HP TMS zl Module Security Administrator's Guide
4-231
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with Manual Keying
■ Advantages
• Manual keying does not depend on the IKE protocol, so less processing is needed initially to establish the SA.
• You do not need to open UDP 500 (ISAKMP) in the firewall.
• Manual keying is required for an IPsec VPN that is limited to ICMP echo or timestamp traffic.
■ Disadvantages
• Keys can be leaked, and overall the tunnel is less secure.
• Lengthy keys can be mistyped.
• Keys can be difficult to manage with multiple remote sites.
• Manual keying cannot be used to create a site-to-site IPsec VPN with the HP Secure Router 7000dl series.
• Manual keying cannot be used to configure a client-to-site VPN or with IKE mode config.
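Two of the disadvantages above, mistyped lengthy keys and leaked keys, can be reduced with a small helper at the administrator's workstation. The following is an added example, not part of this guide or of the module's software: it generates manual keys of the right length from a CSPRNG, checks a typed key for wrong length, non-hex characters or an obvious placeholder pattern, and confirms that the keys entered on both gateways are identical. The algorithm names and key sizes in KEY_BITS are assumptions for the example, not the module's own algorithm list.

```python
import hmac
import re
import secrets

# Key sizes (bits) for algorithms commonly offered for IPsec manual keying.
# Assumed for this example; the module's own algorithm list is in the wizard.
KEY_BITS = {
    "aes-128": 128,
    "aes-256": 256,
    "hmac-sha1": 160,
    "hmac-sha256": 256,
}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def normalize(key_hex: str) -> str:
    """Canonical form of a typed key: trimmed, lowercase, no 0x prefix."""
    key = key_hex.strip().lower()
    return key[2:] if key.startswith("0x") else key


def generate_key(algorithm: str) -> str:
    """Fresh CSPRNG key as hex, sized for the algorithm, ready to paste."""
    return secrets.token_hex(KEY_BITS[algorithm.lower()] // 8)


def check_key(algorithm: str, key_hex: str) -> list:
    """Problems with a manually entered key (an empty list means usable):
    wrong length, non-hex characters, or one short pattern repeated."""
    alg = algorithm.lower()
    if alg not in KEY_BITS:
        return ["unknown algorithm %r" % algorithm]
    key = normalize(key_hex)
    if not HEX_RE.match(key):
        return ["key contains non-hex characters"]
    problems = []
    expected = KEY_BITS[alg] // 4  # hex digits
    if len(key) != expected:
        problems.append("expected %d hex digits, got %d" % (expected, len(key)))
    raw = bytes.fromhex(key) if len(key) % 2 == 0 else b""
    for n in range(1, 5):  # patterns of 1..4 bytes repeated to fill the key
        if raw and len(raw) % n == 0 and raw == raw[:n] * (len(raw) // n):
            problems.append("key is a repeating pattern of %d byte(s)" % n)
            break
    return problems


def keys_match(key_a: str, key_b: str) -> bool:
    """Both gateways must hold the identical key; compare in constant time."""
    return hmac.compare_digest(normalize(key_a).encode(), normalize(key_b).encode())
```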
For this type of deployment, you must use the Manage IPsec wizard to configure IPsec proposals and IPsec policies.
Using NIM and the Manage IPsec wizard, you can even configure a set of similar site-to-site VPNs between multiple TMS zl Modules and a remote VPN gateway. However, this requires that most settings be the same on all modules.
Table 4-25. IPsec Parameters in the Manage IPsec Wizard

Policy or Proposal   Parameter                  Module-Specific or Same for Every Selected Module
IPsec Proposal       Proposal Name              Same
                     Encapsulation Mode         Same
                     Security Protocol          Same
                     Encryption Algorithm       Same
                     Authentication Algorithm   Same

When you configure an IPsec site-to-site VPN with manual keying, you must complete these tasks:
1. Optionally, create named objects, which you can use in IPsec policies as well as in the corresponding firewall access policies.
Using named objects is best practice; however, you can specify IP addresses manually. See “Create Named Objects for the VPN (Optional)” on page 4-232.
2. Create an IPsec proposal.