HP TMS zl Module Security Administrator's Guide

4-243
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with Manual Keying
Select the single-entry IP, range, or network address object that
you configured for local endpoints. (An address object is not valid
for a transport-mode VPN.)
Manually type an IP address (for an L2TP over IPsec VPN, type the
IP address of the local VPN gateway), an IP address range, or a
network address in CIDR format (for example, 192.168.1.0/24).
c. Local Port is present if you selected TCP or UDP for Protocol. Type a
specific port for the service to which remote clients are allowed
access or leave the field blank (which allows traffic to any port).
d. For Remote Address, specify the IP addresses of all remote endpoints
allowed to send and receive traffic over the VPN (indicated by 4 in
the figure).
Do one of the following to specify addresses:
Select Any to permit any IP address.
Select the single-entry IP, range, or network address object that
you configured for remote endpoints.
Manually type an IP address, IP address range, or network
address in CIDR format.
e. Remote Port is present if you selected TCP or UDP for Protocol. Type the
port number for the service that local endpoints are allowed to access
in the remote network, or leave the field blank (which allows traffic to
any port).
f. If you selected ICMP for the protocol, for ICMP Type, select Any, Echo,
or Timestamp.
Caution If your traffic selector will include management traffic to a TMS zl Module,
you must first configure a Bypass policy on that module, at top priority, that
selects the management traffic. Otherwise the new IPsec policy captures the
management traffic as well, NIM loses contact with the module, and you are
locked out of the Web browser interface.
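The check below is an added example, not code from the guide or from HP: it models the traffic-selector fields described above (Local Address, Remote Address, Protocol, Local Port, Remote Port) and tests, before the policy is applied, whether a policy set would pull the module's own management traffic into the tunnel. It assumes that policies are evaluated in ascending priority number with first match winning, that a Bypass policy takes precedence only if it sorts ahead of the IPsec policy, and that the Web browser interface is reached over TCP/443; the addresses, policy names and the management flow are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical data model for the wizard fields. Not HP's API: an added example.
ANY_PORT = None  # a blank port field in the wizard means "any port"


@dataclass(frozen=True)
class Selector:
    local: str                        # "Any", "a.b.c.d", "a.b.c.d-a.b.c.e" or CIDR
    remote: str
    protocol: str = "Any"             # "Any", "TCP", "UDP" or "ICMP"
    local_port: Optional[int] = ANY_PORT
    remote_port: Optional[int] = ANY_PORT


@dataclass(frozen=True)
class Policy:
    priority: int                     # assumption: lower number is evaluated first
    action: str                       # "bypass" or "apply" (apply = protect with IPsec)
    selector: Selector
    name: str = ""


@dataclass(frozen=True)
class Flow:
    local: str                        # address on the module side
    remote: str                       # address of the peer
    protocol: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


def addr_matches(spec: str, ip: str) -> bool:
    """True if ip falls inside an address spec as the wizard accepts it:
    Any, a single address, a dash-separated range, or CIDR notation."""
    addr = ipaddress.ip_address(ip)
    if spec.strip().lower() == "any":
        return True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    if "/" in spec:
        # strict=False also accepts a host address with a prefix (192.168.1.1/24)
        return addr in ipaddress.ip_network(spec, strict=False)
    return addr == ipaddress.ip_address(spec)


def port_matches(spec: Optional[int], port: Optional[int]) -> bool:
    return spec is ANY_PORT or spec == port


def selector_matches(sel: Selector, flow: Flow) -> bool:
    proto = sel.protocol.upper()
    if proto != "ANY" and proto != flow.protocol.upper():
        return False
    if not (addr_matches(sel.local, flow.local) and addr_matches(sel.remote, flow.remote)):
        return False
    # Port fields exist only for TCP/UDP; for other protocols they do not apply.
    if proto in ("TCP", "UDP"):
        return (port_matches(sel.local_port, flow.local_port)
                and port_matches(sel.remote_port, flow.remote_port))
    return True


def first_match(policies: List[Policy], flow: Flow) -> Optional[Policy]:
    """First policy, in priority order, whose selector covers the flow."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if selector_matches(pol.selector, flow):
            return pol
    return None


def lockout_risks(policies: List[Policy], mgmt_flows: List[Flow]) -> List[Flow]:
    """Management flows whose first matching policy applies IPsec: these are the
    flows that would be forced into the tunnel and cut NIM off from the module."""
    risky = []
    for flow in mgmt_flows:
        hit = first_match(policies, flow)
        if hit is not None and hit.action == "apply":
            risky.append(flow)
    return risky


# Constructed sample: module management IP, NIM address in the remote network,
# and the HTTPS port of the Web browser interface are all assumptions.
MGMT_IP = "10.10.1.5"
NIM_IP = "192.168.1.20"
MGMT_FLOWS = [Flow(local=MGMT_IP, remote=NIM_IP, protocol="TCP", local_port=443)]

# The wizard-created IPsec policy: a network-to-network selector that also
# covers the module's own management address.
VPN_POLICY = Policy(priority=10, action="apply", name="site-a-to-site-b",
                    selector=Selector(local="10.10.1.0/24", remote="192.168.1.0/24"))


def check_without_bypass() -> List[Flow]:
    return lockout_risks([VPN_POLICY], MGMT_FLOWS)


def check_with_bypass() -> List[Flow]:
    bypass = Policy(priority=1, action="bypass", name="mgmt-bypass",
                    selector=Selector(local=MGMT_IP, remote="Any", protocol="TCP"))
    return lockout_risks([bypass, VPN_POLICY], MGMT_FLOWS)


if __name__ == "__main__":
    print("without bypass, at risk:", check_without_bypass())
    print("with top-priority bypass, at risk:", check_with_bypass())
```

Run the check with every address from which NIM and administrators reach the module listed in the management flows; any flow it reports means the Bypass policy is missing, sorts below the IPsec policy, or does not cover that address or protocol.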
If you do cause NIM to lose contact with a TMS zl Module, follow this
procedure:
1. Access the module and delete the IPsec policy:
If the module has multiple IP addresses in its management-access
zone, you might be able to contact the module’s Web browser interface
at one of the other addresses. You can then delete the faulty IPsec
policy from the VPN > IPsec > IPsec Policies window (the policy will
be labeled with the name that you specified in the wizard).
If you cannot reach the module’s Web browser interface, you can use
the CLI to delete the faulty IPsec policy. Access the host switch CLI
and enter these commands: