HP TMS zl Module Security Administrator's Guide

4-246
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with Manual Keying
• Select IP Address and type, in the box, an IP address that is already
configured on the TMS zl Module. Use the address that the remote gateway
can reach. For example, if the remote gateway connects to the module
through the Internet, select the IP address associated with the module's
Internet VLAN.
• Select Use VLAN IP Address and select a VLAN from the list.
Select the VLAN on which the remote gateway reaches the TMS zl
Module. For example, if the remote gateway connects to the module
through the Internet, select the VLAN on which the module has its
connection to the Internet.
7. For Remote Gateway IP Address under Peer ID, specify the IP address of the
remote gateway (indicated by 3 in the figure).
You must type the IP address that the remote gateway specifies for its
local IP address. Use the IP address at which the TMS zl Module can reach
the remote gateway (typically, a public IP address).
8. Next, set the SPI and keys for the protocol that you selected in the IPsec
proposal (ESP, in the example displayed in Figure 4-167). The correct
number of characters for a key depends on the algorithm that you selected
in the IPsec proposal and is indicated to the right of the box. Note also
that if you selected AH, you will not see boxes for encryption keys:
a. For SPI Number, type a decimal number that uniquely identifies this
IPsec SA. The SPI must match the SPI configured on the remote gateway.
Avoid the values 0 through 255: RFC 4303 reserves 0 for local use and
1 through 255 for IANA. (In log files and packet sniffers, this number
is usually shown in hexadecimal.)
b. For Inbound Encryption Key (ESP only), type a character string of the
specified length. The string must match the outbound encryption key
on the remote gateway.
Generate each key with a cryptographically secure random generator
rather than choosing it by hand, and use a mix of character types
(alphanumeric and special); never use dictionary words or patterns.
A manually keyed SA is never rekeyed automatically, so the key you type
here stays in use until you change it on both gateways.
c. For Outbound Encryption Key (ESP only), type a character string of the
specified length. The string must match the inbound encryption key
on the remote gateway.
d. For Inbound Authentication Key, type a character string of the specified
length. The string must match the outbound authentication key on the
remote gateway.
e. For Outbound Authentication Key, type a character string of the specified
length. The string must match the inbound authentication key on the
remote gateway.
9. Click Next.