HP TMS zl Module Security Administrator's Guide
4-250
Configuring a VPN on the HP TMS zl Module
Configuring an IPsec Site-to-Site VPN with Manual Keying
Before you begin configuring firewall access policies on a module, determine
the zone on which traffic from the remote tunnel gateway arrives. Typically,
this is the External zone, but it could be another zone.
You should also determine the zone for local endpoints allowed on the VPN.
This might be the Internal zone or another zone. If multiple zones are allowed
to access the VPN, you must create policies for each of these zones.
Figure 4-170 shows zones in an example IPsec site-to-site VPN.
Figure 4-170. Example IPsec Site-to-Site VPN (with Zones)
Table 4-27 lists the necessary access policies; the numbers in the Source and
Destination columns refer to the example figure above. (Note that these
policies are typically configured in the None user group. However, if local users
log in to the module, then the policies that use the local zone as the source
zone must be configured for the appropriate user groups.)
For access policies that permit the traffic sent over the tunnel, you should
consider setting the TCP MSS to a value lower than the typical MSS used in
your system, particularly when IPsec fragmentation is disabled. Otherwise,
the addition of the IPsec and IP delivery headers might make the packets too
large to be transmitted. Table 4-27 suggests a conservative value for the TCP
MSS when the MTU is 1500. (For more information on the TCP MSS, see
Chapter 6: “Configuring the TMS zl Module Firewall.”)
Note: The value for TCP MSS in the table is only a suggestion. You should determine
the best setting for your environment.
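To see why the guide recommends lowering the MSS, the following added Python example (not from the guide, and not a description of how the TMS zl module itself sizes packets) works out the on-the-wire size of a tunnel-mode ESP packet for two assumed transform sets and finds the largest MSS that still fits a 1500-byte delivery MTU; the header and ICV sizes are standard values assumed for illustration.

```python
from dataclasses import dataclass

IPV4_HDR = 20      # outer and inner IPv4 header, no options
TCP_HDR = 20       # TCP header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
UDP_HDR = 8        # extra NAT-T encapsulation header, if NAT traversal is in use

@dataclass(frozen=True)
class EspTransform:
    """Per-transform sizes (assumed common values, not module-specific)."""
    name: str
    iv_len: int        # explicit IV carried in each packet
    block_size: int    # padding alignment the cipher requires (min 4 per RFC 4303)
    icv_len: int       # integrity check value appended after the trailer

AES128_CBC_HMAC_SHA1_96 = EspTransform("AES-128-CBC/HMAC-SHA1-96", 16, 16, 12)
AES128_GCM_16 = EspTransform("AES-128-GCM (16-byte ICV)", 8, 4, 16)

def esp_tunnel_wire_size(mss: int, transform: EspTransform, nat_t: bool = False) -> int:
    """Size of a tunnel-mode ESP packet carrying one full-MSS TCP segment."""
    inner = IPV4_HDR + TCP_HDR + mss                 # original packet being protected
    pad = (-(inner + ESP_TRAILER)) % transform.block_size   # ESP padding to alignment
    encrypted = inner + pad + ESP_TRAILER
    outer = IPV4_HDR + (UDP_HDR if nat_t else 0)     # IP delivery header (+ UDP for NAT-T)
    return outer + ESP_HDR + transform.iv_len + encrypted + transform.icv_len

def max_tcp_mss(mtu: int, transform: EspTransform, nat_t: bool = False) -> int:
    """Largest MSS whose encapsulated packet fits the MTU without fragmentation."""
    mss = mtu - IPV4_HDR - TCP_HDR                   # classic MSS for this MTU (1460 at 1500)
    while mss > 0 and esp_tunnel_wire_size(mss, transform, nat_t) > mtu:
        mss -= 1
    return mss

if __name__ == "__main__":
    # A host left at the classic MSS of 1460 produces packets that exceed the 1500 MTU
    # once ESP and the delivery header are added, which is the problem the guide describes.
    print("MSS 1460 on the wire:", esp_tunnel_wire_size(1460, AES128_CBC_HMAC_SHA1_96))
    for t in (AES128_CBC_HMAC_SHA1_96, AES128_GCM_16):
        for nat in (False, True):
            print(f"{t.name:28s} NAT-T={nat!s:5s} max MSS at MTU 1500: "
                  f"{max_tcp_mss(1500, t, nat)}")
```

A clamp a little below the computed maximum leaves headroom for TCP options and for any transform whose overhead you did not account for.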