HP TMS zl Module Security Administrator's Guide
4-252
Configuring a VPN on the HP TMS zl Module
L2TP over IPsec VPNs
Figure 4-171 shows an example site-to-site VPN. The remote gateway IP address is 192.168.1.22. The remote endpoints behind the gateway are in subnet 10.1.55.0/24. In this example, a default route through 192.168.115.1, the local router in the path to these subnets, could fulfill the requirements for both routes. However, to better illustrate the necessary routes, the figure shows two specific routes. Note that, no matter how you set up the routes, the local VPN gateway configured in the IKE policy must be 192.168.115.71, which is the module IP address on the forwarding VLAN for these routes. (For information about configuring routing on the TMS zl Module, see the HP Threat Management Services zl Module Management and Configuration Guide.)
L2TP over IPsec VPNs
Microsoft VPN clients use Layer 2 Tunneling Protocol (L2TP) over IPsec to establish VPN connections. The TMS zl Module can act as a gateway for these endpoints, allowing them remote access to the private network.
L2TP is a session-layer protocol (Layer 5) that mimics a data-link protocol (Layer 2). It tunnels a Point-to-Point Protocol (PPP) connection between two endpoints within UDP datagrams. Typically, the tunneled traffic is transmitted in IP packets over a public network such as the Internet.
L2TP tunnels data, but it does not secure it. With L2TP over IPsec, the L2TP session is encapsulated and secured by IPsec.
An L2TP over IPsec session is established in the following way:
1. A remote endpoint and the TMS zl Module negotiate an IPsec tunnel for L2TP messages.
You set up IKE to negotiate the IPsec tunnel. The module and the remote client must use IKE preshared keys to authenticate each other. The IPsec tunnel must use ESP for the protocol.
See “IPsec VPNs” on page 4-9 if you want to learn more about IPsec.
2. The TMS zl Module (which is the L2TP gateway) and the remote VPN client establish an L2TP tunnel.
The L2TP messages are sent on UDP 1701. In the course of establishing the tunnel, the module and the remote client can authenticate each other again using CHAP, PAP, or MS-CHAP.
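The two-step sequence above can be checked from session logs: an audit that flags a peer whose IKE did not use a preshared key, whose IPsec SA is not ESP, whose L2TP tunnel (UDP 1701) started without an IPsec SA in place, or whose PPP re-authentication used something other than CHAP, PAP or MS-CHAP. This is an added example, not code or a log format from the TMS zl Module; the event names, field names and sample log lines are constructed for illustration.

```python
"""Audit constructed L2TP-over-IPsec session logs against the sequence above: IKE with a
preshared key sets up an ESP tunnel, then L2TP (UDP 1701) and optional PPP authentication
(CHAP, PAP, MS-CHAP) run inside it. Log format and values are invented for this example."""
import re

# Parameter each event must carry, and the values the text allows for it.
ALLOWED = {"ike_auth": ("method", {"psk"}),
           "ipsec_sa": ("proto", {"esp"}),
           "l2tp_tunnel": ("dport", {"1701"}),
           "ppp_auth": ("method", {"chap", "pap", "mschap"})}
# Event that must immediately precede each step of the establishment sequence.
EXPECTED_BEFORE = {"ipsec_sa": "ike_auth", "l2tp_tunnel": "ipsec_sa", "ppp_auth": "l2tp_tunnel"}
LINE_RE = re.compile(r"^(?P<peer>\S+)\s+(?P<event>\w+)\s*(?P<attrs>.*)$")

def parse_line(line):
    """Parse 'PEER EVENT k=v k=v ...' into (peer, event, {k: v}); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split() if "=" in kv)
    return m.group("peer"), m.group("event"), attrs

def audit(lines):
    """Return {peer: [finding, ...]}; an empty list means the peer followed the sequence."""
    last, findings = {}, {}
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        peer, event, a = parsed
        out = findings.setdefault(peer, [])
        need = EXPECTED_BEFORE.get(event)
        if need and last.get(peer) != need:
            # An l2tp_tunnel without a preceding ipsec_sa means the PPP session is unprotected.
            out.append(f"{event} without preceding {need}")
        if event in ALLOWED:
            key, values = ALLOWED[event]
            if a.get(key) not in values:
                out.append(f"{event} {key}={a.get(key)} not in {sorted(values)}")
        last[peer] = event
    return findings

# Constructed sample: the first peer follows the sequence; the second uses certificate
# IKE, starts L2TP without an IPsec SA, then uses a PPP method the text does not list.
SAMPLE_LOG = [
    "203.0.113.10 ike_auth method=psk",
    "203.0.113.10 ipsec_sa proto=esp",
    "203.0.113.10 l2tp_tunnel dport=1701",
    "203.0.113.10 ppp_auth method=mschap",
    "203.0.113.20 ike_auth method=rsa-sig",
    "203.0.113.20 l2tp_tunnel dport=1701",
    "203.0.113.20 ppp_auth method=eap",
]
```

Running `audit(SAMPLE_LOG)` returns an empty finding list for the first peer and three findings for the second.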