HP TMS zl Module Security Administrator's Guide

4-322
Configuring a VPN on the HP TMS zl Module
L2TP over IPsec VPNs
Verify Routes for the L2TP over IPsec VPN
Verify that each TMS zl Module knows a route to the remote endpoints. This route can be a default route, a static route, or a route discovered through a dynamic routing protocol. The route's forwarding interface must be the interface with the IP address that you specified as the local gateway address in the IKE policy (and as the local address in the IPsec policy). This is also the IP address that L2TP clients use to contact the TMS zl Module. If necessary, add the route.
Also note that, whenever a TMS zl Module assigns a virtual IP address to an L2TP client, a route to pppX is automatically added to the route table. This route is to the virtual IP address and uses the server address that you assigned to the tunnel as the gateway address.
Figure 4-237 shows an L2TP over IPsec VPN in which the remote clients are on the subnets 172.22.3.0/24 and 10.78.15.0/24. For this VPN, a default route through 192.168.115.1 would work. However, to better illustrate the necessary routes, the figure shows two specific routes: one to each remote subnet. For both routes, the gateway is 192.168.115.1. Whether a default route or specific routes are used for this example, the IKE policy for this VPN must specify 192.168.115.71 as the local gateway. Similarly, L2TP clients contact the TMS zl Module at 172.168.115.71. (For more information about configuring routing on the TMS zl Module, see the HP Threat Management Services zl Module Management and Configuration Guide.)
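The route check described above, as an added example that is not part of this guide or the module's own tooling: it performs a longest-prefix lookup for each remote endpoint and confirms that the matching route (a specific route or the default) forwards out of the interface that carries the IKE local gateway address. The interface names, the route-table representation, and the sample addresses beyond those in Figure 4-237 are assumptions constructed for the example.

```python
import ipaddress

# Constructed sample data modelled on Figure 4-237; interface names are assumed.
# Interfaces: name -> IP address configured on that interface.
INTERFACES = {
    "vlan115": "192.168.115.71",  # local gateway address in the IKE policy
    "vlan10": "10.1.10.1",
}

# Route table entries: (destination prefix, gateway, forwarding interface).
ROUTES = [
    ("172.22.3.0/24", "192.168.115.1", "vlan115"),
    ("10.78.15.0/24", "192.168.115.1", "vlan115"),
    ("0.0.0.0/0", "10.1.10.254", "vlan10"),  # default route on another interface
]


def lookup(dest, routes):
    """Longest-prefix match; returns (prefix, gateway, interface) or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    best_len = -1
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, gw, iface), net.prefixlen
    return best


def verify_vpn_routes(remote_endpoints, local_gateway, routes, interfaces):
    """Return a list of problems: endpoints with no route, or whose route
    forwards out of an interface that does not hold the IKE local gateway."""
    problems = []
    for ep in remote_endpoints:
        route = lookup(ep, routes)
        if route is None:
            problems.append(f"{ep}: no route")
            continue
        prefix, gw, iface = route
        iface_ip = interfaces.get(iface)
        if iface_ip != local_gateway:
            problems.append(
                f"{ep}: route {prefix} via {gw} leaves on {iface} ({iface_ip}), "
                f"not the IKE local gateway {local_gateway}"
            )
    return problems


if __name__ == "__main__":
    # Hosts on the two remote subnets from the figure pass; a host reached only
    # through the default route on vlan10 is reported, since IKE would be
    # bound to 192.168.115.71 while traffic would leave another interface.
    for p in verify_vpn_routes(["172.22.3.10", "10.78.15.20", "203.0.113.5"],
                               "192.168.115.71", ROUTES, INTERFACES):
        print(p)
```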