HP TMS zl Module Security Administrator's Guide
4-339
Configuring a VPN on the HP TMS zl Module
GRE Tunnels
For step-by-step instructions on configuring access policies using the TMS management capabilities in NIM, see Chapter 6: “Configuring the TMS zl Module Firewall” in this guide. (For additional guidelines for configuring access policies to allow VPN traffic, see Chapter 7: Virtual Private Networks in the HP Threat Management Services zl Module Management and Configuration Guide.)
Verify that a Route to the Remote Tunnel Gateway Exists
To establish the GRE tunnel, the TMS zl Module requires a route to the tunnel’s destination address (indicated by 3 in Figure 4-251). The route can be to the specific address or to any network that includes that address. It can be a static route or a route discovered with a routing protocol. It can even be a default route, if the default gateway knows how to reach the remote tunnel gateway. The forwarding interface for the route to the tunnel destination must never be the tunnel interface itself: if it is, recursive routing will shut the tunnel down.

In Figure 4-251, the forwarding interface would be the Gateway VLAN, and the gateway for the route would be a router in this VLAN.
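The route-selection rule described above (most specific prefix wins, and the winning route must not forward through the tunnel interface itself) can be checked mechanically before the tunnel is brought up. The following is an added example, not code from the HP guide or the TMS zl Module; it models a routing table with a small generic longest-prefix-match lookup and flags the recursive-routing condition. All addresses, interface names (`VLAN 10`, `Tunnel 1`) and the `Route` record are constructed for illustration and are not the module's own route-table format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str                 # destination network, e.g. "198.51.100.0/24"
    interface: str              # forwarding interface, e.g. "VLAN 10" or "Tunnel 1"
    gateway: Optional[str]      # next-hop router, None for connected routes
    source: str = "static"      # how the route was learned: static, connected, ospf, rip


def longest_prefix_match(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the most specific route covering `destination`, as a router would.

    On an exact prefix-length tie the first matching route wins.
    """
    dest = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        network = ipaddress.ip_network(route.prefix, strict=False)
        if dest in network and network.prefixlen > best_len:
            best, best_len = route, network.prefixlen
    return best


def check_tunnel_route(routes: List[Route], tunnel_destination: str,
                       tunnel_interface: str) -> Tuple[bool, str]:
    """Verify that the remote tunnel gateway is reachable without
    forwarding through the tunnel itself (recursive routing).

    Returns (ok, explanation).
    """
    best = longest_prefix_match(routes, tunnel_destination)
    if best is None:
        return False, f"no route to remote tunnel gateway {tunnel_destination}"
    if best.interface == tunnel_interface:
        return False, (f"recursive routing: {best.prefix} ({best.source}) "
                       f"forwards via {tunnel_interface}, the tunnel itself")
    return True, (f"{tunnel_destination} reachable via {best.prefix} "
                  f"on {best.interface} (gateway {best.gateway})")


# Constructed sample data: hypothetical addresses from RFC 5737 documentation ranges.
TUNNEL_IF = "Tunnel 1"
TUNNEL_DEST = "198.51.100.5"   # remote tunnel gateway, reached across the Gateway VLAN

ROUTES_OK = [
    Route("192.0.2.0/24", "VLAN 10", None, "connected"),   # Gateway VLAN
    Route("0.0.0.0/0", "VLAN 10", "192.0.2.1", "static"),  # default route via a router in that VLAN
    Route("10.20.0.0/16", "Tunnel 1", None, "ospf"),       # remote LAN learned over the tunnel
]

# The same table after the remote gateway advertises its own subnet over the
# tunnel: the /24 is more specific than the default route, so it wins the lookup.
ROUTES_RECURSIVE = ROUTES_OK + [
    Route("198.51.100.0/24", "Tunnel 1", None, "ospf"),
]

if __name__ == "__main__":
    for label, table in (("sane", ROUTES_OK), ("recursive", ROUTES_RECURSIVE)):
        ok, why = check_tunnel_route(table, TUNNEL_DEST, TUNNEL_IF)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
```

The second table shows why a default route alone is not a guarantee: once a more specific prefix covering the remote gateway arrives over the tunnel, it takes precedence and the check fails, which is exactly the condition that shuts the tunnel down.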
Caution Dynamic routing can introduce an issue. The remote tunnel gateway might advertise a route to the tunnel destination address through the tunnel itself. If this is the best, most specific route to the destination, the module will add it to its routing table, causing recursive routing, which shuts the tunnel down. Therefore, if you plan to use dynamic routing on the tunnel,
Access policy table (columns: When Required, Type, From Zone, To Zone, Service, Source, Destination, MSS, Number of policies)

Row:
  When Required: Dynamic routing over the tunnel; Default policies disabled
  Type: Multicast
  From Zone: Tunnel
  To Zone: SELF
  Service: OSPF or RIP (6)
  Source / Destination: Any Address or multicast address
  MSS: —
  Number of policies: 1

Row:
  When Required: Dynamic routing over the tunnel; Default policies disabled
  Type: Multicast
  From Zone: SELF
  To Zone: Tunnel
  Service: OSPF or RIP (5)
  Source / Destination: Any Address or multicast address
  MSS: —
  Number of policies: 1