HP TMS zl Module Security Administrator's Guide

Configuring a VPN on the HP TMS zl Module
GRE Tunnels
Verify That a Route to the Remote Tunnel Gateway Exists
After you create the GRE tunnel (as described in “Configure a GRE Tunnel”
on page 4-326), you must ensure that the TMS zl Module has a route to the
tunnel’s destination address (indicated by 3 in Figure 4-253). Without this
route, the TMS zl Module cannot establish the GRE tunnel.
The route can be to the specific address or any network that includes that
address. The route can be a static route or a route discovered with a routing
protocol. It can even be a default route, if the default gateway knows how to
reach the remote tunnel gateway. The forwarding interface for the route to
the tunnel destination must never be the tunnel interface (if it is, recursive
routing will shut the tunnel down).
In Figure 4-253, the forwarding interface would be the gateway VLAN, and
the gateway for the route would be a router in this VLAN.
Caution: Dynamic routing can introduce an issue. The remote tunnel gateway might
advertise a route to the tunnel destination address through the tunnel itself.
If this is the best, most specific route to the destination, then the module will
add it to its routing table. This causes recursive routing, which shuts
the tunnel down. Therefore, if you plan to use dynamic routing on the tunnel,
it is best practice to add a specific static route to the tunnel destination address
through the proper gateway. (Make sure to give this route an administrative
distance lower than the routing protocol.)
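
The route selection described above can be checked offline against an exported routing table. The following Python sketch is an added example, not code from this guide or from the module's software; the interface names, addresses and administrative distance values are constructed, and the model assumes longest-prefix match first, then lowest administrative distance.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form
    distance: int    # administrative distance (lower wins on equal prefix length)
    interface: str   # forwarding interface
    source: str      # "static", "ospf", ...

def best_route(routes, destination):
    """Pick the route a router would use: longest prefix, then lowest distance."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))

def check_tunnel(routes, tunnel_if, tunnel_dest):
    """Classify the route to the tunnel destination: no-route, recursive, or ok."""
    route = best_route(routes, tunnel_dest)
    if route is None:
        return "no-route", None          # tunnel cannot be established
    if route.interface == tunnel_if:
        return "recursive", route        # destination reached through the tunnel itself
    return "ok", route

# Constructed sample data (hypothetical names and values).
TUNNEL_IF = "tunnel1"
TUNNEL_DEST = "203.0.113.10"
learned = [
    Route("0.0.0.0/0", 1, "vlan10", "static"),           # default route via gateway VLAN
    Route("203.0.113.10/32", 110, "tunnel1", "ospf"),    # advertised by the remote gateway
]
# Same table plus the specific static route recommended in the Caution.
pinned = learned + [Route("203.0.113.10/32", 1, "vlan10", "static")]

if __name__ == "__main__":
    for name, table in (("learned only", learned), ("with static host route", pinned)):
        status, route = check_tunnel(table, TUNNEL_IF, TUNNEL_DEST)
        print(f"{name}: {status} via {route.interface if route else '-'}")
```

In the first table the dynamically learned host route is more specific than the default route, so it wins and the check reports recursive routing; the static host route with the lower distance restores forwarding through the gateway VLAN.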
Figure 4-253. Example GRE over IPsec VPN (with tunnel interface)