HP TMS zl Module Security Administrator's Guide
4-364
Configuring a VPN on the HP TMS zl Module
GRE Tunnels
The position determines the order in which the TMS zl Module processes
IPsec policies. The module processes the policy with the lowest position
value first (for example, position 1 before position 2). The position matters
most when policies have overlapping traffic selectors: the first policy whose
selector matches a packet wins, so a broad policy placed ahead of a narrower
one captures the narrower policy's traffic before that policy is ever reached.
In this case, give the IPsec policy with the most specific traffic selector
the lowest position value (that is, the highest priority).
A default IPsec policy prevents all traffic from being encrypted by the VPN
engine; therefore, every IPsec policy that you configure must have a higher
priority (a lower position value) than this default policy.
Next, you configure the VPN traffic selector, which determines which
traffic will use the VPN tunnel. For a GRE over IPsec VPN, the traffic
selector must specify the GRE traffic between the TMS zl Module and the
remote tunnel endpoint.
Caution For this policy, you will specify a local TMS zl Module IP address. Be very
careful to specify GRE for the protocol. Otherwise, the selector also matches
the management traffic to and from that address (for example, the HTTPS
sessions from NIM or your browser), the module tries to send that traffic
through the VPN, and you lock yourself out of the Web browser interface.
If you do cause NIM to lose contact with a TMS zl Module, follow this
procedure:
1. Access the module and delete the IPsec policy:
• If the module has multiple IP addresses in its management-access
zone, you might be able to contact the module's Web browser interface
at one of the other addresses. You can then delete the faulty IPsec
policy from the VPN > IPsec > IPsec Policies window (the policy will
be labeled with the name that you specified in the wizard).
• If you cannot reach the module's Web browser interface, you can use
the CLI to delete the faulty IPsec policy. Access the host switch CLI
and enter these commands:
hostswitch(config)# services <slot ID> name tms-module
hostswitch(tms-module-<slot ID>)# config
hostswitch(tms-module-<slot ID>:config)# no ipsec policy <policy name>
Replace <slot ID> with the ID of the slot in which the TMS zl
Module is installed. Replace <policy name> with the name that you
specified in the wizard. (You can also use the show ipsec policy
command to view the policy names.)
2. NIM should now be able to contact the TMS zl Module. It is best practice
to synchronize the TMS properties before you continue configuring.
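As an added, constructed example (not HP's code and not the TMS zl CLI), the following Python models first-match evaluation of IPsec policies by position and checks for the two mistakes this section warns about: a broad selector placed ahead of a more specific one that it shadows, and a selector on a module address that is not restricted to GRE and therefore also matches the TCP management traffic between the module and NIM or a browser. The policy fields, the function names, the PROTO_ANY sentinel and the sample addresses are assumptions for illustration; the real module's matching rules may differ in detail, so treat the output as a pre-deployment sanity check, not as a statement of what the module will do.

```python
"""Sanity checks for IPsec policy ordering and GRE traffic selectors.

Constructed example; not HP code. Policy fields and names are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTO_ANY = 0    # constructed sentinel meaning "any IP protocol"
PROTO_TCP = 6    # IANA protocol number for TCP (HTTPS/SSH management)
PROTO_GRE = 47   # IANA protocol number for GRE


@dataclass(frozen=True)
class IpsecPolicy:
    name: str
    position: int   # lower value is evaluated first
    local: str      # module-side selector: host address or CIDR
    remote: str     # peer-side selector: host address or CIDR
    protocol: int   # IP protocol number, or PROTO_ANY

    def local_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.local, strict=False)

    def remote_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.remote, strict=False)

    def matches(self, src: str, dst: str, proto: int) -> bool:
        """Would a packet src -> dst with this protocol be selected?"""
        return (ipaddress.ip_address(src) in self.local_net()
                and ipaddress.ip_address(dst) in self.remote_net()
                and self.protocol in (PROTO_ANY, proto))

    def covers(self, other: "IpsecPolicy") -> bool:
        """True if every packet 'other' selects is also selected by self."""
        return (other.local_net().subnet_of(self.local_net())
                and other.remote_net().subnet_of(self.remote_net())
                and self.protocol in (PROTO_ANY, other.protocol))


def first_match(policies: List[IpsecPolicy], src: str, dst: str,
                proto: int) -> Optional[IpsecPolicy]:
    """First-match semantics: walk policies in ascending position order."""
    for p in sorted(policies, key=lambda p: p.position):
        if p.matches(src, dst, proto):
            return p
    return None


def shadowed(policies: List[IpsecPolicy]) -> List[str]:
    """Names of policies that can never win because an earlier (lower
    position) policy with a broader selector covers everything they match."""
    ordered = sorted(policies, key=lambda p: p.position)
    return [later.name for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


def lockout_risks(policies: List[IpsecPolicy], module_addrs: List[str],
                  station_addrs: List[str]) -> List[str]:
    """Names of policies that would pull plain TCP management traffic
    between a module address and a management station into the VPN."""
    risks = set()
    for module in module_addrs:
        for station in station_addrs:
            hit = first_match(policies, module, station, PROTO_TCP)
            if hit is not None:
                risks.add(hit.name)
    return sorted(risks)


# Constructed sample data: module management address, NIM/browser station,
# and a GRE-over-IPsec peer. Addresses are documentation ranges.
MODULE_ADDRS = ["10.0.0.1"]
STATION_ADDRS = ["10.0.0.50"]
GRE_TO_BRANCH = IpsecPolicy("gre-to-branch", 1, "10.0.0.1/32",
                            "203.0.113.10/32", PROTO_GRE)
# Wizard run with the protocol left as "any": matches management traffic too.
SAMPLE_POLICIES = [GRE_TO_BRANCH,
                   IpsecPolicy("catch-all", 2, "10.0.0.1/32", "0.0.0.0/0", PROTO_ANY)]
# Same selector corrected to GRE only.
FIXED_POLICIES = [GRE_TO_BRANCH,
                  IpsecPolicy("catch-all", 2, "10.0.0.1/32", "0.0.0.0/0", PROTO_GRE)]
# Broad GRE policy placed ahead of the specific one: the specific one is dead.
BAD_ORDER = [IpsecPolicy("broad-gre", 1, "10.0.0.0/24", "0.0.0.0/0", PROTO_GRE),
             IpsecPolicy("gre-to-branch", 2, "10.0.0.1/32", "203.0.113.10/32", PROTO_GRE)]

if __name__ == "__main__":
    print("lockout risks (sample):", lockout_risks(SAMPLE_POLICIES, MODULE_ADDRS, STATION_ADDRS))
    print("lockout risks (fixed): ", lockout_risks(FIXED_POLICIES, MODULE_ADDRS, STATION_ADDRS))
    print("shadowed (bad order):  ", shadowed(BAD_ORDER))
```

Run the checks against the policy list you intend to push before you apply it: a non-empty result from lockout_risks means the wizard selector is not GRE-only and would capture the management sessions this section's Caution describes, and any name returned by shadowed should be moved to a lower position value than the broader policy that covers it.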