HP TMS zl Module Security Administrator's Guide
Configuring a VPN on the HP TMS zl Module
GRE Tunnels
For step-by-step instructions for configuring access policies, see Chapter 7:
“Configuring the TMS zl Module Firewall.”
Configure a GRE over IPsec VPN with Manual Keying
You can secure a GRE tunnel using IPsec with manual keying or IPsec with
IKE. This section outlines the main tasks you must complete to configure a
GRE over IPsec VPN with manual keying. (If you want to use IPsec with IKE
to secure the GRE tunnel, see “Configure a GRE over IPsec VPN with IKE” on
page 4-340.)
The advantages and disadvantages of using manual keying are listed below:
■ Advantages
• Manual keying does not depend on the IKE protocol, so less processing
is used initially to negotiate the SA.
• You do not need to open UDP 500 (ISAKMP) in the firewall.
• Manual keying is required for an IPsec VPN that is limited to ICMP
echo or timestamp traffic.
■ Disadvantages
• Keys can be leaked, and overall the tunnel is less secure.

| When Required | Type | From Zone | To Zone | Service | Source | Destination | MSS | Number of policies |
|---|---|---|---|---|---|---|---|---|
| • Dynamic routing over the tunnel • Default policies disabled | Unicast | SELF | Tunnel | OSPF or RIP | 5 | 6 | — | 1 |
| • Dynamic routing over the tunnel • Default policies disabled | Multicast | Tunnel | SELF | OSPF or RIP | 6 | Any Address or multicast address | — | 1 |
| • Dynamic routing over the tunnel • Default policies disabled | Multicast | SELF | Tunnel | OSPF or RIP | 5 | Any Address or multicast address | — | 1 |