HP TMS zl Module Security Administrator's Guide

4-374
Configuring a VPN on the HP TMS zl Module
GRE Tunnels
Lengthy keys can be mistyped.
Keys can be difficult to manage with multiple remote sites.
Manual keying cannot be used to create a site-to-site IPsec VPN with the HP Secure Router 7000dl series.
Manual keying cannot be used to configure a client-to-site VPN or with IKE mode config.
You will use the Manage IPsec wizard to create IPsec proposals and IPsec
policies for this type of VPN. When you use the Manage IPsec wizard, you can
configure IPsec proposals on multiple TMS zl Modules at once. On the other
hand, you will need to configure IPsec policies on individual modules.
1. Optionally, create named objects, which you can use in VPN and firewall
access policies related to the GRE tunnel.
Using named objects is best practice; however, you can specify IP
addresses manually. See “Create Named Objects (Optional)” on page
4-375.
2. Create GRE tunnels for the traffic that you want to secure with GRE over
IPsec.
See “Configure a GRE Tunnel” on page 4-326.
3. Verify that there is a route to the remote tunnel gateway.
See “Verify That a Route to the Remote Tunnel Gateway Exists” on page
4-376.
4. Create an IPsec proposal.
The mode is typically transport mode because the TMS zl Module generates
the GRE packets, but you can also use tunnel mode. You can configure
other settings as you choose, making sure to match them on the remote
tunnel endpoint.
See “Create an IPsec Proposal for a GRE over IPsec VPN that Uses Manual
Keying” on page 4-377.
If you have an appropriate proposal, you can use the existing proposal.
5. Create an IPsec policy that uses manual keying.
See “Create an IPsec Policy for a GRE over IPsec VPN That Uses Manual
Keying” on page 4-382.
6. Configure firewall access policies to allow the traffic.
See “Create Access Policies for a GRE over IPsec VPN That Uses Manual
Keying” on page 4-392.
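
The following pre-deployment check is an added example, not part of the HP guide or the module's software. It catches mistyped manual keys and settings that do not match on the remote tunnel endpoint before either side is configured. The field names, the algorithm table and every key and SPI value are constructed assumptions.

```python
# Added example. Field names and all values are constructed for illustration;
# they are not TMS zl Module settings.
KEY_BYTES = {"3des": 24, "aes-128": 16, "aes-256": 32,   # encryption keys
             "hmac-md5": 16, "hmac-sha1": 20}            # authentication keys
PROPOSAL_FIELDS = ("protocol", "mode", "encryption", "authentication")

def key_problem(label, hex_key, algorithm):
    """Return a description of a malformed key, or None if it is well formed."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        return f"{label}: not valid hexadecimal"
    want = KEY_BYTES.get(algorithm)
    if want is None:
        return f"{label}: unknown algorithm {algorithm}"
    if len(raw) != want:
        return f"{label}: {len(raw)} bytes, {algorithm} needs {want}"
    return None

def check_pair(local, remote):
    """Compare both endpoints' manual-keying settings; return a list of problems."""
    problems = [f"proposal mismatch: {f}" for f in PROPOSAL_FIELDS
                if local[f] != remote[f]]
    for side, cfg in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            for kind, alg in (("enc_key", "encryption"), ("auth_key", "authentication")):
                problem = key_problem(f"{side} {direction} {kind}",
                                      cfg[direction][kind], cfg[alg])
                if problem:
                    problems.append(problem)
    # Each security association is one-way, so one endpoint's outbound SPI and
    # keys must equal the other endpoint's inbound SPI and keys.
    for sender, receiver, label in ((local, remote, "local->remote"),
                                    (remote, local, "remote->local")):
        for item in ("spi", "enc_key", "auth_key"):
            if str(sender["outbound"][item]).lower() != str(receiver["inbound"][item]).lower():
                problems.append(f"{label}: {item} differs")
    return problems

def sample_endpoint(out_sa, in_sa, mode="transport"):
    """Build a constructed endpoint config for the demonstration below."""
    return {"protocol": "esp", "mode": mode, "encryption": "aes-128",
            "authentication": "hmac-sha1", "outbound": out_sa, "inbound": in_sa}

SA_A = {"spi": 0x1001, "enc_key": "00112233445566778899aabbccddeeff", "auth_key": "ab" * 20}
SA_B = {"spi": 0x2002, "enc_key": "ffeeddccbbaa99887766554433221100", "auth_key": "cd" * 20}

if __name__ == "__main__":
    print(check_pair(sample_endpoint(SA_A, SA_B), sample_endpoint(SA_B, SA_A)))
```

An empty list means the two endpoints mirror each other; run the check on a trusted workstation, since the input contains the keys themselves.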