HP TMS zl Module Security Administrator's Guide

4-438
Configuring a VPN on the HP TMS zl Module
Bypass and Deny IPsec Policies
A default IPsec Bypass policy prevents all traffic from being encrypted by
the VPN engine; therefore, all IPsec policies that you configure must have
a higher priority than this default policy.
Next, you configure the VPN traffic selector, which determines which
traffic is selected by the policy. For example, the selector might specify
all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24
(a remote network).
9. For Traffic Selector, configure these settings:
Any—Any IP protocol. Select this option when you want to select
all traffic between local and remote endpoints.
TCP or UDP—Select this option in conjunction with a local port to
select remote traffic that is destined for specific services in the
local network. Select this option in conjunction with a remote
port to select local traffic that is destined for specific services in
the remote network.
ICMP—Select this option when you want to select only ICMP
traffic or ICMP traffic of a specific type.
IP Protocols—Select one of these Layer 3 protocols, which are
listed by their IANA IP Protocol numbers.
Service objects and service groups will not appear in this list.
a. For Local Address, specify the IP addresses for all local traffic selected
by this policy.
Do one of the following to specify addresses:
Select Any to select any IP address.
Select a single-entry IP, range, or network address object.
Manually type an IP address, IP address range, or network
address in CIDR format.
b. Local Port is present if you selected TCP or UDP for Protocol. Type the
port number for the service that you want to select. Leave the box
empty to select all ports.
c. For Remote Address, specify the addresses of the remote endpoints to
which this policy applies.
Select Any to select any IP address.
Select a single-entry IP, range, or network address object.
Manually type an IP address, IP address range, or network
address in CIDR format.
d. Remote Port is present if you selected TCP or UDP for Protocol. Type the
port number for the service that you want to select. Leave the box
empty to select all ports.
e. If you selected ICMP for the protocol, for ICMP Type, select Any, Echo,
or Timestamp.
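As an added illustration (not from the HP guide and not the module's own code), the following Python models the traffic selector fields of step 9 and the priority rule stated above: policies are checked from highest priority down, and the default Bypass policy catches whatever no higher-ranked policy selects, so a policy ranked below it never protects anything. The priority numbering (larger value evaluated first), the direction handling, and the ICMP type numbers are assumptions of this example.

```python
from dataclasses import dataclass
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not the HP guide's or the module's code): models the traffic
# selector of step 9 and first-match policy lookup by priority. Assumptions:
# larger priority is evaluated first; icmp_type holds IANA numbers (Echo = 8,
# Timestamp = 13) for the guide's Echo/Timestamp choices.

@dataclass
class Selector:
    protocol: str                      # "any", "tcp", "udp" or "icmp"
    local: str = "any"                 # "any", CIDR, or "first-last" range
    remote: str = "any"
    local_port: Optional[int] = None   # None = port box left empty = all ports
    remote_port: Optional[int] = None
    icmp_type: Optional[int] = None    # None = Any

def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if "-" in spec:                    # address range "first-last"
        lo, hi = (ip_address(x.strip()) for x in spec.split("-"))
        return lo <= ip_address(addr) <= hi
    return ip_address(addr) in ip_network(spec, strict=False)

def selector_matches(sel: Selector, pkt: dict) -> bool:
    """Match pkt in either direction; port checks swap for inbound traffic."""
    if sel.protocol != "any" and sel.protocol != pkt["proto"]:
        return False
    if addr_matches(sel.local, pkt["src"]) and addr_matches(sel.remote, pkt["dst"]):
        lport, rport = pkt.get("sport"), pkt.get("dport")   # local -> remote
    elif addr_matches(sel.remote, pkt["src"]) and addr_matches(sel.local, pkt["dst"]):
        lport, rport = pkt.get("dport"), pkt.get("sport")   # remote -> local
    else:
        return False
    if sel.protocol in ("tcp", "udp"):
        if sel.local_port is not None and lport != sel.local_port:
            return False
        if sel.remote_port is not None and rport != sel.remote_port:
            return False
    if sel.protocol == "icmp" and sel.icmp_type is not None:
        return pkt.get("icmp_type") == sel.icmp_type
    return True

Policy = namedtuple("Policy", "name priority action selector")  # action: "apply" or "bypass"
DEFAULT_BYPASS = Policy("default-bypass", 1, "bypass", Selector("any"))  # configured policies rank above it
def evaluate(policies: list, pkt: dict) -> tuple:
    """Highest priority first; the default Bypass catches everything left over."""
    for pol in sorted([*policies, DEFAULT_BYPASS], key=lambda p: -p.priority):
        if selector_matches(pol.selector, pkt):
            return pol.name, pol.action
```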