TMS zl Management and Configuration Guide ST.1.0.090213

D-63
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Figure D-13. IKE Firewall Access Policies for a Client-to-Site VPN
Figure D-13 illustrates a client-to-site VPN and displays the correct access
policies to allow IKE and NAT-T traffic.
In this example, access policies are configured between the Self and
External zones. You should always use the Self zone, but your policies
might require a different zone from External. Use the zone that includes
the VLAN on which your TMS zl Module receives traffic from the remote
endpoints. If the remote endpoints are in multiple zones, you must create
access policies to and from each zone.
If you are missing any of these access policies, add them now. You might
also try configuring policies that permit this traffic to and from each zone
and the Self zone (in case you have mistaken the remote clients’ zone).
Access policies (from Figure D-13)

  Zones              Action   Service           Source         Destination
  External to Self   Permit   isakmp            Any            172.16.1.254
  External to Self   Permit   ipsec-nat-t-udp   Any            172.16.1.254
  Self to External   Permit   isakmp            172.16.1.254   Any
  Self to External   Permit   ipsec-nat-t-udp   172.16.1.254   Any
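The check below is an added example and is not code from the ProCurve guide or from the TMS zl Module itself. It models the rule stated above (a permit for isakmp and for ipsec-nat-t-udp in both directions between the Self zone and every zone that contains remote endpoints) and reports which permits are missing from a constructed policy list. The Policy record layout, the sample policy list and the zone names other than Self and External are assumptions made for the example; the module address 172.16.1.254 is the one in Figure D-13.

```python
# Added example (not part of the ProCurve guide): verify that an access-policy
# list contains the IKE and NAT-T permits a client-to-site VPN needs.
from dataclasses import dataclass

MODULE_IP = "172.16.1.254"  # TMS zl Module address from Figure D-13

# Services the guide names for the VPN. The UDP ports are the standard
# assignments for IKE (500) and IPsec NAT traversal (4500).
VPN_SERVICES = {"isakmp": 500, "ipsec-nat-t-udp": 4500}


@dataclass(frozen=True)
class Policy:
    """One access policy as it appears in the policy table (assumed layout)."""
    action: str      # "Permit" or "Deny"
    service: str     # service name, e.g. "isakmp"
    src_zone: str
    dst_zone: str
    src_addr: str    # "Any" or an IP address
    dst_addr: str


def required_policies(module_ip, remote_zones):
    """Build the permits the guide requires: for every zone holding remote
    endpoints, each VPN service must be allowed to Self and from Self."""
    required = set()
    for zone in remote_zones:
        for service in VPN_SERVICES:
            required.add(Policy("Permit", service, zone, "Self", "Any", module_ip))
            required.add(Policy("Permit", service, "Self", zone, module_ip, "Any"))
    return required


def _normalise(policy):
    """Make comparison tolerant of case and stray whitespace in service names."""
    return Policy(policy.action.capitalize(),
                  policy.service.replace(" ", "").lower(),
                  policy.src_zone, policy.dst_zone,
                  policy.src_addr, policy.dst_addr)


def missing_policies(existing, module_ip, remote_zones):
    """Return the required permits absent from `existing`, in a stable order."""
    have = {_normalise(p) for p in existing}
    missing = required_policies(module_ip, remote_zones) - have
    return sorted(missing, key=lambda p: (p.src_zone, p.dst_zone, p.service))


# Constructed sample: the Self-to-External NAT-T permit has been left out.
EXAMPLE_POLICIES = [
    Policy("Permit", "isakmp", "External", "Self", "Any", MODULE_IP),
    Policy("Permit", "ipsec-nat-t-udp", "External", "Self", "Any", MODULE_IP),
    Policy("permit", "ISAKMP", "Self", "External", MODULE_IP, "Any"),
]

if __name__ == "__main__":
    # Remote clients are expected in the External zone; an "Internal" zone is
    # added here only to show the per-zone expansion the guide describes.
    for zones in (["External"], ["External", "Internal"]):
        gaps = missing_policies(EXAMPLE_POLICIES, MODULE_IP, zones)
        print(f"remote zones {zones}: {len(gaps)} missing permit(s)")
        for p in gaps:
            print(f"  {p.src_zone} to {p.dst_zone}: {p.action} {p.service} "
                  f"{p.src_addr} {p.dst_addr} (UDP {VPN_SERVICES[p.service]})")
```

Running the script with the constructed list reports the one missing Self-to-External NAT-T permit; adding a second remote zone expands the requirement to four more permits, which is the "to and from each zone" rule from the text.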
[Figure D-13 diagram: Internal zone containing the Server VLAN 10.1.30.0/24; External zone containing the Internet VLAN 172.16.1.0/24; TMS zl Module (ProCurve zl J8705A chassis) = 172.16.1.254; IPsec connection across the Internet to the remote clients.]