TMS zl Management and Configuration Guide ST.1.0.090213
D-70
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Note that some settings are configured in the IPsec proposal and some
are configured in the IPsec policy. The table also indicates where the
setting is configured.
Table D-10. Match IPsec Security Settings on the Module and Remote Clients

Setting                                    Configuration Location   TMS zl Module Setting                      Remote Client Setting
Encapsulation mode                         IPsec proposal           Tunnel                                     Tunnel
IPsec protocol                             IPsec proposal           Same protocol                              Same protocol
Encryption algorithm                       IPsec proposal           Same encryption algorithm (if any)         Same encryption algorithm (if any)
Authentication algorithm                   IPsec proposal           Same authentication algorithm (if any)     Same authentication algorithm (if any)
PFS enabled                                IPsec policy             Same setting                               Same setting
Diffie-Hellman group (if PFS is enabled)   IPsec policy             Same group                                 Same group
SA lifetime                                IPsec policy             Same setting for kilobytes and seconds     Same setting for kilobytes and seconds

Troubleshoot Access Policies for a Client-to-Site IPsec VPN

If the VPN > IPsec > VPN Connections window shows an active IPsec tunnel but
your traffic cannot cross the VPN to its destination, a firewall access policy
is probably to blame. The TMS zl Module firewall processes outgoing VPN traffic
before it is encapsulated and encrypted, and it processes incoming VPN traffic
after it has been decapsulated and decrypted. In other words, access policies
must permit the inner IP traffic that is sent over the VPN; an access policy
that permits only the outer ESP or AH packets does not cover that inner traffic.
If you are using XAUTH, configure these access policies for the user group to
which the remote users authenticate.

Note: The TMS zl Module automatically accepts IPsec traffic for which it is the
gateway. You need to create access policies for Authentication Header (AH) or
Encapsulating Security Payload (ESP) traffic only when an IPsec VPN is
established through the module to a VPN gateway behind it.

See “Troubleshooting the Firewall” on page D-36 for tips on troubleshooting
firewall access policies.

The most basic setup is an access policy that exactly matches the reverse of
the IPsec traffic selector:
■ From zone = the zone configured for IKE mode config in the IPsec policy
■ To zone = the zone for local endpoints that the remote clients are allowed
to access
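The following Python model is an added illustration of the processing order described above (it is not TMS zl code and does not reproduce the module's actual policy engine). It shows why an access policy written for the outer ESP packet does nothing for a tunnel the module terminates itself, while the same ESP policy is exactly what a pass-through tunnel to a gateway behind the module needs. The zone names, address ranges, mode-config pool and policy format are assumptions chosen for the example.

```python
"""Model of how an IPsec-terminating firewall applies access policies to VPN
traffic: outbound packets are checked BEFORE encapsulation, inbound packets
AFTER decapsulation. Added example, not TMS zl code; zones, addresses and the
policy format are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", "esp", "ah", ...
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class AccessPolicy:
    from_zone: str
    to_zone: str
    proto: str                    # "any" or a protocol name
    dport: Optional[int]          # None matches any port
    action: str                   # "permit" or "deny"


@dataclass(frozen=True)
class IPsecTunnel:
    local_gw: str                 # module's own tunnel endpoint address
    remote_gw: str                # peer (remote client) public address
    local_selector: str           # protected local network
    remote_selector: str          # client addresses (IKE mode config pool)


# Assumed zone layout (not from the guide); unlisted addresses are EXTERNAL.
ZONES = {"INTERNAL": ("10.1.0.0/16",), "VPN_CLIENTS": ("172.16.10.0/24",)}


def zone_of(addr: str) -> str:
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in ip_network(n) for n in nets):
            return name
    return "EXTERNAL"


def policy_permits(policies, pkt: Packet) -> bool:
    """First matching policy wins; no match is the implicit deny."""
    fz, tz = zone_of(pkt.src), zone_of(pkt.dst)
    for p in policies:
        if (p.from_zone == fz and p.to_zone == tz
                and p.proto in ("any", pkt.proto) and p.dport in (None, pkt.dport)):
            return p.action == "permit"
    return False


def inbound(policies, tunnels, outer: Packet, inner: Optional[Packet] = None) -> str:
    """What the module does with a packet arriving from the network."""
    if outer.proto in ("esp", "ah"):
        tun = next((t for t in tunnels
                    if t.local_gw == outer.dst and t.remote_gw == outer.src), None)
        if tun is not None:
            # Module is the IPsec gateway: ESP/AH is accepted automatically,
            # decapsulated and decrypted, and only THEN is the inner packet
            # evaluated against the access policies.
            if inner is None:
                raise ValueError("a terminated tunnel carries an inner packet")
            if (ip_address(inner.src) not in ip_network(tun.remote_selector)
                    or ip_address(inner.dst) not in ip_network(tun.local_selector)):
                return "drop: inner packet outside the IPsec traffic selector"
            if policy_permits(policies, inner):
                return "forward: inner packet permitted"
            return "drop: no access policy permits the inner traffic"
        # Tunnel terminates on a gateway behind the module: the firewall only
        # ever sees the ESP/AH packet, so that is what must be permitted.
        if policy_permits(policies, outer):
            return "forward: ESP/AH pass-through permitted"
        return "drop: no access policy permits ESP/AH pass-through"
    return ("forward: permitted" if policy_permits(policies, outer)
            else "drop: no access policy permits this traffic")


def outbound(policies, tunnels, inner: Packet) -> str:
    """Traffic toward the VPN is checked in the clear, BEFORE encapsulation."""
    if not policy_permits(policies, inner):
        return "drop: no access policy permits the inner traffic"
    tun = next((t for t in tunnels
                if ip_address(inner.src) in ip_network(t.local_selector)
                and ip_address(inner.dst) in ip_network(t.remote_selector)), None)
    if tun is not None:
        return f"forward: encapsulated ESP {tun.local_gw} -> {tun.remote_gw}"
    return "forward: sent in the clear (no matching tunnel)"


# Constructed sample: module at 203.0.113.1, one remote client at 198.51.100.7.
TUNNELS = [IPsecTunnel("203.0.113.1", "198.51.100.7", "10.1.0.0/16", "172.16.10.0/24")]
ESP_FROM_CLIENT = Packet("198.51.100.7", "203.0.113.1", "esp")
INNER_SMB = Packet("172.16.10.5", "10.1.2.20", "tcp", 445)          # client -> file server
ESP_TO_INNER_GW = Packet("198.51.100.7", "10.1.0.2", "esp")         # to a gateway behind the module
# Wrong fix: permitting ESP does nothing for a tunnel the module terminates.
WRONG_POLICIES = [AccessPolicy("EXTERNAL", "INTERNAL", "esp", None, "permit")]
# Right fix: permit the inner traffic from the mode-config zone to the server zone
# (the ESP rule is still needed, but only for the pass-through gateway).
RIGHT_POLICIES = [AccessPolicy("VPN_CLIENTS", "INTERNAL", "tcp", 445, "permit"),
                  AccessPolicy("EXTERNAL", "INTERNAL", "esp", None, "permit")]
SERVER_TO_CLIENT = Packet("10.1.2.20", "172.16.10.5", "tcp", 22)


def demo() -> dict:
    return {
        "terminated_wrong": inbound(WRONG_POLICIES, TUNNELS, ESP_FROM_CLIENT, INNER_SMB),
        "terminated_right": inbound(RIGHT_POLICIES, TUNNELS, ESP_FROM_CLIENT, INNER_SMB),
        "passthrough": inbound(RIGHT_POLICIES, TUNNELS, ESP_TO_INNER_GW),
        "outbound_denied": outbound(RIGHT_POLICIES, TUNNELS, SERVER_TO_CLIENT),
        "outbound_permitted": outbound(
            RIGHT_POLICIES + [AccessPolicy("INTERNAL", "VPN_CLIENTS", "tcp", 22, "permit")],
            TUNNELS, SERVER_TO_CLIENT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The `terminated_wrong` case is the situation the paragraph describes: the tunnel is up, the ESP packets are accepted, and the inner SMB packet is still dropped because nothing permits VPN_CLIENTS to INTERNAL. The `outbound_denied` case shows the same rule applied in the other direction, where the packet is refused before it is ever encrypted.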