TMS zl Management and Configuration Guide ST.1.0.090213
D-75
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
• NAT-T (in case an intervening NAT device translates the clients’ or the
module’s IP address)
• L2TP traffic
Note These policies must be configured for the None user group.
Figure D-15. IKE Firewall Access Policies for a Client-to-Site L2TP VPN
Figure D-15 illustrates a client-to-site L2TP over IPsec VPN and displays
the correct access policies.
In this example, access policies use the Self and External zones. You
should always use the Self zone, but your policies might require a different
zone from External. Use the zone that includes the VLAN on which your
TMS zl Module receives traffic from the remote endpoints. If the remote
endpoints are in multiple zones, you must create access policies to and
from each zone.
Access policies
External to Self
  Action   Service       Source         Destination
  Permit   isakmp        Any            172.16.1.254
  Permit   ipsec-nat-t   Any            172.16.1.254
  Permit   l2tp-udp      Any            172.16.1.254
Self to External
  Action   Service       Source         Destination
  Permit   isakmp        172.16.1.254   Any
  Permit   ipsec-nat-t   172.16.1.254   Any
  Permit   l2tp-udp (1701)  172.16.1.254   Any
[Figure D-15 diagram: Internal zone containing the Server VLAN 10.1.30.0/24; External zone containing the Internet VLAN 172.16.1.0/24 with Module = 172.16.1.254; two ProCurve zl switches (Gig-T/SFP zl Module, J8705A) and an L2TP over IPsec tunnel carried across the Internet.]
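The rule in the text above (IKE, IPsec NAT-T and L2TP must be permitted both to and from the Self zone for every zone that carries remote-endpoint traffic, and only for the None user group) can be turned into a quick consistency check. The following is an added example, not code from the ProCurve guide; it models each access policy as a plain tuple (a constructed representation, not the module's own data format), derives the policy set the guide calls for from a list of remote-endpoint zones, and reports which ones a configured table lacks. It goes slightly beyond the figure by handling several zones at once, as the paragraph says you must.

```python
"""Check a TMS zl-style access policy table for the rules a client-to-site
L2TP over IPsec VPN needs.  Added example, not from the guide.

Assumptions (not stated in the guide): a policy is a tuple
(action, service, source zone, destination zone, source, destination,
user group).  Zone names and the module address are constructed to match
Figure D-15 (module 172.16.1.254 in the External zone).
"""
from collections import namedtuple

Policy = namedtuple(
    "Policy", "action service src_zone dst_zone src dst user_group"
)

# Services the guide says must be permitted for the VPN to come up.
# The port numbers are the standard IANA assignments, shown for reference.
REQUIRED_SERVICES = {
    "isakmp": "UDP 500",        # IKE negotiation
    "ipsec-nat-t": "UDP 4500",  # IKE/ESP encapsulated for NAT traversal
    "l2tp-udp": "UDP 1701",     # L2TP control and data
}


def required_policies(module_ip, remote_zones, user_group="None"):
    """Return the permit policies needed to and from each zone that
    delivers remote-endpoint traffic to the module (Self zone)."""
    needed = []
    for zone in remote_zones:
        for svc in REQUIRED_SERVICES:
            # Zone -> Self: endpoint reaches the module's address
            needed.append(Policy("Permit", svc, zone, "Self",
                                 "Any", module_ip, user_group))
            # Self -> Zone: module replies to any endpoint address
            needed.append(Policy("Permit", svc, "Self", zone,
                                 module_ip, "Any", user_group))
    return needed


def missing_policies(configured, module_ip, remote_zones, user_group="None"):
    """Return required policies that are absent from the configured table.
    A policy configured under any user group other than the expected one
    does not count, because the guide requires the None user group."""
    have = set(configured)
    return [p for p in required_policies(module_ip, remote_zones, user_group)
            if p not in have]


# Constructed sample table: the Figure D-15 policies, with the
# Self-to-External l2tp-udp rule deliberately left out so the check
# has something to report.
CONFIGURED = [
    Policy("Permit", "isakmp", "External", "Self", "Any", "172.16.1.254", "None"),
    Policy("Permit", "ipsec-nat-t", "External", "Self", "Any", "172.16.1.254", "None"),
    Policy("Permit", "l2tp-udp", "External", "Self", "Any", "172.16.1.254", "None"),
    Policy("Permit", "isakmp", "Self", "External", "172.16.1.254", "Any", "None"),
    Policy("Permit", "ipsec-nat-t", "Self", "External", "172.16.1.254", "Any", "None"),
]

if __name__ == "__main__":
    for p in missing_policies(CONFIGURED, "172.16.1.254", ["External"]):
        print("missing: %s %s %s -> %s (%s)" % (
            p.action, p.service, p.src_zone, p.dst_zone,
            REQUIRED_SERVICES[p.service]))
```

Run against the sample table it reports the single omitted Self to External l2tp-udp rule; passing a second zone name (for example an additional zone that also faces remote clients) makes it list the six rules that zone needs as well.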