TMS zl Management and Configuration Guide ST.1.0.090213
7-15
Virtual Private Networks
IPsec VPNs
The respondent searches its IPsec policies for a match. When it finds a match,
it returns the policy to the initiator. IKE then manages the generation and
exchange of any hash and encryption keys. It also associates an SPI with the
IPsec SA.
The endpoints can now transmit data securely over the IPsec SA.
XAUTH. XAUTH provides an additional, optional layer of security to IKE. If
enabled, XAUTH occurs between IKE phase 1 and IKE phase 2. Most commonly
implemented for client-to-site VPNs, XAUTH requires endpoints to
authenticate themselves to the network.
The TMS zl Module can act as an XAUTH server and require a remote endpoint
to authenticate itself to the module’s local list of users or a RADIUS database.
The module can then apply to the remote user the firewall access policies
associated with the group to which the remote user authenticates.
The module can also act as an XAUTH client and authenticate itself to a remote
endpoint that requires XAUTH.
IKE Mode Config
At times you will want to assign a virtual IP address on your organization's
private network to remote VPN users. The IKE mode config option can be
configured for client-to-site VPNs—for example, a VPN used by telecommuters.
These users connect to the private network through the VPN tunnel, often
from their home Internet connection. IKE mode config assigns virtual private
addresses to these mobile users for as long as they connect through the VPN
gateway.
IKE mode config allows a relatively small pool of mobile users to access the
VPN from remote locations. (IKE mode config is not designed for wide-scale
management.)
The remote client requests an IP address and default gateway from the IPsec
Remote Access Server (IRAS) on the TMS zl Module between IKE phase 1 and
phase 2 negotiations. It may also request addresses for DNS and WINS servers
that will resolve domain names for the user while on the private network. The
users appear as internal users on the network once they have received the IKE
mode config parameters.
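To make the ordering of the XAUTH and IKE mode config steps concrete, the following is an added example (not the TMS zl Module's own code) that models an IPsec Remote Access Server: after IKE phase 1, it authenticates the user with XAUTH against a constructed local user list, maps the user's group to a firewall access policy, and then answers the mode config request with a virtual address from a small pool plus DNS and WINS server addresses, releasing the address when the tunnel goes down. The user names, passwords, group and policy names, the address pool and the server addresses are all constructed sample values; the attribute names in the reply follow the IKE mode config attribute list.

```python
"""Simplified model of the XAUTH and IKE mode config steps a VPN gateway
performs between IKE phase 1 and phase 2.  Added example code, not the
TMS zl Module's implementation; all users, groups, policies and addresses
below are constructed sample data."""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed local user list: username -> (password, group).  A real
# gateway would consult RADIUS or a hashed local store instead.
LOCAL_USERS = {
    "alice": ("s3cret-alice", "engineering"),
    "bob": ("s3cret-bob", "contractors"),
    "carol": ("s3cret-carol", "contractors"),
}

# Constructed mapping of XAUTH group -> firewall access policy name.
GROUP_POLICIES = {"engineering": "allow-internal", "contractors": "dmz-only"}


@dataclass
class ModeConfigReply:
    """Attributes returned to the client after a mode config request."""
    internal_ip4_address: str
    internal_ip4_netmask: str
    internal_ip4_dns: str
    internal_ip4_nbns: str  # WINS server


@dataclass
class Iras:
    """IPsec Remote Access Server: XAUTH plus a small virtual address pool
    whose leases last only as long as the tunnel is up."""
    pool: ipaddress.IPv4Network
    dns: str
    wins: str
    leases: dict = field(default_factory=dict)  # username -> address

    def xauth(self, user: str, password: str) -> Optional[str]:
        """Return the firewall policy for the user's group, or None on failure."""
        rec = LOCAL_USERS.get(user)
        # Constant-time comparison so a wrong password does not leak timing.
        if rec is None or not hmac.compare_digest(rec[0], password):
            return None
        return GROUP_POLICIES[rec[1]]

    def mode_config(self, user: str) -> Optional[ModeConfigReply]:
        """Hand out the next free address; None when the pool is exhausted."""
        if user not in self.leases:
            in_use = set(self.leases.values())
            free = (str(h) for h in self.pool.hosts() if str(h) not in in_use)
            addr = next(free, None)
            if addr is None:
                return None  # small pool: refuse rather than reuse a live address
            self.leases[user] = addr
        return ModeConfigReply(self.leases[user], str(self.pool.netmask),
                               self.dns, self.wins)

    def tunnel_down(self, user: str) -> None:
        """Release the virtual address when the client disconnects."""
        self.leases.pop(user, None)


def make_iras(cidr: str, dns: str, wins: str) -> Iras:
    """Build a server with a pool given as a CIDR string (constructed values)."""
    return Iras(ipaddress.ip_network(cidr), dns, wins)


def connect(iras: Iras, user: str, password: str) -> Tuple[str, ModeConfigReply]:
    """Steps after IKE phase 1: XAUTH first, then mode config, then phase 2
    would follow.  Raises if either step fails."""
    policy = iras.xauth(user, password)
    if policy is None:
        raise PermissionError(f"XAUTH failed for {user}")
    reply = iras.mode_config(user)
    if reply is None:
        raise RuntimeError("mode config address pool exhausted")
    return policy, reply


if __name__ == "__main__":
    srv = make_iras("10.99.0.0/30", "10.1.1.53", "10.1.1.54")  # two usable addresses
    print(connect(srv, "alice", "s3cret-alice"))
```

Running the module prints Alice's policy and her mode config reply; a third concurrent user on the /30 pool is refused until an earlier tunnel is torn down, which is the "relatively small pool" behaviour the text describes.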
When configuring IKE mode config, follow these guidelines.