TMS zl Management and Configuration Guide ST.1.0.090213

Virtual Private Networks
IPsec VPNs
The TMS zl Module implements NAT-T under any of the following circumstances:
• The client device is behind a NAT device.
• The TMS zl Module is behind a NAT device.
• Both are behind a NAT device.
• Multiple clients are behind separate NAT devices but have the same (overlapping private) IP address.
The TMS zl Module implements NAT-T in this way:
• IKE packets are accepted from any UDP source port, and responses are sent back to the address and port from which the packet came, so clients that share a private address behind different NAT devices are still kept apart by their translated address and port.
• NAT detection during IKE negotiation is performed in accordance with RFC 4306 (the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications).
• UDP encapsulation of ESP packets and NAT keepalives are supported in accordance with RFC 3948.
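The two mechanisms listed above, shown as an added worked example that is not part of this guide and is not the TMS zl Module's own code: a classifier that tells the three kinds of traffic arriving on the NAT-T UDP port apart the way RFC 3948 defines them (a lone 0xFF keepalive, a four-zero-byte non-ESP marker in front of IKE, and everything else ESP), and the RFC 4306 NAT detection check a responder runs by recomputing the peer's NAT_DETECTION_SOURCE_IP hash over the source address and port it actually observed. All SPIs, addresses, ports and the three-client scenario in demo() are constructed sample values.

```python
# Added illustration, not code from the TMS zl guide or the module itself.
# Shows (1) how a NAT-T endpoint tells the three kinds of UDP-encapsulated
# traffic apart per RFC 3948 and (2) how RFC 4306 NAT detection works.
# All SPIs, addresses and ports below are constructed sample values.
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s.2.2: 4 zero bytes precede an IKE message
NAT_KEEPALIVE = b"\xff"              # RFC 3948 s.2.3: single 0xFF byte keeps the NAT mapping alive
# IKE header: SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")


def encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP-encapsulate an IKE message for the NAT-T port (RFC 3948 section 2.2)."""
    return NON_ESP_MARKER + ike_message


def encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP-encapsulate an ESP packet (RFC 3948 section 2.1): SPI || seq || rest of ESP."""
    if spi == 0:
        # SPI 0 is reserved (RFC 4303); allowing it would collide with the non-ESP marker.
        raise ValueError("SPI 0 is reserved")
    return struct.pack("!II", spi, seq) + esp_body


def classify_udp4500(payload: bytes) -> dict:
    """Classify one datagram received on the NAT-T UDP port.

    ESP never carries SPI 0, so a leading 4 zero bytes unambiguously marks IKE,
    and a lone 0xFF byte is a keepalive; anything else is treated as ESP.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        spi_i, spi_r, _next, version, exch, _flags, msg_id, length = IKE_HEADER.unpack_from(ike)
        if length != len(ike):
            return {"kind": "invalid", "reason": "IKE length field does not match datagram"}
        return {"kind": "ike", "spi_i": spi_i, "spi_r": spi_r, "major": version >> 4,
                "exchange_type": exch, "msg_id": msg_id}
    if len(payload) >= 8:
        spi, seq = struct.unpack_from("!II", payload)
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "invalid", "reason": "too short"}


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notification
    (RFC 4306 section 2.23): SHA-1 over SPIi || SPIr || IP address || port."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    packed = spi_i + spi_r + socket.inet_pton(family, ip) + struct.pack("!H", port)
    return hashlib.sha1(packed).digest()


def peer_behind_nat(spi_i: bytes, spi_r: bytes, claimed_source_hash: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """Responder-side check: recompute the peer's NAT_DETECTION_SOURCE_IP over the
    source address and port the datagram actually arrived from. A mismatch means a
    NAT rewrote the peer's address, so ESP for this SA must be UDP-encapsulated."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != claimed_source_hash


def demo() -> dict:
    """Constructed scenario: two clients that both use 192.168.1.10 on their own
    LANs, each behind a different NAT, plus one client with a public address."""
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes(8)  # IKE_SA_INIT: SPIr still zero
    claimed = nat_detection_hash(spi_i, spi_r, "192.168.1.10", 500)  # what both NATed clients send
    direct = nat_detection_hash(spi_i, spi_r, "203.0.113.5", 500)
    return {
        # both NATed clients are detected, and the responder still tells them apart
        # by the distinct (address, port) pairs it replies to
        "client_a_natted": peer_behind_nat(spi_i, spi_r, claimed, "198.51.100.7", 41000),
        "client_b_natted": peer_behind_nat(spi_i, spi_r, claimed, "192.0.2.9", 4500),
        "direct_peer_natted": peer_behind_nat(spi_i, spi_r, direct, "203.0.113.5", 500),
    }


if __name__ == "__main__":
    print(demo())
    print(classify_udp4500(encapsulate_esp(0xDEADBEEF, 1, b"\x00" * 16)))
```

The length check in classify_udp4500 is the one a real endpoint needs before parsing further: on the NAT-T port an attacker can send arbitrary UDP from any source, so nothing after the marker should be trusted until the IKE length field agrees with the datagram. The demo also shows why the module must reply to the observed source port rather than a fixed one: both NATed clients present the identical hash for 192.168.1.10, and only the translated address and port distinguish them.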
Configure an IPsec VPN Connection
To configure an IPsec VPN connection, you must complete these tasks:
1. Optionally, create named objects, which you can use in IPsec policies as well as in the corresponding firewall access policies.
   Using named objects is best practice; however, you can specify IP addresses manually.
2. Create an IKE policy.
   Do not complete this step if you are using manual keying. Note that manually keyed SAs are never rekeyed automatically, so use IKE unless you have a specific reason not to.
   See “Create an IKE Policy” on page 7-22.
3. If you are using certificates, install the correct certificates on the TMS zl Module.
   Do not complete this step if you are using manual keying or if your IKE policy will specify a preshared key.
   See “Install Certificates for IKE” on page 7-37.
4. Create an IPsec proposal.
   See “Create an IPsec Proposal” on page 7-53.
5. Create an IPsec policy.
   See “Create an IPsec Policy” on page 7-55.