TMS zl Management and Configuration Guide ST.1.0.090213

7-85
Virtual Private Networks
IPsec VPNs
Bypass Policies. The TMS zl Module forwards traffic that matches Bypass
policies without securing it with an IPsec SA. By default, the module has
a Bypass policy that selects all traffic, allowing non-VPN traffic that the
firewall permits to reach its destination. You might create additional Bypass
policies for several reasons:
• To allow management traffic to reach the TMS zl Module when its
management IP address is selected by an Apply IPsec policy
• To prevent the TMS zl Module from attempting to encrypt IKE traffic (UDP
port 500)
Encrypting IKE traffic is only a problem if the local or remote gateway
address is selected by an Apply IPsec policy (not typical).
• To exclude from a secure VPN tunnel a subset of IP addresses within a
larger set of IP addresses allowed on the tunnel
Take care to position your policies correctly, because the module applies the
first policy that matches the traffic. If a Bypass policy selects a subset of
the traffic selected by an Apply policy, the Bypass policy must be positioned
higher in the list (a lower position value) than the Apply policy. Similarly, if
an Apply policy selects a subset of the traffic selected by a Bypass policy, the
Apply policy must be positioned higher (lower value). For example, the default
Bypass policy that selects all traffic should always have the last position.
Ignore Policies. The TMS zl Module drops traffic that matches Ignore policies.
Because the firewall applies its access policies before the IPsec policies are
evaluated, you only need Ignore policies for traffic that the firewall permits
but that you nevertheless want to keep off the VPN and away from its destination.
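The following is an added worked example, not part of this guide or of the TMS zl Module software. It models the first-match evaluation of Apply, Bypass and Ignore policies described above and checks the positioning rule: a policy that an earlier policy fully covers can never match, which is what happens when the default all-traffic Bypass policy is not last. The selector fields, the `Policy` class and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Policy:
    """A traffic selector plus an action ("apply", "bypass" or "ignore").
    Hypothetical model for illustration, not the module's own data structure."""
    name: str
    action: str
    src: str = "0.0.0.0/0"          # source network; default selects any host
    dst: str = "0.0.0.0/0"          # destination network
    proto: Optional[str] = None     # None selects any protocol
    port: Optional[int] = None      # None selects any destination port

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, proto) and self.port in (None, port))

    def covers(self, other: "Policy") -> bool:
        """True if every packet `other` selects is also selected by this policy."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in (None, other.proto) and self.port in (None, other.port))

def classify(policies: List[Policy], src: str, dst: str, proto="tcp", port=80) -> str:
    """First match in position order wins, as the text describes for the module."""
    for p in policies:
        if p.matches(src, dst, proto, port):
            return p.action
    return "ignore"   # assumption: unmatched traffic is not forwarded

def unreachable(policies: List[Policy]) -> List[str]:
    """Names of policies an earlier policy fully covers: they can never match.
    With a differing action this is exactly the misordering the text warns about."""
    return [later.name for i, later in enumerate(policies)
            if any(earlier.covers(later) for earlier in policies[:i])]

# Constructed sample policies (addresses are placeholders, not a real deployment).
VPN = Policy("site-to-site", "apply", "10.1.0.0/16", "10.2.0.0/16")
MGMT = Policy("mgmt-bypass", "bypass", "10.1.0.0/16", "10.2.0.10/32", "tcp", 443)
IKE = Policy("ike-bypass", "bypass", proto="udp", port=500)
DEFAULT = Policy("default-bypass", "bypass")   # selects all traffic; must be last

GOOD = [MGMT, IKE, VPN, DEFAULT]   # subsets first, catch-all last
BAD = [DEFAULT, MGMT, IKE, VPN]    # catch-all first shadows everything below it

if __name__ == "__main__":
    print(classify(GOOD, "10.1.5.5", "10.2.7.7"), unreachable(GOOD))  # apply []
    print(classify(BAD, "10.1.5.5", "10.2.7.7"), unreachable(BAD))    # bypass ['mgmt-bypass', 'ike-bypass', 'site-to-site']
```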
Configuration Steps. Follow these steps to create a Bypass or Ignore IPsec
policy:
1. In the left navigation bar of the Web browser interface, select VPN > IPsec.
2. Click the IPsec Policies tab.
Figure 7-68. VPN > IPsec > IPsec Policies Window
3. Click Add IPsec Policy.