TMS zl Management and Configuration Guide ST.1.0.090213
7-116
Virtual Private Networks
Configure Firewall Access Policies for Your VPN
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic somewhere between the gateways), you must create access policies to allow the NAT-T traffic between the remote gateway and the module and vice versa:
   a. For Action, accept the default: Permit Traffic.
   b. For From, select the remote zone.
   c. For To, select Self.
   d. For Service, select ipsec-nat-t-udp.
   e. For Source, specify the remote gateway’s address.
   f. For Destination, leave Any Address or specify the local gateway IP address.
   g. Click Apply.
   h. For From, select Self.
   i. For To, select the remote zone.
   j. For Service, select ipsec-nat-t-udp.
   k. For Source, leave Any Address or specify the local gateway IP address.
   l. For Destination, specify the remote gateway IP address.
   m. Click Apply.
10. In the Add Policy window, click Close.
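As an added illustration (not code from the guide or the TMS zl module), the following Python model of the two NAT-T policies from step 9 checks that the traffic is permitted in both directions and that a single policy leaves the return direction dropped. It assumes the ipsec-nat-t-udp service means UDP port 4500, that the remote zone is External, and uses constructed sample addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY = "Any Address"
SERVICES = {"ipsec-nat-t-udp": ("udp", 4500)}  # assumed: NAT-T is UDP 4500
@dataclass(frozen=True)
class Policy:          # one row of the Add Policy window
    action: str
    frm: str           # From zone ("Self" is the module itself)
    to: str            # To zone
    service: str
    source: str        # IP address or ANY
    destination: str   # IP address or ANY
@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    proto: str
    port: int
    src: str
    dst: str
def _addr_match(rule_addr: str, pkt_addr: str) -> bool:
    return rule_addr == ANY or ip_address(rule_addr) == ip_address(pkt_addr)
def policy_matches(p: Policy, pkt: Packet) -> bool:
    return (p.frm == pkt.from_zone and p.to == pkt.to_zone
            and SERVICES[p.service] == (pkt.proto, pkt.port)
            and _addr_match(p.source, pkt.src)
            and _addr_match(p.destination, pkt.dst))
def evaluate(policies, pkt: Packet) -> str:
    """First matching policy wins; with no match the packet is dropped."""
    for p in policies:
        if policy_matches(p, pkt):
            return p.action
    return "Drop"

# Constructed sample addresses (documentation ranges); remote zone = External.
REMOTE_GW, LOCAL_GW = "203.0.113.10", "198.51.100.1"
NAT_T_POLICIES = [  # the two policies of step 9, one per direction
    Policy("Permit Traffic", "External", "Self", "ipsec-nat-t-udp", REMOTE_GW, ANY),
    Policy("Permit Traffic", "Self", "External", "ipsec-nat-t-udp", ANY, REMOTE_GW),
]
def check_nat_t(policies=NAT_T_POLICIES) -> dict:
    """Verdicts for NAT-T in each direction plus an unlisted remote source."""
    inbound = Packet("External", "Self", "udp", 4500, REMOTE_GW, LOCAL_GW)
    outbound = Packet("Self", "External", "udp", 4500, LOCAL_GW, REMOTE_GW)
    rogue = Packet("External", "Self", "udp", 4500, "203.0.113.99", LOCAL_GW)
    return {k: evaluate(policies, p) for k, p in
            [("inbound", inbound), ("outbound", outbound), ("rogue", rogue)]}
```

Passing only the first policy to check_nat_t shows why step 9 creates a pair: the module's own outbound NAT-T packets are dropped without the Self-to-remote-zone policy.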
Access Policies for an IPsec Site-to-Site VPN with Manual Keying
Before you begin configuring firewall access policies, determine the zone on
which traffic from the remote tunnel gateway arrives. Typically, this is the
External zone, but it could be another zone. The instructions below will refer
to this zone as the “remote zone.”
You should also determine the zone for local endpoints allowed on the VPN.
This might be the Internal zone or another zone. The instructions below will
refer to this zone as the “local zone.” If multiple zones are allowed to access
the VPN, you must create policies for each of these zones.
Then follow these steps:
1. In the left navigation bar of the Web browser interface, select Firewall > Access Policies.
2. Click the Unicast tab.
3. Click Add a Policy.