TMS zl Management and Configuration Guide ST.1.0.090213
Virtual Private Networks
Configure Firewall Access Policies for Your VPN
9. If the IPsec tunnel uses NAT-T (NAT traversal, which encapsulates IKE and ESP
in UDP port 4500) because NAT is performed on traffic somewhere between the
remote endpoints and the module, you must create two access policies, one in
each direction, to allow the NAT-T traffic:
a. For Action, accept the default: Permit Traffic.
b. For From, select the remote zone.
c. For To, select Self.
d. For Service, select ipsec-nat-t-udp.
e. For Source, specify Any Address.
If you know the public addresses of all of your remote endpoints, you
can instead create a named object with those addresses and specify that
object here. Doing so limits which hosts can reach the module's NAT-T
listener, so prefer it whenever the endpoint addresses are static.
f. For Destination, leave Any Address or specify the local gateway IP
address.
g. Click Apply.
h. For the second policy, for From, select Self.
i. For To, select the remote zone.
j. For Service, select ipsec-nat-t-udp.
k. For Source, leave Any Address or specify the local gateway IP address.
l. For Destination, specify Any Address.
If you know the public addresses of all of your remote endpoints, you
can instead specify the same named object you used as the Source in the
first policy.
m. Click Apply.
10. In the Add Policy window, click Close.
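To make the effect of the two policies concrete, the following script is an added example (not part of the guide, and not the module's own policy engine). It models the policy pair of step 9 as first-match rules with an implicit deny at the end, and shows why a named address object is preferable to Any Address for the Source: with Any Address, any Internet host can reach the module's UDP 4500 listener. The zone name External, the service definition, the address-object names and the RFC 5737 addresses are all assumptions constructed for the example.

```python
"""Model of the two NAT-T access policies from step 9 (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any Address"
SELF = "Self"                 # the module's own addresses, as in the From/To selector
REMOTE_ZONE = "External"      # assumed remote zone; the guide says it is typically External

# Service objects. Only ipsec-nat-t-udp is named on the page; NAT-T uses UDP/4500 (RFC 3948).
# The model matches on destination port only and does not track connection state.
SERVICES = {"ipsec-nat-t-udp": ("udp", 4500)}

# Named address objects (constructed; RFC 5737 documentation ranges).
ADDRESS_OBJECTS = {
    "remote-vpn-endpoints": [ip_network("198.51.100.0/24")],
    "local-gateway": [ip_network("203.0.113.1/32")],
}


@dataclass(frozen=True)
class Policy:
    action: str          # "Permit Traffic" or "Deny Traffic"
    from_zone: str
    to_zone: str
    service: str         # key into SERVICES
    source: str          # ANY or an address-object name
    destination: str     # ANY or an address-object name


@dataclass(frozen=True)
class Packet:
    from_zone: str
    to_zone: str
    proto: str
    dst_port: int
    src: str
    dst: str


def address_matches(selector: str, addr: str) -> bool:
    """Any Address matches everything; a named object matches its networks."""
    if selector == ANY:
        return True
    ip = ip_address(addr)
    return any(ip in net for net in ADDRESS_OBJECTS[selector])


def policy_matches(policy: Policy, pkt: Packet) -> bool:
    proto, port = SERVICES[policy.service]
    return (policy.from_zone == pkt.from_zone
            and policy.to_zone == pkt.to_zone
            and (proto, port) == (pkt.proto, pkt.dst_port)
            and address_matches(policy.source, pkt.src)
            and address_matches(policy.destination, pkt.dst))


def evaluate(policies: list, pkt: Packet) -> str:
    """First matching policy wins; unmatched traffic is dropped (assumed implicit deny)."""
    for policy in policies:
        if policy_matches(policy, pkt):
            return policy.action
    return "Deny Traffic"


def nat_t_policies(remote_endpoints: str = ANY, local_gateway: str = ANY) -> list:
    """The two policies of step 9: remote zone -> Self (a-g) and Self -> remote zone (h-m).

    The defaults reproduce the guide's Any Address settings; pass address-object
    names to get the tightened variant the guide recommends when addresses are known.
    """
    inbound = Policy("Permit Traffic", REMOTE_ZONE, SELF, "ipsec-nat-t-udp",
                     remote_endpoints, local_gateway)
    outbound = Policy("Permit Traffic", SELF, REMOTE_ZONE, "ipsec-nat-t-udp",
                      local_gateway, remote_endpoints)
    return [inbound, outbound]


if __name__ == "__main__":
    known_peer = Packet("External", SELF, "udp", 4500, "198.51.100.7", "203.0.113.1")
    unknown_host = Packet("External", SELF, "udp", 4500, "192.0.2.9", "203.0.113.1")
    loose = nat_t_policies()
    tight = nat_t_policies("remote-vpn-endpoints", "local-gateway")
    print("Any Address, unknown host:", evaluate(loose, unknown_host))   # Permit Traffic
    print("named object, unknown host:", evaluate(tight, unknown_host))  # Deny Traffic
    print("named object, known peer:  ", evaluate(tight, known_peer))    # Permit Traffic
```

The outbound policy is the mirror of the inbound one, which is why the guide has you swap the Source and Destination selectors in steps k and l. Because the service object matches UDP 4500 in both policies, plain IKE on UDP 500 is not covered by this pair; it needs its own policy.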
Access Policies for an L2TP over IPsec VPN
Before you begin configuring firewall access policies, determine the zone on
which traffic from the remote endpoints arrives. This is the zone associated
with the TMS VLAN on which the local VPN gateway address is configured.
Typically, this is the External zone, but it could be another zone. The
instructions below refer to this zone as the “remote zone.”
After the remote endpoints have received virtual IP addresses (configured in
users’ dial-in accounts), their traffic is considered to have originated in the
External zone.