TMS zl Management and Configuration Guide ST.1.1.100226
10-73
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
• IKE
• NAT-T (in case an intervening NAT device translates the clients’ or the module’s IP address)
• L2TP traffic
Note: These policies must be configured for the None user group.
Figure 10-14. IKE Firewall Access Policies for a Client-to-Site L2TP VPN
Figure 10-14 illustrates a client-to-site L2TP over IPsec VPN and displays the correct access policies.

In this example, access policies use the Self and External zones. You should always use the Self zone, but your policies might require a different zone from External. Use the zone that includes the VLAN on which your
Access policies

          Action  Service       Source        Destination
External to Self
          Permit  isakmp        Any           172.16.1.254
          Permit  ipsec-nat-t   Any           172.16.1.254
          Permit  l2tp-udp      Any           172.16.1.254
Self to External
          Permit  isakmp        172.16.1.254  Any
          Permit  ipsec-nat-t   172.16.1.254  Any
          Permit  l2tp-udp      172.16.1.254  Any

(l2tp-udp is UDP port 1701.)
[Figure 10-14 topology: Internal zone with Server VLAN 10.1.30.0/24; External zone with Internet VLAN 172.16.1.0/24, Module = 172.16.1.254; L2TP over IPsec connection arriving from the Internet.]
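As an added troubleshooting check (example code written for this page, not part of the guide or the TMS zl software; the policy field layout and the names AccessPolicy and missing_l2tp_policies are assumptions), the following Python script tests a list of access policies for the six permits Figure 10-14 requires and honours the note that they must belong to the None user group:

```python
from dataclasses import dataclass
from typing import List, Tuple

# Services the guide requires for a client-to-site L2TP over IPsec VPN.
REQUIRED_SERVICES = ("isakmp", "ipsec-nat-t", "l2tp-udp")

@dataclass(frozen=True)
class AccessPolicy:
    """One access policy with the columns shown in Figure 10-14 (layout assumed)."""
    from_zone: str
    to_zone: str
    action: str        # "Permit" or "Deny"
    service: str
    source: str        # "Any" or an IP address
    destination: str   # "Any" or an IP address
    user_group: str = "None"

def _covers(field: str, addr: str) -> bool:
    return field.lower() == "any" or field == addr   # "Any" or the module's address

def missing_l2tp_policies(policies: List[AccessPolicy], module_ip: str,
                          external_zone: str = "External") -> List[Tuple[str, str]]:
    """Return (direction, service) pairs that no Permit in the None user group
    covers; the module-side address field must name the module IP (or Any)."""
    inbound, outbound = f"{external_zone} to Self", f"Self to {external_zone}"
    required = {(d, s) for d in (inbound, outbound) for s in REQUIRED_SERVICES}
    satisfied = set()
    for p in policies:
        if p.action.lower() != "permit" or p.user_group != "None":
            continue
        if p.from_zone == external_zone and p.to_zone == "Self" and _covers(p.destination, module_ip):
            satisfied.add((inbound, p.service))
        elif p.from_zone == "Self" and p.to_zone == external_zone and _covers(p.source, module_ip):
            satisfied.add((outbound, p.service))
    return sorted(required - satisfied)

# Constructed sample: the figure's six policies, except that the Self-to-External
# NAT-T permit was mistakenly created for a "VPN-Users" group instead of None.
SAMPLE_POLICIES = [
    AccessPolicy("External", "Self", "Permit", "isakmp", "Any", "172.16.1.254"),
    AccessPolicy("External", "Self", "Permit", "ipsec-nat-t", "Any", "172.16.1.254"),
    AccessPolicy("External", "Self", "Permit", "l2tp-udp", "Any", "172.16.1.254"),
    AccessPolicy("Self", "External", "Permit", "isakmp", "172.16.1.254", "Any"),
    AccessPolicy("Self", "External", "Permit", "ipsec-nat-t", "172.16.1.254", "Any", "VPN-Users"),
    AccessPolicy("Self", "External", "Permit", "l2tp-udp", "172.16.1.254", "Any"),
]

if __name__ == "__main__":
    for direction, service in missing_l2tp_policies(SAMPLE_POLICIES, "172.16.1.254"):
        print(f"missing: Permit {service} for {direction} (None user group)")
```

Run against the sample, the script reports only the Self to External ipsec-nat-t permit, because the one that exists is in the wrong user group.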