TMS zl Management and Configuration Guide ST.1.1.100226

10-96
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
device. Note that some settings are configured in the IPsec proposal and
some are configured in the IPsec policy; the table also indicates where each
setting is configured.
Table 10-17. Match IPsec Security Settings on the Module and Remote Gateway or
Clients
Access Policies for Site-to-Site VPNs. If the VPN > IPsec > VPN
Connections window shows an active IPsec tunnel but traffic cannot cross the
VPN and reach its destination, a firewall access policy is probably to blame.
The TMS zl Module firewall processes outgoing VPN traffic before it is
encapsulated and encrypted, and it processes incoming VPN traffic after it has
been decapsulated and decrypted. In other words, the access policies must
permit the inner IP traffic that is sent over the VPN: the addresses of the
protected endpoints on each side, not the addresses of the two gateways.
Note The TMS zl Module automatically accepts IPsec traffic for which it is the
gateway. You only need to create access policies for AH or ESP traffic when
an IPsec VPN is established through the module to a VPN gateway behind it.
See “Troubleshooting the Firewall” on page 10-36 for tips on troubleshooting
firewall access policies. Keep in mind that access policies must permit any
traffic that you want to send over the tunnel.
The most basic setup is an access policy that exactly matches the IPsec traffic
selector, from the zone for the local endpoints to the zone for the remote
endpoints (the zone on which the remote gateway is reached). This policy lets
local endpoints initiate connections. To allow remote endpoints to initiate
connections, you must also create an access policy that matches the reverse of
the IPsec traffic selector, from the remote endpoints’ zone to the local
endpoints’ zone.
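The following checker walks a set of zone-based access policies and reports whether the inner traffic of a site-to-site tunnel is permitted in each direction. It is an added example and not code from the TMS zl guide or the module itself: the zone names, subnets and policy rows are constructed, and the checker assumes ordered first-match rule evaluation.

```python
"""Check that firewall access policies permit the inner traffic of a
site-to-site IPsec tunnel in both directions.

Added example, not from the TMS zl guide. Zone names, subnets and the policy
table below are constructed; the checker assumes zone-based rules evaluated
in order with the first matching rule deciding (first-match semantics)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    """IPsec policy traffic selector: inner (pre-encryption) addresses."""
    local_net: str        # hosts protected behind the module
    remote_net: str       # hosts protected behind the remote gateway
    protocol: str = "any"


@dataclass(frozen=True)
class AccessPolicy:
    """One firewall access policy between two zones (assumed schema)."""
    from_zone: str
    to_zone: str
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    protocol: str = "any"
    action: str = "permit"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _covers(rule, wanted):
    """True if the rule's address field contains the whole wanted subnet."""
    return rule == "any" or _net(wanted).subnet_of(_net(rule))


def _overlaps(rule, wanted):
    return rule == "any" or _net(wanted).overlaps(_net(rule))


def _proto_ok(rule, wanted):
    return rule == "any" or rule == wanted


def verdict(policies, from_zone, to_zone, src, dst, proto):
    """Walk the policies in order for one direction of the selector.

    Returns "permit"/"deny" from the first rule that covers the whole
    selector, "partial" if the first hit covers only some of it (the
    selector is split across rules; check those by hand), or "missing"
    if no rule for that zone pair touches the selector at all."""
    for p in policies:
        if p.from_zone != from_zone or p.to_zone != to_zone:
            continue
        if not _proto_ok(p.protocol, proto):
            continue
        if _covers(p.src, src) and _covers(p.dst, dst):
            return p.action
        if _overlaps(p.src, src) and _overlaps(p.dst, dst):
            return "partial"
    return "missing"


def check_vpn_access(selector, local_zone, remote_zone, policies):
    """Forward: local zone -> remote zone with the selector as written.
    Reverse: remote zone -> local zone with the selector mirrored."""
    return {
        "local_to_remote": verdict(policies, local_zone, remote_zone,
                                   selector.local_net, selector.remote_net,
                                   selector.protocol),
        "remote_to_local": verdict(policies, remote_zone, local_zone,
                                   selector.remote_net, selector.local_net,
                                   selector.protocol),
    }


# Constructed sample: tunnel between 10.1.0.0/16 (behind the module, zone
# "INTERNAL") and 10.2.0.0/16 (behind the remote gateway, reached through
# zone "EXTERNAL"). The forward rule exists; the reverse one was forgotten.
SELECTOR = TrafficSelector("10.1.0.0/16", "10.2.0.0/16")
POLICIES_BROKEN = [
    AccessPolicy("INTERNAL", "EXTERNAL", "10.1.0.0/16", "10.2.0.0/16"),
    AccessPolicy("INTERNAL", "EXTERNAL", "any", "any"),            # outbound
    AccessPolicy("EXTERNAL", "INTERNAL", "any", "any", action="deny"),
]
# Fixed: the mirrored rule is placed ahead of the catch-all deny.
POLICIES_FIXED = [
    POLICIES_BROKEN[0],
    AccessPolicy("EXTERNAL", "INTERNAL", "10.2.0.0/16", "10.1.0.0/16"),
    *POLICIES_BROKEN[1:],
]

if __name__ == "__main__":
    for name, pol in (("broken", POLICIES_BROKEN), ("fixed", POLICIES_FIXED)):
        print(name, check_vpn_access(SELECTOR, "INTERNAL", "EXTERNAL", pol))
```

In the constructed "broken" set the tunnel comes up and local hosts can reach the remote site, but remote-initiated connections hit the catch-all deny from the external zone, which is exactly the symptom the paragraph above describes. Rule order matters: the mirrored permit has to sit above the deny.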
Setting                    Configured in     TMS zl Module setting            Remote gateway setting
Encapsulation mode         IPsec proposal    Tunnel                           Tunnel
IPsec protocol             IPsec proposal    Same protocol                    Same protocol
Encryption algorithm       IPsec proposal    Same encryption algorithm        Same encryption algorithm
                                             (if any)                         (if any)
Authentication algorithm   IPsec proposal    Same authentication algorithm    Same authentication algorithm
                                             (if any)                         (if any)
PFS enabled                IPsec policy      Same setting                     Same setting
Diffie-Hellman group       IPsec policy      Same group                       Same group
(if PFS is enabled)
SA lifetime                IPsec policy      Same setting for kilobytes       Same setting for kilobytes
                                             and seconds                      and seconds
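A small comparison routine that applies Table 10-17 to two exported setting sets and lists every mismatch, honouring the conditions in the table (the Diffie-Hellman group is only compared when PFS is on, and an absent algorithm is allowed where the table says "if any"). This is an added example, not code from the guide or the module; the dictionary keys and the two sample setting sets are constructed for illustration.

```python
"""List mismatches between the module's and the remote gateway's IPsec
settings according to Table 10-17 of the TMS zl guide.

Added example, not from the guide. The key names and the two sample
setting sets are constructed; map your own export onto these keys."""

# (key, where it is configured on the module), in the order of Table 10-17
CHECKS = [
    ("encapsulation_mode", "IPsec proposal"),
    ("ipsec_protocol", "IPsec proposal"),
    ("encryption_algorithm", "IPsec proposal"),
    ("authentication_algorithm", "IPsec proposal"),
    ("pfs_enabled", "IPsec policy"),
    ("dh_group", "IPsec policy"),
    ("sa_lifetime_seconds", "IPsec policy"),
    ("sa_lifetime_kilobytes", "IPsec policy"),
]


def _norm(value):
    """Treat absent / 'none' / empty algorithms as 'no algorithm' (the table
    says 'if any') and compare strings case-insensitively."""
    if value is None:
        return None
    if isinstance(value, str):
        value = value.strip().lower()
        return None if value in ("", "none", "null") else value
    return value


def compare_ipsec_settings(module, remote):
    """Return a list of (setting, configured_in, detail) for every problem."""
    problems = []
    if _norm(module.get("encapsulation_mode")) != "tunnel":
        problems.append(("encapsulation_mode", "IPsec proposal",
                         "site-to-site VPN requires tunnel mode on both sides"))
    # AH carries no encryption, so an encryption algorithm with AH is a
    # configuration inconsistency on whichever side sets it.
    for side, cfg in (("module", module), ("remote", remote)):
        if _norm(cfg.get("ipsec_protocol")) == "ah" and \
                _norm(cfg.get("encryption_algorithm")) is not None:
            problems.append(("encryption_algorithm", "IPsec proposal",
                             f"{side} sets encryption but uses AH"))
    pfs_on = bool(module.get("pfs_enabled")) or bool(remote.get("pfs_enabled"))
    for key, where in CHECKS:
        if key == "dh_group" and not pfs_on:
            continue  # DH group is only compared when PFS is enabled
        m, r = _norm(module.get(key)), _norm(remote.get(key))
        if m != r:
            problems.append((key, where, f"module={m!r} remote={r!r}"))
    return problems


# Constructed sample: two sides that agree on everything except the PFS
# group and the time-based SA lifetime (a common real-world mismatch).
MODULE = {
    "encapsulation_mode": "tunnel", "ipsec_protocol": "esp",
    "encryption_algorithm": "aes-256", "authentication_algorithm": "sha1",
    "pfs_enabled": True, "dh_group": 2,
    "sa_lifetime_seconds": 3600, "sa_lifetime_kilobytes": 4608000,
}
REMOTE = dict(MODULE, dh_group=5, sa_lifetime_seconds=28800)

if __name__ == "__main__":
    for setting, where, detail in compare_ipsec_settings(MODULE, REMOTE):
        print(f"{setting} ({where}): {detail}")
```

Each line of output names the setting, the place on the module where it is configured (proposal or policy), and the two values, so the fix can be made on the correct screen. Phase 1 (IKE) settings are not part of this table and are not checked here.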