Manualshelf

TMS zl Management and Configuration Guide ST.1.1.100226

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module
561562563564565566567568569570
7-60
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
If you will not use IKE mode config, you must match the exact value
that the remote clients send for their local IP address (indicated by 3
in the example figure). Some clients always send their actual IP
address. In this case, you must specify this single address and create
a separate IPsec policy for each remote client. Other clients (such as
the Mac IPSecuritas) can send an entire subnet. Do one of the follow-
ing to specify addresses:
Manually type an IP address, IP address range, or network
address in CIDR format
Select a single-entry IP, range, or network address object.
Select Any to permit any IP address.
Caution Take great care when specifying Any. You might inadvertently
block necessary traffic. For example, if you select a local subnet
for the local addresses, Any for the protocol, and Any for the
remote addresses, the TMS zl Module will no longer allow end-
points on the local subnet to send any traffic except to remote
VPN clients. You might need to create Bypass policies. See “Con-
figure Bypass and Deny IPsec Policies” on page 7-352.
e. For Remote Port, type a specific port number or leave the box empty
(which allows traffic to all ports). Typically, you should leave the box
empty.
f. If you selected ICMP for the protocol, for ICMP Type, leave Any.
Selecting a specific ICMP type requires you to use manual keying,
which is not typically an option for client-to-site VPNs.
9. For Proposal, select a previously configured IPsec proposal.
The IPsec proposal specifies the IPsec mode, IPsec protocol, and the
authentication and encryption algorithms that secure the VPN connec-
tion. See “Create an IPsec Proposal” on page 7-53.
10. Click Next.