TMS zl Management and Configuration Guide ST.1.1.100430

7-20
Virtual Private Networks
IPsec Concepts
Traffic selectors—the traffic that is allowed over the IPsec SA (VPN tunnel)
The traffic selector specifies local and remote IP addresses (the local
addresses on one endpoint must match the remote addresses on the
other). Optionally, the selector can select a specific IP protocol or a
specific TCP or UDP service.
Other advanced options
The respondent searches its IPsec policies for a match. When it finds a match,
it returns the policy to the initiator. IKE then manages the generation and
exchange of any hash and encryption keys. (If the endpoints agreed to use
PFS, they proceed once again through the Diffie-Hellman process). IKE also
associates an SPI with the IPsec SA.
The endpoints can now transmit data securely over the IPsec SA. The VPN
connection is complete.
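The two rules above, that a traffic selector's local and remote addresses must be the mirror image of the peer's, and that the responder picks the IPsec policy whose selector matches what the initiator proposed, are shown below as an added worked example. This is illustrative Python written for this page, not TMS zl firmware or CLI output; the TrafficSelector and IPsecPolicy classes, the function names and the site A / site B sample policies are all constructed assumptions.

```python
"""Added example: mirror-check of IPsec traffic selectors and a responder-side
policy lookup. Illustrative code for this page, not TMS zl code; every class,
function and sample value here is constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class TrafficSelector:
    local: str                        # local address or prefix, e.g. "10.1.0.0/24"
    remote: str                       # remote address or prefix
    protocol: Optional[int] = None    # IP protocol number; None = any protocol
    port: Optional[int] = None        # TCP/UDP service port; None = any service

    def mirrors(self, other: "TrafficSelector") -> bool:
        """True when this selector is the mirror image of the peer's selector:
        my local == its remote, my remote == its local, and the optional
        protocol/service constraints are identical on both sides."""
        return (ip_network(self.local) == ip_network(other.remote)
                and ip_network(self.remote) == ip_network(other.local)
                and self.protocol == other.protocol
                and self.port == other.port)


@dataclass(frozen=True)
class IPsecPolicy:
    name: str
    selector: TrafficSelector
    pfs: bool = False                 # whether a second Diffie-Hellman exchange is required


# Constructed sample: the IPsec policies configured on the responder (site B,
# private network 10.2.0.0/24). Site A uses 10.1.0.0/24, site C uses 10.9.0.0/24.
SITE_B_POLICIES: List[IPsecPolicy] = [
    IPsecPolicy("to-site-a",
                TrafficSelector(local="10.2.0.0/24", remote="10.1.0.0/24"), pfs=True),
    IPsecPolicy("to-site-c-https",
                TrafficSelector(local="10.2.0.0/24", remote="10.9.0.0/24",
                                protocol=6, port=443)),
]


def find_matching_policy(responder_policies: List[IPsecPolicy],
                         initiator_selector: TrafficSelector) -> Optional[IPsecPolicy]:
    """Responder-side search: return the first local policy whose selector
    mirrors the selector the initiator proposed, or None if nothing matches
    (in which case no IPsec SA can be built for that traffic)."""
    for policy in responder_policies:
        if policy.selector.mirrors(initiator_selector):
            return policy
    return None


def negotiate(responder_policies: List[IPsecPolicy],
              initiator_selector: TrafficSelector) -> str:
    """Summarise the outcome of the policy match for an operator."""
    policy = find_matching_policy(responder_policies, initiator_selector)
    if policy is None:
        return "no matching IPsec policy; SA not established"
    pfs_note = " (PFS: extra Diffie-Hellman exchange)" if policy.pfs else ""
    return f"matched policy {policy.name}{pfs_note}"


if __name__ == "__main__":
    # Site A correctly mirrors site B: local 10.1.0.0/24, remote 10.2.0.0/24.
    print(negotiate(SITE_B_POLICIES, TrafficSelector("10.1.0.0/24", "10.2.0.0/24")))
    # Common misconfiguration: site A copied site B's selector verbatim
    # instead of mirroring it, so local/remote are the wrong way round.
    print(negotiate(SITE_B_POLICIES, TrafficSelector("10.2.0.0/24", "10.1.0.0/24")))
    # Protocol/service constraints must also agree on both ends.
    print(negotiate(SITE_B_POLICIES, TrafficSelector("10.9.0.0/24", "10.2.0.0/24",
                                                     protocol=6, port=443)))
```

The second call in the usage section shows the failure mode worth remembering when a tunnel refuses to come up: both endpoints were given the same local/remote pair rather than mirrored ones, so the responder finds no policy and no SA is created.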
XAUTH
XAUTH provides an additional, optional layer of security to IKE. If enabled,
XAUTH occurs between IKE phase 1 and IKE phase 2. Most commonly implemented
for client-to-site VPNs, XAUTH requires endpoints to authenticate
themselves to the network.
The TMS zl Module can act as an XAUTH server and require a remote endpoint
to authenticate itself to the module’s local list of users or a RADIUS database.
The module can then apply to the remote user the firewall access policies
associated with the group to which the remote user authenticates. The
module can also act as an XAUTH client and authenticate itself to a remote
endpoint that requires XAUTH.
IKE Mode Config
At times you will want to assign a virtual IP address on your organization's
private network to remote VPN users. The IKE mode config option can be
configured for client-to-site VPNs—for example, a VPN used by telecommuters.
These users connect to the private network through the VPN tunnel, often
from their home Internet connection. IKE mode config assigns virtual private
addresses to these mobile users for as long as they connect through the VPN
gateway.
IKE mode config allows a relatively small pool of mobile users to access the
VPN from remote locations. (IKE mode config is not designed for wide-scale
management.)