TMS zl Management and Configuration Guide ST.1.1.100430
7-58
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
• Deny—Traffic is discarded.
For information on configuring Bypass and Deny policies, see “Configure
Bypass and Deny IPsec Policies” on page 7-351.
7. For Position, type a number.
The position determines the order in which the TMS zl Module processes
IPsec policies. The module processes the policy with the lowest value first
(for example, position 1 before position 2). The position matters most
when policies have overlapping traffic selectors. In this case, assign the
highest position (lowest value) to the IPsec policy with the most specific
traffic selector.
Note that you can specify a position that is already used by another policy.
The new policy is inserted above the former policy. You can use the arrow
icons in the Tools column in the VPN > IPsec > IPsec Policies window to
rearrange policies. Remember the policy at the top of the display is the
first policy processed.
A default IPsec policy prevents all traffic from being encrypted by the VPN
engine; therefore, all IPsec policies that you configure must have a higher
priority than this default policy.
Next, you configure the VPN traffic selector, which determines which traffic
is selected by the policy. For example, the selector might specify all IP traffic
between 192.168.2.0/24 (a local subnet) and 192.168.3.0/24 (a remote subnet).
For a policy with the Apply action, the selected traffic is the traffic that is sent,
received, and secured on the IPsec SA.
Caution If your traffic selector will include management traffic to the TMS zl Module
itself, you first must configure a Bypass policy with top priority that selects
the management traffic, or you will be locked out of the Web browser interface.
If you do lock yourself out, reboot the module, but DO NOT SAVE the
configuration.
Similarly, the traffic selector must not include the local gateway address
(configured in the IKE policy) unless the selector is limited to specific protocols
such as UDP L2TP. If, however, for whatever reason the local addresses
include the local gateway address without such limitation, you must create a
Bypass policy to exclude IKE traffic to and from the module from the VPN.
Otherwise the VPN cannot be established.
See “Configure Bypass and Deny IPsec Policies” on page 7-351.
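The ordering rules in step 7 and the management-lockout caution above, modelled as an added Python example (this is not the TMS zl Module's code or API): policies are processed lowest position first, a reused position inserts the new policy above the former holder, and management traffic to the module must reach a Bypass policy before any Apply policy. Addresses and policy names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the ordering rules described above; an added
# illustration, not the TMS zl Module's own code or API.
@dataclass
class IpsecPolicy:
    name: str
    action: str            # "Apply", "Bypass" or "Deny"
    position: int          # lowest value is processed first
    local: str             # local side of the traffic selector (CIDR)
    remote: str            # remote side of the traffic selector (CIDR)
    protocol: str = "any"  # "any", "udp", "tcp", ...

def insert_policy(policies, new):
    """Insert `new` so that a reused position places it above the former
    holder, then renumber 1..n so positions stay unique (assumed behaviour)."""
    ordered = sorted(policies, key=lambda p: p.position)
    idx = next((i for i, p in enumerate(ordered) if p.position >= new.position),
               len(ordered))
    ordered.insert(idx, new)
    for pos, p in enumerate(ordered, start=1):
        p.position = pos
    return ordered

def first_match(policies, local_host, remote_host, proto="any"):
    """Return the lowest-position policy whose selector covers the flow, or
    None when it falls through to the default (not encrypted) policy."""
    l, r = ip_address(local_host), ip_address(remote_host)
    for p in sorted(policies, key=lambda p: p.position):
        if (l in ip_network(p.local) and r in ip_network(p.remote)
                and p.protocol in ("any", proto)):
            return p
    return None

def management_reachable(policies, module_ip, admin_ip):
    """The caution above: management traffic to the module must hit a Bypass
    policy before any Apply policy, or the Web interface is locked out."""
    hit = first_match(policies, module_ip, admin_ip)
    return hit is None or hit.action == "Bypass"

def example():
    # Constructed: module at 192.168.2.1, administrator at 192.168.3.5
    site = [IpsecPolicy("site-to-site", "Apply", 1,
                        "192.168.2.0/24", "192.168.3.0/24")]
    before = management_reachable(site, "192.168.2.1", "192.168.3.5")  # False
    # Fix: a Bypass policy for the module's own address at position 1
    site = insert_policy(site, IpsecPolicy("mgmt-bypass", "Bypass", 1,
                                           "192.168.2.1/32", "192.168.3.0/24"))
    after = management_reachable(site, "192.168.2.1", "192.168.3.5")   # True
    return before, after, [(p.name, p.position) for p in site]
```

Running `example()` shows the Apply policy alone would lock out management and that the inserted Bypass policy takes position 1, pushing the site-to-site policy to position 2.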
If your traffic selector will include traffic that is also selected for NAT, you
must create a NAT exclusion policy. See “Exclusion NAT Policies” in
Chapter 5: “Network Address Translation.”