TMS zl Management and Configuration Guide ST.1.1.100430

7-130
Virtual Private Networks
Configure an IPsec Site-to-Site VPN with Manual Keying
8. For Traffic Selector, configure these settings:
a. For Protocol, specify the protocol for traffic allowed over the VPN:
   Any—Any IP protocol. Select this option when you want to select all traffic between local and remote endpoints.
   TCP or UDP—Select this option in conjunction with a remote port to allow local traffic destined for specific services in the remote network. Select this option in conjunction with a local port to allow remote traffic destined for specific services in the local network.
   ICMP—Select this option when you want to allow only ICMP traffic or ICMP traffic of a specific type.
   IP Protocols—Select one of these Layer 3 protocols, which are listed by their IANA IP Protocol numbers. Service objects and service groups will not appear in this list.
b. For Local Address, specify the IP addresses of all local endpoints that are allowed to send traffic over the VPN (indicated by 2 in the figure). Do one of the following to specify addresses:
   Select Any to permit any IP address.
   Select the single-entry IP, range, or network address object that you configured for local endpoints. (An address object is not valid for a transport-mode VPN.)
   Manually type an IP address (for an L2TP over IPsec VPN, type the IP address of the local VPN gateway), IP address range, or network address in CIDR format (192.168.1.1/24).
Note  Typically, the local addresses are internal addresses on your private network, while the local gateway address (which you configured in the IKE policy) is the TMS zl Module’s public or external address. If, however, for whatever reason the set of local addresses that you specify here includes the local gateway address, you must create a Bypass policy to exclude IKE traffic to and from the module from the VPN. Otherwise the VPN cannot be established. See “Configure Bypass and Deny IPsec Policies” on page 7-351.
c. Local Port is present if you selected TCP or UDP for Protocol. Type a specific port for the service to which remote clients are allowed access, or leave the field blank (which allows traffic to any port).
d. For Remote Address, specify the IP addresses of all remote endpoints allowed to send and receive traffic over the VPN (indicated by 4 in the figure).
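The following is an added worked example, not code from the TMS zl Module or this guide. It models the Traffic Selector fields from step 8 (Protocol, Local Address, Local Port, Remote Address) and applies the two consistency checks the steps and the Note call for: ports are only meaningful with TCP or UDP, and a local address set that contains the local gateway address (from the IKE policy) needs a Bypass policy for IKE traffic. The entry syntax it accepts (any, a single IP, a "start-end" range, or CIDR), the function names, and the constructed sample addresses are assumptions drawn from the three forms the steps describe.

```python
"""Consistency checks for an IPsec traffic selector (added example).

Not the TMS zl Module's own code. The text syntax accepted for an address
entry (any, single IP, "start-end" range, CIDR) is an assumption based on
the three forms the configuration steps describe.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers for the named options; "any" has no number.
PROTO_NUMBERS = {"any": None, "tcp": 6, "udp": 17, "icmp": 1}
PORT_PROTOCOLS = {6, 17}  # only TCP and UDP carry port numbers


@dataclass
class TrafficSelector:
    protocol: str            # "any", "tcp", "udp", "icmp" or an IANA number ("47")
    local_addresses: str     # "any", single IP, "start-end" range, or CIDR
    remote_addresses: str
    local_port: Optional[int] = None
    remote_port: Optional[int] = None


def protocol_number(proto: str) -> Optional[int]:
    """Map a Protocol selection to its IANA number (None for Any)."""
    key = str(proto).strip().lower()
    if key in PROTO_NUMBERS:
        return PROTO_NUMBERS[key]
    if key.isdigit() and 0 <= int(key) <= 255:
        return int(key)
    raise ValueError(f"unknown protocol selection: {proto!r}")


def parse_address_entry(entry: str) -> list:
    """Expand one address entry into ip_network objects.

    A "start-end" range becomes the minimal set of CIDR blocks covering it.
    A CIDR with host bits set (the guide's 192.168.1.1/24) is accepted and
    normalised to its network address, 192.168.1.0/24.
    """
    text = entry.strip().lower()
    if text == "any":
        # wildcard for both address families
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    if "-" in text:
        start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {entry!r}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(text, strict=False)]


def validate_selector(sel: TrafficSelector, local_gateway: str) -> List[str]:
    """Return findings for a selector; an empty list means it is consistent.

    local_gateway is the module's own address as set in the IKE policy.
    """
    findings = []
    number = protocol_number(sel.protocol)
    ports = [p for p in (sel.local_port, sel.remote_port) if p is not None]
    if ports and number not in PORT_PROTOCOLS:
        findings.append("ports are only valid when Protocol is TCP or UDP")
    for port in ports:
        if not 1 <= port <= 65535:
            findings.append(f"port {port} is outside 1-65535")
    # Per the Note: a local address set that covers the gateway itself would
    # pull IKE traffic into the VPN unless a Bypass policy excludes it.
    gateway = ipaddress.ip_address(local_gateway)
    if any(gateway in net for net in parse_address_entry(sel.local_addresses)):
        findings.append(
            f"local gateway {gateway} falls inside the local addresses; "
            "a Bypass policy for IKE traffic is required or the VPN cannot be established")
    return findings


if __name__ == "__main__":
    gateway = "203.0.113.10"   # constructed public address of the local VPN gateway
    # LAN-to-LAN selector limited to HTTPS on the remote side: consistent
    ok = TrafficSelector("tcp", "192.168.1.0/24", "10.0.0.0/16", remote_port=443)
    print("ok:", validate_selector(ok, gateway))
    # A range that sweeps in the gateway itself, plus a port on an ICMP selector
    bad = TrafficSelector("icmp", "192.168.1.1-203.0.113.50", "10.0.0.0/16", local_port=80)
    for finding in validate_selector(bad, gateway):
        print("finding:", finding)
```

Running the block as a script prints an empty finding list for the first selector and two findings for the second. The gateway check is deliberately conservative: selecting Any for Local Address also triggers it, because "any" necessarily includes the gateway address.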