TMS zl Management and Configuration Guide ST.1.1.100430
Virtual Private Networks
Configure an IPsec Site-to-Site VPN with Manual Keying
f. For Destination, specify the local addresses which the remote users
are allowed to access.
You can specify the addresses manually or select a previously configured
address object.
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your
system. For example, type 1356.
i. Click the Basic tab.
j. Click Apply.
6. In the Add Policy window, click Close.
Verify Routes for an IPsec Site-to-Site VPN
In the Network > Routing > View Routes window, verify that the following routes
exist. These routes can be static routes or routes discovered through a
dynamic routing protocol:
■ A route to the remote VPN gateway
The route’s forwarding interface must be the interface with the IP address
that you specified as the local gateway address in the IKE policy.
This can be a default route.
■ A route to the remote endpoints for which the next hop is the same as in
the route to the remote gateway
If the route to the remote gateway is the default route, a separate route is
not required.
Figure 7-119 shows an example site-to-site VPN. The remote gateway IP
address is 192.168.1.22. The remote endpoints behind the gateway are in
subnet 10.1.55.0/24. In this example, a default route through 192.168.115.1, the
local router in the path to these subnets, could fulfill the requirements for both
routes. However, to better illustrate the necessary routes, the figure shows
two specific routes. Note that, no matter how you set up the routes, the local
VPN gateway configured in the IKE policy must be 192.168.115.71, which is
the module IP address on the forwarding VLAN for these routes.
See Chapter 9: “Routing” for instructions on setting up routes.
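The two route requirements above can also be checked offline against an exported routing table. The following is an added example, not code from this guide or from the module: the route tables are constructed from the example's addresses, the /24 mask on the local gateway address and the 192.168.20.1 next hop are assumptions, and the forwarding-interface check is approximated by testing that the next hop lies in the local gateway's subnet (IPv4 only).

```python
import ipaddress

def covering_route(routes, target):
    """Longest-prefix match: the most specific route whose network contains target."""
    net = ipaddress.ip_network(target)
    hits = [r for r in routes if net.subnet_of(ipaddress.ip_network(r[0]))]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def verify_vpn_routes(routes, local_gw_if, remote_gw, remote_subnet):
    """Return a list of problems; an empty list means both required routes exist."""
    local_if = ipaddress.ip_interface(local_gw_if)
    gw_route = covering_route(routes, remote_gw)
    if gw_route is None:
        return [f"no route to remote gateway {remote_gw}"]
    problems = []
    gw_hop = gw_route[1]
    # Requirement 1: the route must leave through the interface that holds the
    # local gateway address from the IKE policy (next hop on that subnet).
    if ipaddress.ip_address(gw_hop) not in local_if.network:
        problems.append(f"route to {remote_gw} via {gw_hop} does not use the "
                        f"interface holding {local_if.ip}")
    # Requirement 2: remote endpoints must share the gateway route's next hop.
    ep_route = covering_route(routes, remote_subnet)
    if ep_route is None:
        problems.append(f"no route to remote endpoints {remote_subnet}")
    elif ep_route[1] != gw_hop:
        problems.append(f"{remote_subnet} goes via {ep_route[1]}, "
                        f"but the remote gateway goes via {gw_hop}")
    # A more specific route inside the remote subnet can divert part of it.
    sub = ipaddress.ip_network(remote_subnet)
    for dest, hop in routes:
        n = ipaddress.ip_network(dest)
        if n != sub and n.subnet_of(sub) and hop != gw_hop:
            problems.append(f"{dest} via {hop} diverts part of {remote_subnet}")
    return problems

# Constructed route tables as (destination, next hop) pairs.
LOCAL_GW_IF = "192.168.115.71/24"   # /24 mask is an assumption
REMOTE_GW, REMOTE_SUBNET = "192.168.1.22", "10.1.55.0/24"
TWO_ROUTES = [("192.168.1.22/32", "192.168.115.1"), ("10.1.55.0/24", "192.168.115.1")]
DEFAULT_ONLY = [("0.0.0.0/0", "192.168.115.1")]
SPLIT_HOPS = [("0.0.0.0/0", "192.168.115.1"), ("10.1.55.0/24", "192.168.20.1")]

if __name__ == "__main__":
    for name, table in [("two routes", TWO_ROUTES), ("default only", DEFAULT_ONLY),
                        ("split next hops", SPLIT_HOPS)]:
        print(name, verify_vpn_routes(table, LOCAL_GW_IF, REMOTE_GW, REMOTE_SUBNET))
```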