TMS zl Management and Configuration Guide ST.1.2.100916
10-101
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
• The remote gateway
If the module uses a default route to reach the remote gateway, that route
suffices for the remote endpoints as well. However, when the TMS zl
Module has a specific route to the remote VPN gateway, you must add a
route to the remote network beyond the gateway. Use the same next-hop
as the route to the remote gateway, as shown in Figure 10-24.
Figure 10-24. Routes for a Site-to-Site VPN
4. Check the IPsec policy, and verify that it uses the IKE policy that you
configured for the site-to-site connection. Also verify that the traffic
selector is configured correctly. The protocol, local address, local port (if
any), remote address, and remote port (if any) must match the traffic that
you are attempting to send from the test client.
Note: Check all network objects used in the IPsec policy and verify that they are up-to-date and accurate.
5. Check the local gateway address in the IKE policy. Verify that this address
is the module IP address that the remote gateway contacts.
6. Check the IKE policies on the TMS zl Module and the remote gateway (if
possible). Ensure that both specify the same key exchange mode (main
or aggressive).
[Figure 10-24 diagram; recoverable labels]
Routes: 172.16.24.0/24 through 172.16.1.1; 192.168.5.0/24 through 172.16.1.1
Zones and VLANs: Internal zone; External zone; Server VLAN 10.1.30.0/24; Internet VLAN 172.16.1.0/24; Module = 172.16.1.254
Remote side: Internet; VPN gateway 172.16.24.253; Remote network 192.168.5.0/24; IPsec connection
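The route check and the traffic selector check in step 4 can be scripted offline against an exported route table and policy. The following is an added example, not part of the guide or of the TMS zl software. The function names, the dictionary layout, the "any" protocol value, and the sample selector and test packet are assumptions; the addresses come from Figure 10-24. It generalizes the route rule slightly by flagging any case where the remote network resolves to a different next-hop than the remote gateway.

```python
import ipaddress

def best_route(routes, target):
    """Longest-prefix match for a host or network; returns (network, next_hop) or None."""
    net = ipaddress.ip_network(target)
    hits = [(ipaddress.ip_network(r), hop) for r, hop in routes
            if net.subnet_of(ipaddress.ip_network(r))]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def check_routes(routes, gateway, remote_net):
    """Problems with the routes toward the remote gateway and the network beyond it."""
    gw, rn = best_route(routes, gateway), best_route(routes, remote_net)
    if gw is None:
        return [f"no route to remote gateway {gateway}"]
    if rn is None:
        return [f"no route to remote network {remote_net}; add one through {gw[1]}"]
    if rn[1] != gw[1]:
        return [f"{remote_net} uses next-hop {rn[1]}, but the gateway route uses {gw[1]}"]
    return []

def selector_mismatches(selector, pkt):
    """Fields of the test traffic that the IPsec traffic selector does not cover."""
    bad = []
    if selector["protocol"] not in ("any", pkt["protocol"]):
        bad.append("protocol")
    for side, addr, port in (("local", "src", "sport"), ("remote", "dst", "dport")):
        if ipaddress.ip_address(pkt[addr]) not in ipaddress.ip_network(selector[side]):
            bad.append(f"{side} address")
        want = selector.get(f"{side}_port")  # None means no port restriction
        if want is not None and want != pkt[port]:
            bad.append(f"{side} port")
    return bad

# Constructed sample data; addresses are taken from Figure 10-24.
GATEWAY, REMOTE_NET = "172.16.24.253", "192.168.5.0/24"
ROUTES_OK = [("172.16.24.0/24", "172.16.1.1"), ("192.168.5.0/24", "172.16.1.1")]
ROUTES_MISSING = [("172.16.24.0/24", "172.16.1.1")]      # specific gateway route only
ROUTES_DEFAULT = [("0.0.0.0/0", "172.16.1.1")]           # default route covers both
SELECTOR = {"protocol": "tcp", "local": "10.1.30.0/24", "remote": "192.168.5.0/24",
            "remote_port": 80}                           # hypothetical policy
PKT = {"protocol": "tcp", "src": "10.1.30.25", "sport": 40000,
       "dst": "192.168.5.10", "dport": 443}              # hypothetical test traffic

if __name__ == "__main__":
    for name, table in (("ok", ROUTES_OK), ("missing", ROUTES_MISSING), ("default", ROUTES_DEFAULT)):
        print(name, check_routes(table, GATEWAY, REMOTE_NET) or "routes consistent")
    print("selector mismatches:", selector_mismatches(SELECTOR, PKT) or "none")
```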