TMS zl Management and Configuration Guide ST.1.2.100916

7-20
Virtual Private Networks
IPsec Concepts
The remote client requests an IP address and default gateway from the IPsec
Remote Access Server (IRAS) on the TMS zl Module between the IKE phase 1 and
phase 2 negotiations. It may also request the addresses of DNS and WINS servers
that will resolve domain names for the user while on the private network. Once
the users have received the IKE mode config parameters, they appear as internal
users on the network.
When configuring IKE mode config, follow these guidelines.
You can configure IKE mode config only for an IPsec policy whose Key
Management is Auto (with IKEv1) and that references a client-to-site
IKEv1 policy. Each IKEv1 client-to-site policy supports only one IP
address pool.
Microsoft Windows VPN clients and IPSecuritas for Macintosh VPN clients
do not support the TMS zl Module implementation of IKE mode config.
When configuring the IPsec policy for IKE mode config, on the traffic
selector (Step 1 of 4):
Local Address must be the local addresses behind the TMS zl Module.
You must specify these addresses manually instead of selecting a
named object or Any.
Remote Address must be the IKE mode config addresses.
As always, you must create access policies that permit the traffic that the
remote VPN endpoints send over the VPN tunnel. The source zone for
these policies is the IKE mode config zone.
When you configure IKE mode config in the IPsec policy (Step 3 of 4),
IRAS IP Address/Mask is the IP address that the TMS zl Module uses to
route traffic from the IKE mode config addresses. This address and
associated subnet must be unique and not part of a TMS VLAN.
A virtual interface will be created and associated with this subnet. You
can see this interface as a connected route on the Network > Routing >
View Routes window. The interface is designated irstintXXX, where XXX is
a unique three-digit number.
The address ranges for IKE mode config must be in the same subnet as
the IRAS IP address. These ranges are also configured in the IPsec policy
(Step 3 of 4).
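The guidelines above amount to a handful of addressing rules that are easy to get wrong when filling in the four-step policy wizard: the IRAS subnet must not overlap a TMS VLAN, every IKE mode config range must sit inside the IRAS subnet, and the traffic selector's Local Address must be explicit addresses rather than Any or a named object. The following Python check is an added example, not part of the guide or of the TMS zl software; the ModeConfigPlan fields, the sample addresses and VLANs are constructed for illustration. The test that a pool range does not include the IRAS address itself is an added sanity check that the guide does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ModeConfigPlan:
    """Values a practitioner would enter in the IPsec policy wizard (hypothetical structure)."""
    iras_address: str                   # IRAS IP Address/Mask (Step 3 of 4), e.g. "10.99.0.1/24"
    pool_ranges: List[Tuple[str, str]]  # IKE mode config ranges (Step 3 of 4) as (first, last)
    tms_vlan_subnets: List[str]         # subnets already assigned to TMS VLANs
    local_addresses: List[str]          # traffic-selector Local Address entries (Step 1 of 4)


def check_mode_config(plan: ModeConfigPlan) -> List[str]:
    """Return the list of guideline violations; an empty list means the plan passes."""
    problems: List[str] = []
    iras = ipaddress.ip_interface(plan.iras_address)
    iras_subnet = iras.network

    # Guideline: the IRAS address and its subnet must be unique and not part of a TMS VLAN.
    for vlan in plan.tms_vlan_subnets:
        vlan_net = ipaddress.ip_network(vlan, strict=False)
        if iras_subnet.overlaps(vlan_net):
            problems.append(f"IRAS subnet {iras_subnet} overlaps TMS VLAN {vlan_net}")

    # Guideline: every IKE mode config range must be in the same subnet as the IRAS address.
    for first, last in plan.pool_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            problems.append(f"range {first}-{last} is reversed")
            continue
        if lo not in iras_subnet or hi not in iras_subnet:
            problems.append(f"range {first}-{last} is not within IRAS subnet {iras_subnet}")
        elif lo <= iras.ip <= hi:
            # Assumption, not stated in the guide: handing a client the IRAS address
            # would collide with the address of the module's own irstint virtual interface.
            problems.append(f"range {first}-{last} includes the IRAS address {iras.ip}")

    # Guideline: Local Address must be addresses entered manually, not Any or a named object.
    for entry in plan.local_addresses:
        if entry.strip().lower() == "any":
            problems.append("Local Address must not be Any")
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"Local Address {entry!r} is not an address/subnet (named object?)")

    return problems


if __name__ == "__main__":
    # Constructed sample: a dedicated /24 for the IRAS, disjoint from the two TMS VLANs.
    plan = ModeConfigPlan(
        iras_address="10.99.0.1/24",
        pool_ranges=[("10.99.0.10", "10.99.0.100")],
        tms_vlan_subnets=["192.168.10.0/24", "10.0.0.0/24"],
        local_addresses=["192.168.10.0/24", "10.0.0.0/24"],
    )
    for problem in check_mode_config(plan) or ["plan passes all guidelines"]:
        print(problem)
```

Run the check against the addresses you intend to enter before creating the policy; the same disjoint IRAS subnet is what will appear as a connected route on the irstintXXX interface, and the pool ranges it validates are the ones that need a matching access policy with the IKE mode config zone as source.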