TMS zl Management and Configuration Guide ST.1.2.100916
7-69
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
Table 7-7 lists the necessary access policies; the numbers in the Source and
Destination columns refer to the example figure above.
For the access policies that permit traffic sent over the tunnel, consider setting the TCP MSS to a value lower than the MSS your hosts would otherwise advertise (1460 bytes on a 1500-byte MTU). The remote client knows it is tunneling and adjusts its own MSS; your local devices, which are unaware of the VPN, do not. Without a lower MSS, the ESP and outer IP delivery headers added on encapsulation can push a full-size packet over the MTU, so it is fragmented or, if DF is set, dropped. The TCP MSS column of Table 7-7 suggests a conservative value (1356) when the MTU is 1500. For more information on the TCP MSS, see the introduction to “Firewall Access Policies” on page 4-22 of Chapter 4: “Firewall.”
Note The value for TCP MSS in the table is only a suggestion. You should determine
the best MSS for your environment.
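The following worked example is added to this page and is not part of the HP TMS zl guide. It shows two things the paragraph above only states: where the conservative MSS comes from (the largest TCP payload that still fits a 1500-byte MTU once ESP tunnel-mode and NAT-T headers are added, with worst-case cipher padding), and what a firewall does when an access policy carries a TCP MSS value: it rewrites the MSS option in TCP SYN segments and fixes the TCP checksum, so hosts that are unaware of the VPN negotiate a smaller segment size. The IP addresses, ports and tunnel parameters (AES-CBC, HMAC-SHA1-96, NAT-T) are constructed assumptions for the example, not vendor defaults.

```python
import struct

# Constructed addresses for the example (not from the guide): a local host and a remote client.
SRC = bytes([10, 1, 0, 10])
DST = bytes([192, 0, 2, 77])

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8      # ESP header: SPI + sequence number
ESP_TRAILER = 2      # pad length + next header
NAT_T_UDP = 8        # UDP header added by NAT traversal (UDP/4500)


def safe_mss(mtu=1500, iv_len=16, block=16, icv_len=12, nat_t=True):
    """Largest TCP payload whose ESP tunnel-mode packet still fits the outer MTU.

    Assumes IPv4 inside and out, a CBC cipher with a 16-byte IV and block (AES-CBC)
    and a 12-byte ICV (HMAC-SHA1-96); worst-case padding is block - 1 bytes.
    """
    fixed = IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_SPI_SEQ + iv_len + ESP_TRAILER + icv_len
    worst_pad = block - 1
    return mtu - fixed - worst_pad - IPV4_HDR - TCP_HDR


def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over the IPv4 pseudo-header and the segment.

    Called on a segment whose checksum field is already filled in, it returns 0 if it verifies.
    """
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_port, dst_port, mss):
    """Constructed SYN segment: 20-byte header plus a 4-byte MSS option (data offset 6)."""
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 6 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", 2, 4, mss))
    seg[16:18] = struct.pack("!H", tcp_checksum(SRC, DST, bytes(seg)))
    return bytes(seg)


def _options(segment):
    """Yield (offset, kind, length) for each TCP option in the header."""
    data_off = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < data_off:
        kind = segment[i]
        if kind == 0:                      # end of option list
            return
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= data_off or segment[i + 1] < 2:
            return                         # malformed option: stop rather than loop forever
        length = segment[i + 1]
        yield i, kind, length
        i += length


def mss_of(segment):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    for off, kind, length in _options(segment):
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None


def clamp_mss(src, dst, segment, max_mss):
    """What an MSS-clamping firewall does: lower the MSS option on a SYN and fix the checksum."""
    seg = bytearray(segment)
    if not seg[13] & 0x02:                 # not a SYN: MSS is only negotiated on SYN/SYN-ACK
        return bytes(seg)
    changed = False
    for off, kind, length in _options(seg):
        if kind == 2 and length == 4 and struct.unpack("!H", seg[off + 2:off + 4])[0] > max_mss:
            seg[off + 2:off + 4] = struct.pack("!H", max_mss)
            changed = True
    if changed:
        seg[16:18] = b"\x00\x00"
        seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    print("safe MSS, AES-CBC/HMAC-SHA1-96 with NAT-T, MTU 1500:", safe_mss())
    print("safe MSS with a 16-byte ICV (HMAC-SHA256-128):", safe_mss(icv_len=16))
    syn = build_syn(40000, 443, 1460)
    clamped = clamp_mss(SRC, DST, syn, 1356)
    print("MSS before/after clamping:", mss_of(syn), mss_of(clamped))
    print("checksum verifies after rewrite:", tcp_checksum(SRC, DST, clamped) == 0)
```

With these assumptions the computed ceiling is 1379 bytes (1375 with a 16-byte ICV), so the table's 1356 leaves some margin for other overhead such as TCP options or a larger IV; run safe_mss() with your own cipher, integrity and NAT-T settings before choosing a value. Because the firewall only touches SYN segments, hosts on both sides negotiate the lower value at connection setup and never need to learn that a tunnel exists.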
Table 7-7. Checklist for Access Policies for an IPsec Client-to-Site VPN

When                                  | Required User Group          | From Zone       | To Zone         | Service        | Source   | Destination | TCP MSS | Number of policies
--------------------------------------|------------------------------|-----------------|-----------------|----------------|----------|-------------|---------|----------------------
Always                                | None                         | Remote          | SELF            | IKE (isakmp)   | 3 or Any | 1           | —       | 1
Always                                | None                         | SELF            | Remote          | IKE (isakmp)   | 1        | 3 or Any    | —       | 1
With IKE mode config                  | XAUTH user groups, or None   | IKE mode config | Local           | Any you choose | 4        | 2           | 1356    | As many as you choose
With IKE mode config, and local       | None (or local user groups)  | Local           | IKE mode config | Any you choose | 2        | 4           | 1356    | As many as you choose
endpoints initiate sessions with      |                              |                 |                 |                |          |             |         |
remote                                |                              |                 |                 |                |          |             |         |