TMS zl Management and Configuration Guide ST.1.2.100916

7-354
Configure Bypass and Deny IPsec Policies
Bypass and Deny IPsec policies allow the TMS zl Module to select a subset of
the traffic in a VPN for different handling.
Bypass Policies
The TMS zl Module forwards traffic that matches Bypass policies but it does
not secure it with an IPsec SA. By default, the module has a Bypass policy that
selects all traffic, allowing non-VPN traffic that the firewall permits to reach
its destination. You might create additional Bypass policies for several reasons:
- To allow management traffic to reach the TMS zl Module when its management IP address is selected by an Apply IPsec policy
- To prevent the TMS zl Module from attempting to encrypt IKE traffic (UDP port 500)
  Encrypting IKE traffic is only a problem if the local or remote gateway address is selected by an Apply IPsec policy (not typical).
- To exclude from a secure VPN tunnel a subset of IP addresses within a larger set of IP addresses allowed on the tunnel
Take care to position your policies correctly. If the Bypass policy selects a
subset of the traffic selected by an Apply policy, the Bypass policy’s position
should be higher in the list (a lower position value). Similarly, if the Apply
policy selects a subset of the traffic selected by a Bypass policy, the Apply
policy’s position should be higher (a lower value). For example, the default
Bypass policy that selects all traffic should always have the last position.
Deny Policies
The TMS zl Module drops traffic that matches Deny policies. Note that
because the firewall applies access policies to the traffic first, you only need
to create Deny policies for traffic that you want to exclude that is nevertheless
permitted by the firewall.
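The ordering rule above (a policy that selects a subset of another policy's traffic must sit above the broader one, and the default Bypass-all policy last) follows from first-match evaluation: the module applies the action of the first policy whose selectors match the packet. The following is an added example, not code from the TMS zl guide or from HP. It simulates that evaluation over a constructed policy list with Bypass, Apply and Deny actions and flags policies that an earlier, broader policy with a different action shadows. All policy names, addresses and ports are hypothetical, and the model simplifies selectors to a single traffic direction.

```python
"""Ordered, first-match evaluation of IPsec policies.

Added example, not code from the TMS zl guide or from HP: it models the
ordering rule (a policy that selects a subset of another policy's traffic
must sit above the broader one) as a small simulator. Policy names,
addresses and ports are constructed for illustration, and selectors are
treated as one-directional for simplicity.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                   # "apply" (protect with an IPsec SA), "bypass" or "deny"
    src: str                      # source selector as CIDR
    dst: str                      # destination selector as CIDR
    proto: str = "any"            # "any", "tcp", "udp", ...
    dport: Optional[int] = None   # destination port; None selects every port

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        """True if a single packet falls inside this policy's selectors."""
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Policy") -> bool:
        """True if every packet selected by `other` is also selected by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


def evaluate(policies: List[Policy], src_ip: str, dst_ip: str,
             proto: str = "tcp", dport: int = 0) -> Tuple[Optional[str], Optional[str]]:
    """Walk the list from position 1 downward; the first match decides."""
    for policy in policies:
        if policy.matches(src_ip, dst_ip, proto, dport):
            return policy.action, policy.name
    return None, None   # unreachable while a Bypass-all policy sits last


def shadowed(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (shadowed, shadowing) name pairs: a policy wholly covered by an
    earlier policy with a different action can never match and is misordered."""
    problems = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.action != later.action and earlier.covers(later):
                problems.append((later.name, earlier.name))
    return problems


# Constructed scenario: local site 10.1.0.0/16, remote site 10.2.0.0/16,
# module management address 10.1.0.1 (all hypothetical values).
POLICIES_CORRECT = [
    Policy("bypass-mgmt", "bypass", "10.1.0.1/32", "10.2.0.0/16"),        # subset of the Apply policy: above it
    Policy("bypass-ike", "bypass", "0.0.0.0/0", "0.0.0.0/0", "udp", 500),  # keep IKE itself out of the tunnel
    Policy("deny-guest", "deny", "10.1.99.0/24", "10.2.0.0/16"),          # subset of the Apply policy: above it
    Policy("apply-site-vpn", "apply", "10.1.0.0/16", "10.2.0.0/16"),
    Policy("bypass-all", "bypass", "0.0.0.0/0", "0.0.0.0/0"),              # default Bypass policy: always last
]

# The same policies with the Apply policy moved above its Bypass/Deny subsets.
POLICIES_WRONG = [POLICIES_CORRECT[3]] + POLICIES_CORRECT[:3] + [POLICIES_CORRECT[4]]

if __name__ == "__main__":
    for label, plist in (("correct", POLICIES_CORRECT), ("wrong", POLICIES_WRONG)):
        print(label, evaluate(plist, "10.1.0.1", "10.2.7.7", "tcp", 443), shadowed(plist))
```

With the correct order, management traffic from 10.1.0.1 and the guest subnet are handled by their Bypass and Deny policies before the Apply policy is consulted, and anything outside the tunnel's selectors falls through to the Bypass-all policy at the end. With the Apply policy moved to the top, `shadowed()` reports both subset policies as unreachable, which is exactly the misconfiguration the positioning rule prevents.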