<< Create IPsec Policy (4 of 4)

Create Static Routes >>

 

Example 2: IPsec VPN, Client-to-Site

Create Firewall Access Policies for the VPN Traffic

 

Now you can create firewall access policies to permit the VPN traffic between the VPN clients and the internal network. Remember that the VPN clients will initiate the VPN tunnel using IKEv1 key negotiation from their public addresses; then, once they have established an SA, they will use the IKE mode config addresses to access internal resources.

TMS zl Module

HP ProCurve VPN Client

  1. Select Firewall > Access Policies > Unicast.

  2. Click Add a Policy.

  3. Permit IKE messages from the remote endpoints.

     1. For Action, accept the default: Permit Traffic.
     2. For From, select EXTERNAL.
     3. For To, select SELF.
     4. For Service, select isakmp.
     5. For Source, select remoteENDS.
     6. For Destination, select localVPNGate.
     7. Select the Enable logging on this Policy check box.

        Because policy logging is processor-intensive, it is not recommended that you enable logging permanently. Use policy logging for troubleshooting and testing only.

     8. Click Apply.

  4. Permit IKE messages to the remote endpoints.

     1. For Action, accept the default: Permit Traffic.
     2. For From, select SELF.
     3. For To, select EXTERNAL.
     4. For Service, select isakmp.
     5. For Source, select localVPNGate.
     6. For Destination, select remoteENDS.
     7. Click Apply.

  5. Permit traffic from the local endpoints to the remote endpoints' IKE mode config addresses:

     1. For Action, accept the default: Permit Traffic.
     2. For From, select INTERNAL.
     3. For To, select ZONE3.
     4. For Service, select Any Service.
     5. For Source, select localENDS.
     6. For Destination, select IKEmodeIPs.
     7. Click Apply.

  6. Permit traffic from the remote endpoints' IKE mode config addresses to the local endpoints:

     1. For Action, accept the default: Permit Traffic.
     2. For From, select ZONE3.
     3. For To, select INTERNAL.
     4. For Service, select Any Service.
     5. For Source, select IKEmodeIPs.
     6. For Destination, select localENDS.
     7. Click Apply.
     8. Click Close.

This example assumes that the Windows firewall on the client has been disabled.
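The four policies above, modelled as a rule table so you can check which flows they admit and which they leave out. This is an added example, not code from the guide; the address values are constructed placeholders, and reading isakmp as UDP port 500 and dropping unmatched traffic are assumptions.

```python
import ipaddress

# Address objects named in the procedure; the values are constructed placeholders.
ADDR = {
    "remoteENDS":   "198.51.100.0/24",  # VPN clients' public addresses
    "localVPNGate": "203.0.113.1/32",   # module's VPN gateway address
    "localENDS":    "10.1.0.0/16",      # internal endpoints
    "IKEmodeIPs":   "10.99.0.0/24",     # addresses assigned by IKE mode config
}
# Assumption: the isakmp service object means UDP port 500.
SERVICES = {"isakmp": ("udp", 500), "Any Service": None}

# (from zone, to zone, service, source, destination), in procedure order.
POLICIES = [
    ("EXTERNAL", "SELF", "isakmp", "remoteENDS", "localVPNGate"),
    ("SELF", "EXTERNAL", "isakmp", "localVPNGate", "remoteENDS"),
    ("INTERNAL", "ZONE3", "Any Service", "localENDS", "IKEmodeIPs"),
    ("ZONE3", "INTERNAL", "Any Service", "IKEmodeIPs", "localENDS"),
]

# Constructed sample flows: (from zone, to zone, protocol, dest port, src, dst).
FLOWS = {
    "ike_in": ("EXTERNAL", "SELF", "udp", 500, "198.51.100.7", "203.0.113.1"),
    "ike_out": ("SELF", "EXTERNAL", "udp", 500, "203.0.113.1", "198.51.100.7"),
    "client_to_internal": ("ZONE3", "INTERNAL", "tcp", 443, "10.99.0.5", "10.1.2.3"),
    "internal_to_client": ("INTERNAL", "ZONE3", "tcp", 445, "10.1.2.3", "10.99.0.5"),
    "public_to_internal": ("EXTERNAL", "INTERNAL", "tcp", 443, "198.51.100.7", "10.1.2.3"),
    "ssh_to_gateway": ("EXTERNAL", "SELF", "tcp", 22, "198.51.100.7", "203.0.113.1"),
}

def _in(ip, obj):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ADDR[obj])

def match(from_zone, to_zone, proto, dport, src, dst):
    """Return the 1-based number of the permitting policy, or None if unmatched."""
    for i, (fz, tz, service, s_obj, d_obj) in enumerate(POLICIES, start=1):
        svc = SERVICES[service]
        if ((fz, tz) == (from_zone, to_zone)
                and (svc is None or svc == (proto, dport))
                and _in(src, s_obj) and _in(dst, d_obj)):
            return i
    return None

def audit(flows=FLOWS):
    """Map each labelled flow to its matching policy number, or None."""
    return {name: match(*flow) for name, flow in flows.items()}

if __name__ == "__main__":
    for name, hit in audit().items():
        print(f"{name:20} -> {'policy %d' % hit if hit else 'no match'}")
```

The two unmatched flows show the point of the two-phase addressing: a client's public address reaches only the gateway's IKE service, and internal resources are reachable only from an IKE mode config address.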
