IPSec Configuration

STEP A In the Tunnel Setup, check Enable IPSec Tunnel connections.

STEP B In the Local Networks table, select the source IP addresses from which the originating device allows VPN traffic to be routed to the peer VPN Firewall, for the specific security association. This applies only to IPSec tunnel mode connections.

To use specific IP addresses for routing, select IP Address group, IP Subnet, or IP Range. Then, configure the value(s) for the selected field.

If you have configured the remote (peer) device to use the tunnel as the default route (overriding the default gateway), select Peer uses tunnel as default route.

To use DHCP Relay over VPN, select Local addresses assigned by DHCP through this tunnel.

STEP C In the Remote Networks table, select the destination IP addresses that the terminating X family or network device allows to route VPN traffic to the local VPN firewall, for the specific security association.

To use specific IP Addresses for routing, select IP Address, IP Subnet, or IP Range. Then, configure the value(s) for the selected field.

To override the default gateway, select Use Tunnel as default route. Only one SA may be configured with this option.

To use DHCP Relay over VPN, select Remote addresses assigned by DHCP through this tunnel.

STEP 4 Click Save/Create to save the configuration.

Click Cancel to return to the IPSec Summary without saving the changes.

Edit the Default SA for Site-to-Site VPN Connections

STEP 1 From the LSM menu, select VPN > IPSec Status. Then, select the IPSec Configuration tab. The VPN - IP Security/IKE page displays.

STEP 2 On the IPSec Configuration page, in the IP Security Associations table, click the Pencil icon for the Default SA entry.

STEP 3 On the Edit IP Security Association page, in the IP Security Association Setup table, check Enable Security Association to enable the Default SA.

STEP 4 For IKE Setup, select the IKE Proposal from the drop-down list of proposals currently configured.

STEP 5 If you have selected an IKE Proposal with pre-shared key (PSK), type the Shared Secret. If you have selected a proposal with X.509 Certificates, type the certificate key.

The same pre-shared key or X.509 Certificate and key must be available on any remote device using this IKE proposal to establish a VPN connection.

STEP 6 For IPSec Tunnel Setup, check Enable IPSec Tunnel connections if you want to use the Default SA as the tunnel mode for terminating the site-to-site connection:

All devices within the termination zone have unrestricted access to the VPN. Traffic received over the VPN has unrestricted access to all devices within the termination zone. Firewall rules must be configured to access other zones.

STEP 7 Click Save to save the configuration.

X Family LSM User’s Guide V 2.5.1

197