Permitting Local And Remote Networks - HP 7102dl - ProCurve Secure Router Configuration Manual

Procurve secure router 7000dl series - advanced management and configuration guide

Virtual Private Networks
Configuring a VPN Using IPSec

Permitting Local and Remote Networks

You will need to add a permit statement specifying each local network allowed
to access the VPN tunnel as the source IP address. The destination depends
on the type of VPN.
Note
The IP addresses selected by the ACL must match the peer's configuration
exactly. For example, if the peer's configuration specifies that remote network
192.168.3.0 /24 is part of the VPN, but not remote network 192.168.4.0 /24, you
must permit only 192.168.3.0 /24 as a valid destination.
Site-to-Site Configuration. The destination is the remote network or networks
that participate in the VPN. The source is the local VPN network or networks.
You permit traffic to and from a network with this command:
Syntax: permit ip [any | host <source A.B.C.D> | hostname <source hostname> |
<source A.B.C.D> <wildcard bits>] [any | host <destination A.B.C.D> | hostname
<destination hostname> | <destination A.B.C.D> <wildcard bits>]
Wildcard bits allow you to select an entire subnet or range of subnets in one
entry. However, if the remote gateway device connects to more than one
non-contiguous subnet, you must enter separate permit statements to allow traffic
from every local subnet to every remote subnet included in the VPN.
Wildcard bits operate on reverse logic from subnet masks. A one indicates that
the router is to ignore the bit and zero indicates that the router is to check it.
For example, the wildcard bits in the following entry allow you to select an
entire class C network for the source and for the destination of VPN traffic:
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
You can also select a range of subnets. For example, an organization has
divided the network 10.1.0.0 /16 into /24 subnets. Each site includes 16 /24
subnets, which means that, considered as a whole, the site is a /20 network.
That is, Site A includes subnets 10.1.0.0 /24 through 10.1.15.0 /24, which can
be summarized as 10.1.0.0 /20. Site B includes subnets 10.1.16.0 /24 through
10.1.31.0 /24, which can be summarized as 10.1.16.0 /20. (Every time you
double the number of subnets, you decrease the prefix length by one.)
A quick rule of thumb for specifying a range of /24 subnets such as these is
that the number in the third octet of the wildcard bits plus one gives the
number of /24 subnets in the range.
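The wildcard logic and subnet summarization described above, worked through as an added example (not part of the manual and not ProCurve code): it inverts a subnet mask into wildcard bits, checks which addresses an entry selects, summarizes the Site A and Site B /24 ranges into /20 entries, and expands non-contiguous sites into one permit statement per local/remote pair. The network ranges are the manual's; the helper names are this example's own.

```python
import ipaddress
from itertools import product


def wildcard_bits(network: str) -> str:
    """Return 'A.B.C.D W.X.Y.Z' for a CIDR network: wildcard bits are the inverted mask."""
    net = ipaddress.IPv4Network(network)
    inverted = int(net.netmask) ^ 0xFFFFFFFF
    return f"{net.network_address} {ipaddress.IPv4Address(inverted)}"


def selected_by(addr: str, network: str, wildcard: str) -> bool:
    """ACL match: a 1 bit in the wildcard is ignored, a 0 bit must equal the network bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def summarize(subnets) -> str:
    """Collapse aligned, consecutive subnets into one summary (16 /24s -> one /20).

    Raises ValueError when the subnets are not contiguous, i.e. when the site
    needs more than one permit entry instead of a single wildcard range.
    """
    nets = list(ipaddress.collapse_addresses(ipaddress.IPv4Network(s) for s in subnets))
    if len(nets) != 1:
        raise ValueError(f"range is not contiguous/aligned; it needs {len(nets)} separate entries")
    return str(nets[0])


def permit_lines(local_nets, remote_nets):
    """Site-to-site ACL: one permit per (local, remote) pair, as required for non-contiguous subnets."""
    return [f"permit ip {wildcard_bits(local)} {wildcard_bits(remote)}"
            for local, remote in product(local_nets, remote_nets)]


def subnets_in_range(wildcard: str) -> int:
    """Rule of thumb from the manual: third octet of the wildcard bits plus one = number of /24s."""
    return int(wildcard.split(".")[2]) + 1


if __name__ == "__main__":
    site_a = summarize([f"10.1.{i}.0/24" for i in range(0, 16)])   # 10.1.0.0/20
    site_b = summarize([f"10.1.{i}.0/24" for i in range(16, 32)])  # 10.1.16.0/20
    for line in permit_lines([site_a], [site_b]):
        print(line)  # permit ip 10.1.0.0 0.0.15.255 10.1.16.0 0.0.15.255
```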
10-37

This manual is also suitable for: ProCurve Secure Router 7203dl (J8753A)