Example Configuration - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

Virtual Private Networks
Configuring a VPN Using IPSec

Example Configuration

Figure 8-7 illustrates a VPN between two remote sites, each of which includes
two LANs. At Site B, only one LAN is allowed in the VPN. At Site A, independent
on-site contractors have been assigned addresses in VLAN 99—192.168.2.192
to 192.168.2.223. These contractors are not authorized to connect to Site B.

[Figure 8-7. Configuring an ACL for VPN Traffic. The diagram shows Site A and Site B, each with LAN1 and LAN2, connected across the Internet through routers 10.10.10.1 and 10.10.10.2. Labeled networks: 192.168.1.0/24, 192.168.2.0/24, 192.168.4.0/24, 192.168.5.0/24, and VLAN99 192.168.2.192/27.]

Enter the following commands to define traffic on Router A permitted to
access the VPN tunnel to Site B:
ProCurve(config)# ip access-list extended VPNTraffic
ProCurve(config-ext-nacl)# deny ip 192.168.2.192 0.0.0.31 any
ProCurve(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
ProCurve(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
ProCurve(config)# crypto map VPN 10 ipsec-ike
ProCurve(config-crypto-map)# match address VPNTraffic

Enabling Router Traffic to Servers at a Remote VPN Site

The ProCurve Secure Router can send traffic to a server on its own behalf.
For example, it can download a file from a TFTP server at a remote VPN site.
Typically, a router takes the source addresses for the packets that it sends to
a server from the IP address of the interface used to reach that server. In our
example, packets that the ProCurve Secure Router sends to the TFTP server

This manual is also suitable for: ProCurve Secure Router 7102 dl
