TMS zl Management and Configuration Guide ST.1.0.090213
D-84
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
lated and encrypted. It processes incoming VPN traffic after it has been
decapsulated and decrypted. In other words, the access policies must
permit the inner IP traffic that is sent over the VPN: they are matched against
the inner packet’s source and destination addresses, protocol, and port, not
against the outer ESP or L2TP packet.
These access policies should be configured for the user group that you
assigned to the users’ dial-in policies.
Note The TMS zl Module automatically accepts IPsec traffic for which it is the
gateway. You only need to create access policies for AH (IP protocol 51) or
ESP (IP protocol 50) traffic when an IPsec VPN is established through the
module to a VPN gateway behind it; in that case the module forwards the
packets rather than terminating them, so they are filtered like any other traffic.
See “Troubleshooting the Firewall” on page D-36 for tips on troubleshooting
firewall access policies.
Keep in mind that access policies must permit any traffic that you want to send
over the tunnel. For example, you will probably want the remote endpoints to
initiate connections with local services. Therefore, you should create an
access policy with the local servers’ zone as the destination zone. The correct
source zone is always EXTERNAL. The correct IP addresses for the remote
endpoints are the virtual addresses that you configured in the users’ dial-in
policies.
If you can do so securely, temporarily configure access policies that allow all
services from the remote endpoints’ virtual addresses to the servers’ zone and
check whether the traffic reaches its destination. Enable logging on these access
policies and check the module’s logs: if the logs show the traffic being
permitted but it still does not arrive, the access policies are not the cause.
Remove or tighten the permissive policies when you are done. It is possible
that access policies permit traffic correctly but there is another problem such as:
■ Another security device is dropping the traffic.
■ The L2TP dial-in user settings are incorrect. The setting for the remote
client’s default gateway (configured in the Step 3 of 3 window) must match
the server IP address (configured in the Step 1 of 3 window).
■ The remote client’s DNS server IP address might be misconfigured.
Once you get traffic flowing across the tunnel, you can experiment with more
restrictive access policies.
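The following is an added example, not configuration or code from the TMS zl Module or this guide. It models the two rules described above (policies are matched against the inner, decapsulated packet, and IPsec that only transits the module needs its own AH/ESP policy) and the diagnostic step of a permit-all policy with logging, so that the common mistake of writing the policy against the client’s real Internet address instead of its virtual dial-in address can be seen failing. All addresses, zone names, and policy values are constructed for illustration; the policy model (first match, default deny) is an assumption, not the module’s documented evaluation order.

```python
"""Model of firewall access-policy evaluation for L2TP/IPsec VPN traffic.
Added example; addresses and zone layout are hypothetical (RFC 5737 ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "esp" or "ah"
    dport: Optional[int] = None
    payload: Optional["Packet"] = None   # inner IP packet carried by an ESP/AH packet


@dataclass(frozen=True)
class AccessPolicy:
    action: str                     # "permit" or "deny"
    src_zone: str
    dst_zone: str
    src_nets: Tuple[str, ...]       # networks the source address must fall in
    services: Tuple[str, ...]       # ("any",) or entries such as "tcp/443", "esp"
    log: bool = False


# Constructed zone layout: one interior zone with local servers; any address
# not inside an interior zone (including the VPN virtual address pool) is EXTERNAL.
INTERIOR_ZONES = {"INTERNAL": (ip_network("192.168.10.0/24"),)}
# Hypothetical address on which the module itself terminates IPsec.
MODULE_ADDRESSES = {ip_address("203.0.113.1")}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    for zone, nets in INTERIOR_ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "EXTERNAL"


def service_matches(policy: AccessPolicy, pkt: Packet) -> bool:
    if "any" in policy.services:
        return True
    return f"{pkt.proto}/{pkt.dport}" in policy.services or pkt.proto in policy.services


def policy_matches(policy: AccessPolicy, pkt: Packet) -> bool:
    return (policy.src_zone == zone_of(pkt.src)
            and policy.dst_zone == zone_of(pkt.dst)
            and any(ip_address(pkt.src) in ip_network(n) for n in policy.src_nets)
            and service_matches(policy, pkt))


def evaluate(policies: List[AccessPolicy], pkt: Packet, log: List[str]):
    """First-match evaluation with an implicit deny (assumed model). Writes a
    log line for policies that have logging enabled, and for the implicit deny,
    so the troubleshooter can see which rule the inner traffic actually hit."""
    for i, pol in enumerate(policies):
        if policy_matches(pol, pkt):
            if pol.log:
                log.append(f"policy[{i}] {pol.action} {pkt.proto} "
                           f"{pkt.src}->{pkt.dst}:{pkt.dport}")
            return pol.action, i
    log.append(f"implicit deny {pkt.proto} {pkt.src}->{pkt.dst}:{pkt.dport}")
    return "deny", None


def firewall_decision(policies: List[AccessPolicy], outer: Packet, log: List[str]):
    """IPsec terminated on the module is accepted without a policy; the packet
    it carries is then evaluated. ESP/AH that merely transits the module to a
    gateway behind it is evaluated as ordinary traffic and needs its own policy."""
    if outer.proto in ("esp", "ah") and ip_address(outer.dst) in MODULE_ADDRESSES:
        return evaluate(policies, outer.payload, log)
    return evaluate(policies, outer, log)


# Constructed traffic: a remote client at 198.51.100.7 tunnels to the module;
# inside the tunnel its virtual address 10.100.0.5 opens HTTPS to a local server.
INNER = Packet("10.100.0.5", "192.168.10.20", "tcp", 443)
OUTER = Packet("198.51.100.7", "203.0.113.1", "esp", payload=INNER)
# ESP addressed to a VPN gateway behind the module, not to the module itself.
TRANSIT = Packet("198.51.100.7", "192.168.10.2", "esp")

# The mistake: matching on the client's real Internet address.
WRONG = [AccessPolicy("permit", "EXTERNAL", "INTERNAL", ("198.51.100.0/24",), ("any",), log=True)]
# Correct: source zone EXTERNAL, source addresses = the dial-in virtual address pool.
RIGHT = [AccessPolicy("permit", "EXTERNAL", "INTERNAL", ("10.100.0.0/24",), ("tcp/443",), log=True)]
# Diagnostic step: permit all services from the pool, with logging, then tighten.
DIAG = [AccessPolicy("permit", "EXTERNAL", "INTERNAL", ("10.100.0.0/24",), ("any",), log=True)]
# Policy needed only for the transit case: ESP to the gateway behind the module.
TRANSIT_POLICY = [AccessPolicy("permit", "EXTERNAL", "INTERNAL", ("198.51.100.0/24",), ("esp",), log=True)]

if __name__ == "__main__":
    for name, pols, pkt in (("wrong", WRONG, OUTER), ("right", RIGHT, OUTER),
                            ("diag", DIAG, OUTER), ("transit", TRANSIT_POLICY, TRANSIT)):
        entries: List[str] = []
        print(name, firewall_decision(pols, pkt, entries), entries)
```

Running the script shows the WRONG policy producing an implicit-deny log line for the inner packet (its source is the virtual address, which is not in the client’s real network), while RIGHT and DIAG permit it; the transit ESP packet is denied until TRANSIT_POLICY is added, matching the Note above about VPN gateways behind the module.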