TMS zl Management and Configuration Guide ST.1.0.090213

7-97
Virtual Private Networks
Layer 2 Tunneling Protocol (L2TP) over IPsec
2. Create an IKE policy for remote access (client-to-site).
Only one IKE policy can specify the client-to-site type, main mode, and
preshared keys. Often you must configure a policy that is valid for all of
your remote clients.
See “Create an IKE Policy for a Client-to-Site IPsec VPN” on page 7-31 and
follow these guidelines:
- IKE Policy Type = Client-to-Site (Responder)
- Local Gateway = The module IP address or VLAN interface that the remote VPN client can reach (typically, an address on a VLAN in the External zone)
- Local ID Type = Any type that you choose
  If you use digital certificates for authentication, you must select Distinguished Name or a type for which the certificate has a subject alternate name.
- Local ID Value = Any valid ID
  If you use digital certificates, you must match the value to the value specified in the certificate.
- Table 7-6 displays valid remote ID types and values.

Table 7-6. Valid Remote IDs for an L2TP over IPsec VPN to Windows Clients

Remote ID Type      | Remote ID Value for Preshared Key     | Remote ID Value for Digital Certificate
--------------------|---------------------------------------|----------------------------------------
IP Address          | 0.0.0.0                               | Matches subject alternate name
Domain Name         | <domainname> (example: procurve.com)  | Matches subject alternate name
Email               | *                                     | Matches subject alternate name
Distinguished Name  | *                                     | Matches subject name

- Key Exchange Mode = Main
- Authentication Method = Any method you desire (match the method on the client)
- For Security Parameters Proposal settings, you have several options. By default, a Windows XP client sends five IKE security proposals, four of which are compatible with the TMS zl Module. See Table 7-7 for a list of these proposals so that you can match one of these proposals in the IKE policy. (Windows 2000 clients do not support proposal 1, and Windows Vista clients only support proposal 1.)
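The remote ID matching that Table 7-6 describes, as an added Python illustration that is not the module's own code: a responder-side check of the identity a client sends against the policy's Remote ID Type and Remote ID Value. It assumes that, with preshared keys, a value of * or 0.0.0.0 accepts any ID of that type (Windows clients arrive from dynamic addresses), and it models the client certificate as a plain dictionary rather than a real X.509 object.

```python
import ipaddress

# Remote ID types from Table 7-6 (IKE phase-1 identity types).
ID_IP, ID_FQDN, ID_EMAIL, ID_DN = "IP Address", "Domain Name", "Email", "Distinguished Name"

def _cert_binds(cert, id_type, value):
    """True when the client's certificate carries `value` in the field Table 7-6
    names: the subject name for a Distinguished Name, the subject alternate name
    for every other type. `cert` is a constructed dict, not a real X.509 object."""
    if id_type == ID_DN:
        return cert["subject"] == value
    return value in cert["san"].get(id_type, ())

def remote_id_accepted(policy, peer_id_type, peer_id_value, cert=None):
    """Responder-side check of the ID a client sends against the policy's
    Remote ID settings. policy = {"remote_id_type", "remote_id_value",
    "auth": "psk" | "cert"}. Assumption: for preshared keys, "*" and 0.0.0.0
    mean "any value of this type", so the ID adds nothing to authentication
    and the preshared key is the whole credential."""
    if peer_id_type != policy["remote_id_type"]:
        return False
    if policy["auth"] == "psk":
        expected = policy["remote_id_value"]
        if peer_id_type == ID_IP:
            return (expected == "0.0.0.0"
                    or ipaddress.ip_address(peer_id_value) == ipaddress.ip_address(expected))
        if expected == "*":
            return True
        return peer_id_value.lower() == expected.lower()
    # Digital certificates: the ID is accepted only when the certificate binds it,
    # so a wildcard policy value still does not let an unbound ID through.
    return cert is not None and _cert_binds(cert, peer_id_type, peer_id_value)

# Constructed sample data, not taken from the guide.
PSK_POLICY = {"remote_id_type": ID_IP, "remote_id_value": "0.0.0.0", "auth": "psk"}
CERT_POLICY = {"remote_id_type": ID_DN, "remote_id_value": "*", "auth": "cert"}
CLIENT_CERT = {"subject": "CN=laptop1,O=Example", "san": {ID_EMAIL: ["vpn@example.com"]}}

if __name__ == "__main__":
    print(remote_id_accepted(PSK_POLICY, ID_IP, "203.0.113.7"))                          # True
    print(remote_id_accepted(CERT_POLICY, ID_DN, "CN=laptop1,O=Example", CLIENT_CERT))   # True
    print(remote_id_accepted(CERT_POLICY, ID_DN, "CN=other,O=Example", CLIENT_CERT))     # False
```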