TMS zl Management and Configuration Guide ST.1.0.090213
Overview
Virtual Private Network (VPN)
L2TP tunnels data, but it does not secure it. With L2TP over IPsec, the L2TP
session is encapsulated and secured by IPsec.
See “Layer 2 Tunneling Protocol (L2TP) over IPsec” in Chapter 7: “Virtual
Private Networks.”
GRE
GRE is a tunneling protocol that establishes a virtual point-to-point connection
between two devices across an intervening network. GRE packets are carried
directly in IP (IP protocol number 47), and the protocol type field in the GRE
header uses the same values as Ethernet, so a GRE tunnel can carry any
protocol that Ethernet can encapsulate. When the TMS zl Module selects
traffic for the GRE tunnel, it prepends a GRE header and a new (outer) IP
header to each packet. The outer IP header carries the local tunnel endpoint
as its source address and the remote tunnel endpoint as its destination
address, so the intervening network routes the packet to the far gateway.
Because a GRE tunnel by itself provides no confidentiality, no integrity
protection, and no authentication of the peer (the inner packet travels as
plaintext behind the outer IP header), configure GRE over IPsec for traffic
that requires data integrity or data privacy.
The TMS zl Module supports both plain GRE and GRE over IPsec.
See “Generic Routing Encapsulation (GRE)” in Chapter 7: “Virtual Private
Networks.”
VPN Use Models
The TMS zl Module supports both site-to-site VPNs and client-to-site VPNs.
Site-to-Site VPNs
A site-to-site VPN is a tunnel between two gateway devices, such as TMS zl
Modules, routers with VPN capabilities, Unified Threat Management (UTM)
devices, or standalone VPN devices. The TMS zl Module can establish a VPN
with any gateway that implements IPsec with IKE v1; the peer does not have
to be another TMS zl Module.
The two gateways secure traffic and forward it over the tunnel on behalf of
the endpoints that are behind each gateway. The traffic is only protected
between the two gateways, not between an endpoint and its own gateway.
Most commonly, a site-to-site VPN connects two sites (such as a main office
and a branch office) through a public, untrusted network such as the Internet.
The Internal zone traffic at each site is assumed not to require encryption.
The TMS zl Module supports a hub-and-spoke topology, in which VPN gateways
at multiple sites each connect to a hub gateway at a central site.