TMS zl Management and Configuration Guide ST.1.1.100226
7-136
Virtual Private Networks
Configure an IPsec Site-to-Site VPN with Manual Keying
Create Access Policies for an IPsec Site-to-Site VPN with Manual Keying
Before you begin configuring firewall access policies, determine the zone on
which traffic from the remote tunnel gateway arrives. Typically, this is the
External zone, but it could be another zone. The instructions below will refer
to this zone as the “remote zone.”
You should also determine the zone for local endpoints allowed on the VPN.
This might be the Internal zone or another zone. The instructions below will
refer to this zone as the “local zone.” If multiple zones are allowed to access
the VPN, you must create policies for each of these zones.
Figure 7-117 shows these zones in the example figure for IPsec site-to-site
VPNs.
Figure 7-117. Example IPsec Site-to-Site VPN (with Zones)
Table 7-12 lists the necessary access policies; the numbers in the Source and
Destination columns refer to the example figure above. (Note that these
policies are typically configured in the None user group. However, if local users
log in to the module, then the policies that use the local zone as the source
zone must be configured for the appropriate user groups.)
For access policies that permit the traffic sent over the tunnel, you should
consider setting the TCP MSS to a value lower than the typical MSS used in
your system. Otherwise, the addition of the IPsec and IP delivery headers
might make the packets too large to be transmitted. Table 7-12 suggests a
conservative value for the TCP MSS when the MTU is 1500. For more information
on the TCP MSS, see the introduction to “Firewall Access Policies” on
page 4-22 of Chapter 4: “Firewall.”
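The paragraph above explains why the MSS must shrink once ESP tunnel-mode headers are added, but Table 7-12 is not reproduced here. The following is an added worked example (not part of this guide, and not TMS zl code) that computes the largest TCP payload that still fits a given MTU after ESP tunnel-mode encapsulation. The cipher block sizes, IV lengths and ICV lengths are assumed typical values for the named algorithms, the headers are assumed to be option-free IPv4, and the suggested value in Table 7-12 may differ from these results.

```python
"""Bound the TCP MSS for traffic that will be carried in an IPsec ESP tunnel.

Added example; the per-algorithm sizes below are assumptions about common
ESP transforms, not values taken from the TMS zl guide.
"""
import math

IPV4_HEADER = 20   # outer and inner IPv4 header, no options
TCP_HEADER = 20    # TCP header, no options
ESP_HEADER = 8     # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)
UDP_HEADER = 8     # only present when NAT traversal (UDP encapsulation) is in use

# Assumed (block size, IV length) per cipher and ICV length per integrity algorithm.
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
INTEGRITY = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_tunnel_packet_size(tcp_payload, cipher="aes-cbc",
                           integrity="hmac-sha1-96", nat_t=False):
    """Size on the wire of one TCP segment after ESP tunnel-mode encapsulation."""
    block, iv = CIPHERS[cipher]
    icv = INTEGRITY[integrity]
    # Everything inside the encrypted region: inner IP + TCP + data + ESP trailer,
    # padded up to the cipher block size.
    plaintext = IPV4_HEADER + TCP_HEADER + tcp_payload + ESP_TRAILER
    encrypted = math.ceil(plaintext / block) * block
    size = IPV4_HEADER + ESP_HEADER + iv + encrypted + icv
    if nat_t:
        size += UDP_HEADER
    return size


def max_tcp_mss(mtu=1500, cipher="aes-cbc", integrity="hmac-sha1-96", nat_t=False):
    """Largest TCP MSS whose encapsulated packet still fits in `mtu` bytes."""
    block, iv = CIPHERS[cipher]
    fixed = IPV4_HEADER + ESP_HEADER + iv + INTEGRITY[integrity]
    if nat_t:
        fixed += UDP_HEADER
    # Largest encrypted region that fits, rounded down to a whole cipher block.
    encrypted_max = (mtu - fixed) // block * block
    return encrypted_max - ESP_TRAILER - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for cipher in CIPHERS:
        for integrity in INTEGRITY:
            for nat_t in (False, True):
                mss = max_tcp_mss(1500, cipher, integrity, nat_t)
                print(f"{cipher:9s} {integrity:16s} nat-t={nat_t!s:5s} "
                      f"max MSS {mss} -> packet {esp_tunnel_packet_size(mss, cipher, integrity, nat_t)} bytes")
```

With a 1500-byte MTU the plain (un-tunnelled) TCP MSS would be 1460 bytes; AES-CBC with HMAC-SHA1-96 brings the ceiling down to 1398 bytes, and enabling NAT traversal lowers it further to 1382. Any MSS at or below the computed figure avoids fragmentation of the tunnelled packet on a path whose MTU is 1500; a setting further below it, like the conservative value the guide points to in Table 7-12, leaves headroom for TCP or IP options that this calculation does not account for.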