TMS zl Management and Configuration Guide ST.1.1.100226
7-249
Virtual Private Networks
Configure a GRE over IPsec VPN with IKE
To learn about creating Bypass and Deny policies, see “Configure Bypass
and Deny IPsec Policies” on page 7-352.
7. For Position, type a number.
The position determines the order in which the TMS zl Module processes
IPsec policies. The module processes the policy with the lowest value first
(for example, position 1 before position 2). The position matters most
when policies have overlapping traffic selectors. In this case, assign the
highest position (lowest value) to the IPsec policy with the most specific
traffic selector.
Note that you can specify a position that is already used by another policy.
The new policy is inserted above the former policy. You can use the arrow
icons in the Tools column in the VPN > IPsec > IPsec Policies window to
rearrange policies. Remember that the policy at the top of the display is
the first policy processed.
A default IPsec policy prevents all traffic from being encrypted by the VPN
engine; therefore, all IPsec policies that you configure must have a higher
priority than this default policy.
Next, you configure the VPN traffic selector, which determines which traffic
will use the VPN tunnel. For a GRE over IPsec VPN, the traffic selector must
specify the GRE traffic between the TMS zl Module and the remote tunnel
endpoint.
Caution: For this policy, you will specify a local TMS zl Module IP address.
Be very careful to specify GRE for the protocol. Otherwise, you might select
management traffic for the VPN and lock yourself out of the Web browser
interface. If you do lock yourself out, reboot the module, but DO NOT SAVE
the configuration.
If your traffic selector will include traffic that is also selected for NAT, you
must create a NAT exclusion policy. See “Exclusion NAT Policies” in
Chapter 5: “Network Address Translation.”
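The position rule and the caution above can be checked offline before a policy list is entered. The following is an added example, not part of the guide or of the TMS zl software: it models lowest-position-first matching, reports policies that a broader policy above them makes unreachable, and flags a selector on the module's own address that is not restricted to GRE. The addresses, position values, policy names and action labels are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

GRE = 47                    # IP protocol number for GRE
MODULE_IP = "198.51.100.1"  # constructed local module address
PEER_IP = "203.0.113.1"     # constructed remote tunnel endpoint

@dataclass
class Policy:
    name: str
    position: int           # lower value = processed first
    action: str             # "apply" / "bypass" / "deny" (labels assumed here)
    local: str              # traffic selector: local network
    remote: str             # traffic selector: remote network
    proto: Optional[int]    # None = any protocol

    def matches(self, src, dst, proto):
        return (ip_address(src) in ip_network(self.local)
                and ip_address(dst) in ip_network(self.remote)
                and self.proto in (None, proto))

    def covers(self, other):
        """True if this selector includes everything `other` selects."""
        return (ip_network(other.local).subnet_of(ip_network(self.local))
                and ip_network(other.remote).subnet_of(ip_network(self.remote))
                and (self.proto is None or self.proto == other.proto))

def first_match(policies, src, dst, proto):
    """Return the policy that wins: the lowest position whose selector matches."""
    for p in sorted(policies, key=lambda p: p.position):
        if p.matches(src, dst, proto):
            return p
    return None

def shadowed(policies):
    """(later, earlier) pairs where the later policy can never be reached."""
    ordered = sorted(policies, key=lambda p: p.position)
    return [(late.name, early.name) for i, late in enumerate(ordered)
            for early in ordered[:i] if early.covers(late)]

def risks_lockout(policy, module_ip=MODULE_IP):
    """An 'apply' selector on the module's own address that is not GRE-only."""
    return (policy.action == "apply" and policy.proto != GRE
            and ip_address(module_ip) in ip_network(policy.local))

GRE_TUNNEL = Policy("gre-tunnel", 1, "apply", MODULE_IP + "/32", PEER_IP + "/32", GRE)
DEFAULT = Policy("default", 100, "bypass", "0.0.0.0/0", "0.0.0.0/0", None)  # models the default policy
BROAD = Policy("broad-bypass", 1, "bypass", "198.51.100.0/24", "0.0.0.0/0", None)
GOOD = [GRE_TUNNEL, DEFAULT]
BAD = [BROAD, Policy("gre-tunnel", 2, "apply", MODULE_IP + "/32", PEER_IP + "/32", GRE), DEFAULT]
```

In the BAD list the broad policy sits above the more specific GRE selector, so GRE traffic to the peer never reaches the tunnel policy; GOOD places the most specific selector at the lowest position value.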
Refer to Figure 7-221 for help configuring the traffic selector.