TMS zl Management and Configuration Guide ST.1.1.100226

7-263
Virtual Private Networks
Configure a GRE over IPsec VPN with IKE
h. For TCP MSS, type the value that you determined is best for your
system. For example, type 1388.
i. Click the Basic tab.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic
somewhere between the gateways), you must create access policies to
allow the NAT-T traffic (UDP port 4500) between the remote gateway and
the module and vice versa:
a. For Action, accept the default: Permit Traffic.
b. For From, select the remote zone.
c. For To, select Self.
d. For Service, select ipsec-nat-t-udp.
e. For Source, specify the remote gateway’s address.
f. For Destination, leave Any Address or specify the local gateway IP
address.
g. Click Apply.
h. For From, select Self.
i. For To, select the remote zone.
j. For Service, select ipsec-nat-t-udp.
k. For Source, leave Any Address or specify the local gateway IP address.
l. For Destination, specify the remote gateway IP address.
m. Click Apply.
10. If you enabled a dynamic routing protocol (RIP or OSPF) on the tunnel,
ensure that access policies permit this traffic between Self and the
tunnel zone. (This is the default setting.)
11. In the Add Policy window, click Close.
12. Click Save.
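The following is an added example, not part of the guide and not TMS zl code: a small zone-based policy evaluator that models the two NAT-T access policies from step 9 and probes them with the flows a practitioner wants to confirm before saving. It assumes first-match evaluation with an implicit deny when nothing matches, maps the ipsec-nat-t-udp service to UDP/4500 (the standard NAT-T port), and uses constructed documentation addresses and a hypothetical zone name Zone1; the helper names nat_t_policies, check_nat_t and evaluate are this example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service names as they appear in the access-policy UI. Only the service
# step 9 needs is listed; NAT-T's port is the standard UDP/4500 (RFC 3948).
# The dictionary itself is an assumption of this example.
SERVICES = {"ipsec-nat-t-udp": ("udp", 4500)}


@dataclass(frozen=True)
class Policy:
    action: str       # "permit" or "deny"
    src_zone: str     # From zone, e.g. "Zone1" or "Self"
    dst_zone: str     # To zone
    service: str      # key of SERVICES, or "any"
    source: str       # IP or CIDR, or "any" (the UI's "Any Address")
    destination: str  # IP or CIDR, or "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_ip: str
    dst_ip: str


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _service_match(spec: str, proto: str, dport: int) -> bool:
    if spec == "any":
        return True
    want_proto, want_port = SERVICES[spec]
    return proto == want_proto and dport == want_port


def evaluate(policies, flow: Flow) -> str:
    """First matching policy decides; no match means the flow is dropped
    (first-match/implicit-deny is an assumption of this model)."""
    for p in policies:
        if (p.src_zone == flow.src_zone and p.dst_zone == flow.dst_zone
                and _service_match(p.service, flow.proto, flow.dport)
                and _addr_match(p.source, flow.src_ip)
                and _addr_match(p.destination, flow.dst_ip)):
            return p.action
    return "deny"


def nat_t_policies(remote_zone: str, remote_gw: str, local_gw: str):
    """The two policies of step 9, with the specific gateway addresses
    filled in (hypothetical helper, not a TMS zl API)."""
    return [
        Policy("permit", remote_zone, "Self", "ipsec-nat-t-udp", remote_gw, local_gw),
        Policy("permit", "Self", remote_zone, "ipsec-nat-t-udp", local_gw, remote_gw),
    ]


def check_nat_t(policies, remote_zone: str, remote_gw: str, local_gw: str) -> dict:
    """Probe the policy set with the flows a practitioner cares about."""
    probes = {
        # NAT-T from the remote gateway to the module, and the reply direction
        "inbound":  Flow(remote_zone, "Self", "udp", 4500, remote_gw, local_gw),
        "outbound": Flow("Self", remote_zone, "udp", 4500, local_gw, remote_gw),
        # Same service from some other host in the remote zone: must not match
        "spoofed_source": Flow(remote_zone, "Self", "udp", 4500, "198.51.100.99", local_gw),
        # IKE's first exchange is UDP/500, which ipsec-nat-t-udp does not cover;
        # that traffic needs its own policy, outside this step
        "ike_udp500": Flow(remote_zone, "Self", "udp", 500, remote_gw, local_gw),
    }
    return {name: evaluate(policies, f) for name, f in probes.items()}


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses, assumed zone name
    pols = nat_t_policies("Zone1", "203.0.113.1", "192.0.2.1")
    for name, verdict in check_nat_t(pols, "Zone1", "203.0.113.1", "192.0.2.1").items():
        print(f"{name:15s} {verdict}")
```

The two probes that must come back "deny" are the point of the check: specifying the remote gateway's address as Source (step 9e) is what keeps any other host in the remote zone from reaching the module on UDP/4500, and the NAT-T service alone does not admit IKE on UDP/500, so that exchange has to be permitted by a policy of its own.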
Multicast Access Policies
If the GRE tunnel will carry multicast traffic, complete this section.
1. Configure an access policy to permit local traffic that is sent across the
tunnel, before it is encapsulated:
a. Click Firewall > Access Policies > Multicast.
b. Click Add Policy.
c. For Action, accept the default: Permit Traffic.
d. For From, select the local zone.
e. For To, select the tunnel zone.