TMS zl Management and Configuration Guide ST.1.1.100430
10-72
Troubleshooting
Troubleshooting the TMS zl Module in Routing Mode
Table 10-10. Match IPsec Security Settings on the Module and Remote Clients

Setting                                     Configuration Location   TMS zl Module Setting                      Remote Client Setting
Encapsulation mode                          IPsec proposal           Tunnel                                     Tunnel
IPsec protocol                              IPsec proposal           Same protocol                              Same protocol
Encryption algorithm                        IPsec proposal           Same encryption algorithm (if any)         Same encryption algorithm (if any)
Authentication algorithm                    IPsec proposal           Same authentication algorithm (if any)     Same authentication algorithm (if any)
PFS enabled                                 IPsec policy             Same setting                               Same setting
Diffie-Hellman group (if PFS is enabled)    IPsec policy             Same group                                 Same group
SA lifetime                                 IPsec policy             Same setting for kilobytes and seconds     Same setting for kilobytes and seconds

Troubleshoot Access Policies for a Client-to-Site IPsec VPN.
If the VPN > Connections > VPN Connections window shows an active IPsec tunnel
but your traffic cannot cross the VPN to its destination, a firewall access policy
is probably to blame. The TMS zl Module firewall processes outgoing VPN
traffic before it is encapsulated and encrypted, and it processes incoming VPN
traffic after it has been decapsulated and decrypted. In other words,
access policies must permit the inner IP traffic that is sent over the VPN.
If you are using XAUTH, these access policies should be configured for the
user group to which the remote users authenticate.

Note: The TMS zl Module automatically accepts IPsec traffic for which it is the
gateway. You only need to create access policies for Authentication Header
(AH) or Encapsulating Security Payload (ESP) traffic when an IPsec VPN is
established through the module to a VPN gateway behind it.

See “Troubleshooting the Firewall” on page 10-39 for tips on troubleshooting
firewall access policies.
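The ordering described above, where AH/ESP addressed to the module itself is accepted automatically and the access policies are then applied to the decapsulated inner packet (while a tunnel transiting to a gateway behind the module needs an explicit AH/ESP policy), as an added Python model that is not the module's own code; the addresses, the policy format and the first-match-with-implicit-deny behaviour are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", "esp", "ah"
    dport: int = 0  # 0 where the protocol has no port

@dataclass(frozen=True)
class AccessPolicy:
    action: str     # "permit" or "deny"
    src: str        # CIDR, "0.0.0.0/0" for any
    dst: str
    proto: str      # protocol name or "any"
    dport: int = 0  # 0 matches any port

MODULE_GATEWAY = {"203.0.113.1"}  # constructed address of the module's VPN interface

def matches(policy: AccessPolicy, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(policy.src)
            and ip_address(pkt.dst) in ip_network(policy.dst)
            and policy.proto in ("any", pkt.proto)
            and policy.dport in (0, pkt.dport))

def first_match(policies, pkt: Packet) -> str:
    # First matching policy wins; implicit deny otherwise (an assumption of this model).
    return next((p.action for p in policies if matches(p, pkt)), "deny")

def vpn_decision(policies, outer: Packet, inner=None) -> tuple:
    # outer: the AH/ESP packet on the wire (for outgoing traffic, the one the module
    # will build); inner: the cleartext packet, None if the module cannot decapsulate it.
    if outer.proto not in ("esp", "ah"):
        return first_match(policies, outer), "plain traffic, checked as-is"
    if inner is not None and MODULE_GATEWAY & {outer.src, outer.dst}:
        # Module terminates the tunnel: AH/ESP is accepted automatically and the
        # access policies are applied to the decapsulated inner packet instead.
        verdict = first_match(policies, inner)
        return verdict, ("inner traffic permitted" if verdict == "permit"
                         else "tunnel up, but no access policy permits the inner traffic")
    # Tunnel transits the module to a gateway behind it: only AH/ESP itself can be
    # matched, so an explicit policy for that protocol is required.
    return first_match(policies, outer), "transit tunnel, AH/ESP policy applies"

# Constructed scenario: remote client 192.0.2.50 tunnels to internal host 10.1.1.10:443.
OUTER = Packet("192.0.2.50", "203.0.113.1", "esp")
INNER = Packet("192.0.2.50", "10.1.1.10", "tcp", 443)
ESP_ONLY = [AccessPolicy("permit", "0.0.0.0/0", "203.0.113.1/32", "esp")]  # the usual mistake
INNER_OK = [AccessPolicy("permit", "192.0.2.0/24", "10.1.1.0/24", "tcp", 443)]
```

With ESP_ONLY the tunnel comes up but vpn_decision reports a deny on the inner traffic; INNER_OK is the policy that actually lets the client's HTTPS session through.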