TMS zl Management and Configuration Guide ST.1.1.100430
A-136
Command-Line Reference
IPsec Policy Context
PFS (Perfect Forward Secrecy) for keys: Disabled
SA Lifetime in Seconds: 28800
SA Lifetime in Kilobytes: 0
IP Address Pool for IRAS: Disabled
Advanced Settings
IP compression: Disabled
Anti-Replay Window Size: 32
Extended sequence number: Disabled
Re-key on sequence number overflow: Enabled
Persistent tunnel: Disabled
Fragment before IPsec: Enabled
Copy DSCP value from clear packet: Disabled
DSCP Value: 9
DF Bit Handling: Clear DF bit.
traffic-selector
With this command, you configure the VPN traffic selector, which determines the traffic to which this policy is applied. For example, the selector might specify all IP traffic between 192.168.2.0/24 (a local network) and 192.168.3.0/24 (a remote network). For a policy with the Apply action, the selected traffic is the traffic that is sent and received (and secured) on the IPsec SA.
Caution
If your traffic selector will include management traffic to the TMS zl Module itself, you must first configure a Bypass policy with top priority that selects the management traffic; otherwise you will be locked out of the Web browser interface. If you do lock yourself out, reboot the module, but DO NOT SAVE the configuration.
Similarly, the traffic selector must not include the local gateway address (configured in the IKE policy) unless the selector is limited to specific protocols such as UDP L2TP. If, for whatever reason, the local addresses do include the local gateway address, you must create a Bypass policy that excludes IKE traffic to and from the module from the VPN. Otherwise the VPN cannot be established.
If your traffic selector will include traffic that is also selected for NAT, you
must create a NAT exclusion policy. See “Exclusion NAT Policies” in
Chapter 5: “Network Address Translation.”
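The three rules above (management traffic to the module, the IKE local gateway address, and overlap with NAT-selected traffic) can be checked before a selector is applied. The following pre-flight check is an added example, not code from the guide or the module; the Selector model, the function names and all addresses are constructed assumptions, and the module's real selector syntax is not reproduced.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IKE control traffic is UDP/500 and UDP/4500 (NAT-T); a selector narrowed to
# another protocol or port, such as UDP/1701 for L2TP, does not capture it.
IKE_PORTS = (500, 4500)

@dataclass
class Selector:
    """Constructed model of one VPN traffic selector: a local and a remote
    network plus an optional protocol/port restriction ("any" = all IP)."""
    local: str
    remote: str
    protocol: str = "any"
    port: Optional[int] = None

    def _nets(self):
        return (ipaddress.ip_network(self.local, strict=False),
                ipaddress.ip_network(self.remote, strict=False))

    def covers(self, addr: str) -> bool:
        """True if the address falls inside either side of the selector."""
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in self._nets())

    def matches_ike(self) -> bool:
        """True unless the selector is narrowed to non-IKE protocol/port."""
        if self.protocol not in ("any", "udp"):
            return False
        return self.port is None or self.port in IKE_PORTS

    def overlaps(self, other: "Selector") -> bool:
        a_local, a_remote = self._nets()
        b_local, b_remote = other._nets()
        return a_local.overlaps(b_local) and a_remote.overlaps(b_remote)

def selector_warnings(sel, mgmt_addr, ike_gateway, nat_selectors=(),
                      mgmt_bypass=False, ike_bypass=False):
    """Return the policies the guide requires before `sel` can be applied."""
    out = []
    if sel.covers(mgmt_addr) and not mgmt_bypass:
        out.append("LOCKOUT RISK: add a top-priority Bypass policy for management traffic to the module")
    if sel.covers(ike_gateway) and sel.matches_ike() and not ike_bypass:
        out.append("IKE BLOCKED: add a Bypass policy excluding IKE to/from the module")
    if any(sel.overlaps(nat) for nat in nat_selectors):
        out.append("NAT OVERLAP: add a NAT exclusion policy for this traffic")
    return out

if __name__ == "__main__":
    lan = Selector("192.168.2.0/24", "192.168.3.0/24")  # the guide's example networks
    for warning in selector_warnings(lan, mgmt_addr="192.168.2.1", ike_gateway="203.0.113.10"):
        print(warning)
```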