TMS zl Management and Configuration Guide ST.1.1.100430

7-73
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
d. For Service, leave Any Service.
This is the most basic configuration. You could create access policies that permit only certain types of traffic.
e. For Source, specify the IKE mode config addresses (either manually or with a previously configured named object).
In the example figure, these addresses are indicated with the number 4.
Note If you did not configure IKE mode config, specify the remote endpoints' actual IP addresses. Do not specify Any Address, because that would permit traffic from any source address, not only from the remote endpoints.
f. For Destination, specify the local addresses that the remote endpoints are allowed to reach (either manually or with a previously configured named object).
In the example figure, these addresses are indicated with the number 2.
g. If you want, click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your system. For example, type 1356.
i. Click the Basic tab.
j. Optionally, select the Enable logging on this Policy check box if you want to view log messages for this policy.
Note It is not recommended that you enable logging permanently, because policy logging is processor-intensive. Use policy logging for troubleshooting and testing only.
k. Click Apply.
7. If XAUTH divides remote users into multiple groups, repeat step 5 and step 6 for each user group.
8. If necessary for your services, create access policies that permit local endpoints to send traffic to remote endpoints (at their IKE mode config addresses and zone, if you configured IKE mode config).