TMS zl Management and Configuration Guide ST.1.1.100430

7-177
Virtual Private Networks
Configure an L2TP over IPsec VPN
Caution
You must be very careful when you configure firewall access policies in the
None user group that permit traffic from L2TP users. These users are in the
External zone, so you can inadvertently open your network up to unauthorized
access. At the very least, take great care to limit the firewall access policies
to the specific virtual IP addresses that are assigned to L2TP clients.
For access policies that permit the traffic sent over the VPN, you should
consider setting the TCP MSS to a value lower than the typical MSS used in
your system. Otherwise, the addition of the L2TP, IP delivery, and IPsec
headers might make the packets too large to be transmitted. Table 7-20
suggests a conservative value for the TCP MSS when the MTU is 1500. For
more information on the TCP MSS, see the introduction to “Firewall Access
Policies” on page 4-22 of Chapter 4: “Firewall.”
Note
The value for TCP MSS in the table is only a suggestion. You should determine
the best MSS for your environment.
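To see where an MSS reduction of this order comes from, the following added example (not part of this guide, and not TMS zl code) adds up the encapsulation overhead of L2TP over IPsec and returns the largest TCP MSS that still lets a full-size segment fit in one outer packet. It assumes ESP in transport mode protecting the L2TP UDP datagram, AES-CBC with a 16-byte IV and HMAC-SHA1-96 by default, an L2TPv2 header with the Length field, and a PPP header without address/control or protocol field compression; the function parameters and names are illustrative, and the exact answer shifts with the cipher, the integrity algorithm and NAT traversal, which is why a single table value can only be a conservative suggestion.

```python
"""Largest TCP MSS that fits an L2TP-over-IPsec tunnel for a given MTU.

Added example: header sizes are the standard values from the relevant RFCs;
the encapsulation model (ESP transport mode, L2TPv2 with Length field, PPP
without header compression) is an assumption, not a statement about TMS zl.
"""

# Header sizes in bytes.
OUTER_IP = 20      # IPv4 delivery header, no options
ESP_HEADER = 8     # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2    # pad length (1) + next header (1), excluded from padding
UDP = 8            # UDP header (L2TP transport, and again for NAT-T)
L2TP = 8           # L2TPv2 header with the optional Length field, RFC 2661
PPP = 4            # PPP address/control (2) + protocol (2)
INNER_IP = 20      # tunnelled IPv4 header, no options
TCP = 20           # tunnelled TCP header, no options

INNER_FIXED = UDP + L2TP + PPP + INNER_IP + TCP   # everything inside ESP except TCP data


def _esp_outer_fixed(iv_len: int, icv_len: int, nat_t: bool) -> int:
    """Bytes outside the encrypted payload: outer IP, NAT-T UDP, ESP header, IV, ICV."""
    return OUTER_IP + (UDP if nat_t else 0) + ESP_HEADER + iv_len + icv_len


def _round_up(n: int, block: int) -> int:
    """Round n up to the next multiple of block (ESP pads plaintext to the cipher block)."""
    return -(-n // block) * block


def outer_packet_len(mss: int, *, cipher_block: int = 16, iv_len: int = 16,
                     icv_len: int = 12, nat_t: bool = False) -> int:
    """Size on the wire of one full TCP segment of `mss` data bytes after encapsulation."""
    plaintext = INNER_FIXED + mss + ESP_TRAILER
    return _esp_outer_fixed(iv_len, icv_len, nat_t) + _round_up(plaintext, cipher_block)


def max_tcp_mss(mtu: int = 1500, *, cipher_block: int = 16, iv_len: int = 16,
                icv_len: int = 12, nat_t: bool = False) -> int:
    """Largest MSS whose encapsulated segment does not exceed `mtu`."""
    budget = mtu - _esp_outer_fixed(iv_len, icv_len, nat_t)
    budget -= budget % cipher_block          # padded plaintext must be a block multiple
    return budget - ESP_TRAILER - INNER_FIXED


if __name__ == "__main__":
    for label, kwargs in (("AES-CBC, no NAT-T", {}),
                          ("AES-CBC, NAT-T", {"nat_t": True}),
                          ("3DES-CBC, no NAT-T", {"cipher_block": 8, "iv_len": 8})):
        mss = max_tcp_mss(1500, **kwargs)
        print(f"{label:20s} max MSS {mss}  -> {outer_packet_len(mss, **kwargs)} bytes on the wire")
```

With the defaults the limit is 1378 bytes, and 1362 bytes once NAT traversal adds a second UDP header; the 1360 in Table 7-20 sits below both, so a full segment clamped to it encapsulates to well under 1500 bytes in either case, while an unclamped 1460-byte MSS would exceed the MTU.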
Table 7-20 lists the necessary access policies; the numbers in the Source and
Destination columns refer to the example figure above.
Table 7-20. Checklist for Access Policies for an L2TP over IPsec VPN

| When Required | User Group | From Zone | To Zone | Service | Source | Destination | TCP MSS | Number of policies |
|---|---|---|---|---|---|---|---|---|
| Always | None | Remote | SELF | IKE (isakmp) | 3 or Any | 1 | | 1 |
| Always | None | SELF | Remote | IKE (isakmp) | 1 | 3 or Any | | 1 |
| Always | None | Remote | SELF | L2TP (l2tp-udp) | 3 or Any | 1 | | 1 |
| Always | None | SELF | Remote | L2TP (l2tp-udp) | 1 | 3 or Any | | 1 |
| Always | L2TP user groups (or None, not recommended) | EXTERNAL | Local | Any you choose | 4 | 2 | 1360 | As many as you choose |
| Local endpoints initiate sessions with remote | None (or local user groups) | Local | EXTERNAL | Any you choose | 2 | 4 | 1360 | As many as you choose |