TMS zl Management and Configuration Guide ST.1.2.100916

7-58
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
Caution If your traffic selector will include management traffic, you must configure a
Bypass policy with top priority that selects the management traffic, or you will
be locked out of the Web browser interface. See “Configure Bypass and Deny
IPsec Policies” on page 7-354.
If you do lock yourself out, access the module and delete the IPsec policy:
If the module has multiple IP addresses in its management-access zone,
you might be able to contact the module’s Web browser interface at one
of the other addresses. You can then delete the faulty IPsec policy from
the VPN > IPsec > IPsec Policies window.
If you have locked yourself out entirely, you can use the CLI to delete the
faulty IPsec policy. Access the host switch CLI and enter these commands:
hostswitch(config)# services <slot ID> name tms-module
hostswitch(tms-module-<slot ID>)# config
hostswitch(tms-module-<slot ID>:config)# no ipsec policy <policy name>
Replace <slot ID> with the ID of the slot in which the TMS zl Module
is installed. Replace <policy name> with the IPsec policy name. (You
can use the show ipsec policy command to view the name.)
Caution Similarly, the traffic selector must not include the local gateway address
(configured in the IKE policy) unless the selector is limited to specific protocols
such as UDP L2TP. If, however, for whatever reason the local addresses
include the local gateway address without such limitation, you must create a
Bypass policy to exclude IKE traffic to and from the module from the VPN.
Otherwise the VPN cannot be established. See “Configure Bypass and Deny
IPsec Policies” on page 7-354.
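The two cautions above describe the same ordering rule from two sides: management traffic and IKE traffic must be picked up by a Bypass policy before any IPsec policy gets to see them. The following pre-flight audit, added here as an example and not code from the TMS zl guide, models a policy table as an ordered list (lowest priority number evaluated first) with IPsec-style selectors (local and remote address ranges, optional protocol and ports) that match a flow in either direction, and reports every protected flow whose first matching policy is an IPsec policy rather than a Bypass. The policy names, addresses, the Web browser interface port (TCP 443) and the IKE ports (UDP 500 and 4500 for NAT-T) are assumptions for illustration, not values from the guide.

```python
"""Pre-flight audit of an IPsec policy table: management and IKE traffic must hit
a Bypass policy before any IPsec policy. Added example; not from the TMS zl guide.
Names, addresses and ports below are assumptions for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int                 # lower number = evaluated first (assumption)
    action: str                   # "bypass" or "ipsec"
    local: str                    # local address range of the traffic selector
    remote: str                   # remote address range of the traffic selector
    protocol: str = "any"         # "any", "udp", "tcp", ...
    ports: Tuple[int, ...] = ()   # destination ports; () means any port


@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    protocol: str
    dst_port: int


def matches(policy: Policy, flow: Flow) -> bool:
    """True if the selector covers the flow in either direction."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    local = ip_network(policy.local, strict=False)
    remote = ip_network(policy.remote, strict=False)
    outbound = src in local and dst in remote
    inbound = src in remote and dst in local
    if not (outbound or inbound):
        return False
    if policy.protocol != "any" and policy.protocol != flow.protocol:
        return False
    if policy.ports and flow.dst_port not in policy.ports:
        return False
    return True


def first_match(policies: Sequence[Policy], flow: Flow) -> Optional[Policy]:
    """First policy in priority order whose selector covers the flow."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if matches(policy, flow):
            return policy
    return None


def required_bypass_flows(module_mgmt: str, admin_host: str,
                          local_gateway: str, remote_peer: str) -> List[Flow]:
    """Flows that must never be caught by an IPsec policy: the Web browser
    interface session (assumed TCP 443) and IKE in both directions."""
    flows = [Flow("management HTTPS admin->module", admin_host, module_mgmt, "tcp", 443)]
    for port in (500, 4500):   # IKE and IKE NAT-T, both UDP
        flows.append(Flow(f"IKE udp/{port} gateway->peer", local_gateway, remote_peer, "udp", port))
        flows.append(Flow(f"IKE udp/{port} peer->gateway", remote_peer, local_gateway, "udp", port))
    return flows


def audit(policies: Sequence[Policy], flows: Sequence[Flow]) -> List[str]:
    """Report each protected flow whose first matching policy is an IPsec policy."""
    issues = []
    for flow in flows:
        hit = first_match(policies, flow)
        if hit is not None and hit.action == "ipsec":
            issues.append(f"{flow.label}: selected by IPsec policy '{hit.name}' "
                          f"with no higher-priority Bypass policy")
    return issues


# Constructed sample addresses (RFC 5737 documentation ranges on the public side).
MODULE_MGMT = "10.1.1.1"         # module address in its management-access zone
ADMIN_HOST = "10.1.1.50"
LOCAL_GATEWAY = "203.0.113.10"   # local gateway address from the IKE policy
REMOTE_PEER = "198.51.100.20"
FLOWS = required_bypass_flows(MODULE_MGMT, ADMIN_HOST, LOCAL_GATEWAY, REMOTE_PEER)

# Over-broad selector: local 0.0.0.0/0 covers both the management address and
# the IKE gateway, so management and IKE traffic are pulled into the VPN.
LOCKOUT_TABLE = [Policy("clients-any", 10, "ipsec", "0.0.0.0/0", "0.0.0.0/0")]

# Corrected table: Bypass policies at top priority for management and IKE traffic.
SAFE_TABLE = [
    Policy("mgmt-bypass", 1, "bypass", MODULE_MGMT + "/32", "10.1.1.0/24"),
    Policy("ike-bypass", 2, "bypass", LOCAL_GATEWAY + "/32", "0.0.0.0/0", "udp", (500, 4500)),
    Policy("clients", 10, "ipsec", "10.0.0.0/8", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, table in (("lockout", LOCKOUT_TABLE), ("safe", SAFE_TABLE)):
        print(name, audit(table, FLOWS) or "OK")
```

Running the audit on `LOCKOUT_TABLE` flags the management session and all four IKE flows, which is the lockout and the "VPN cannot be established" case the cautions describe; `SAFE_TABLE` passes because the two Bypass policies sit above the IPsec policy. The check is only as good as the flows you feed it: add a flow for every other management protocol you rely on, and for the real management port if it differs from 443.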
Note If your traffic selector will include traffic that is also selected for NAT, you
must create a NAT exclusion policy. See “Exclusion NAT Policies” in
Chapter 5: “Network Address Translation.”
Refer to Figure 7-46 for help while you configure the traffic selector.