TMS zl Management and Configuration Guide ST.1.2.100916

7-60
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
The local addresses should be internal addresses on your private
network.
- Select the single-entry IP, range, or network address object that
  you created earlier for local endpoints.
  Note: An address object is not valid for the local address if you plan
  to configure IKE mode config. It is also invalid for a transport-mode
  VPN (but you should be using tunnel mode for a client-to-site VPN).
- Select Any to permit any IP address.
  Any is not valid if you plan to configure IKE mode config. In any
  case, take care when specifying Any in a traffic selector: a selector
  that is broader than the hosts you intend to reach through the VPN
  can match traffic that should not be part of the VPN, and that traffic
  is then handled by the IPsec policy and blocked from reaching its
  destination.
c. Local Port is present if you selected TCP or UDP for Protocol. Type the
port number for the service to which you want to allow remote users
access. Leave the box empty to allow traffic to all ports.
d. The Remote Address setting depends on whether you will use IKE
mode config or not.
If you will use IKE mode config, specify the same addresses that you
will configure for the IKE mode config pool (indicated by 4 in the
example figure):
- Manually type an IP address, IP address range, or network
  address in CIDR format.
- Select a single-entry IP, range, or network address object.
If you will not use IKE mode config, you must match the exact value
that the remote clients send for their local IP address (indicated by 3
in the example figure). Some clients always send their actual IP
address. In this case, you must specify this single address and create
a separate IPsec policy for each remote client. Other clients (such as
the Mac IPSecuritas) can send an entire subnet. Do one of the following
to specify addresses:
- Manually type an IP address, IP address range, or network
  address in CIDR format.
- Select a single-entry IP, range, or network address object.
- Select Any to permit any IP address.
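The following Python model is an added example, not part of the guide and not the TMS zl's own validation logic. It encodes the selector rules stated above (Local Port only with TCP/UDP; no Any local address with IKE mode config; Remote Address equal to the mode config pool; one policy per client that sends its real IP) and then evaluates a few constructed sample flows against a narrow selector and a wide-open one, so you can see exactly which non-VPN traffic an Any selector would capture. Address objects are not modelled; the selector fields take literal specs (single IP, CIDR, a-b range, or Any), and the flow and address values are constructed for illustration.

```python
"""Model of an IPsec client-to-site traffic selector (added example, IPv4 only)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "Any"
Parsed = Union[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address], ipaddress.IPv4Network]


def parse_addr(spec: str) -> Parsed:
    """Parse a selector address spec: 'Any', a single IP, a CIDR network or an 'a-b' range."""
    if spec == ANY:
        return ANY
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range start is after range end: {spec}")
        return (lo, hi)
    # A bare host becomes a /32; strict=False tolerates host bits in a CIDR spec.
    return ipaddress.ip_network(spec, strict=False)


def addr_matches(spec: str, ip: str) -> bool:
    """True if the address spec covers the given IP."""
    parsed, addr = parse_addr(spec), ipaddress.ip_address(ip)
    if parsed == ANY:
        return True
    if isinstance(parsed, tuple):
        return parsed[0] <= addr <= parsed[1]
    return addr in parsed


@dataclass
class TrafficSelector:
    local: str                                  # Local Address: hosts on the private network
    remote: str                                 # Remote Address: the client side
    protocol: str = ANY                         # "TCP", "UDP" or Any
    local_port: Optional[int] = None            # service port on the local side; None = all ports
    ike_mode_config: bool = False
    mode_config_pool: Optional[str] = None      # addresses the gateway hands out to clients


def validate(ts: TrafficSelector) -> List[str]:
    """Apply the configuration rules from the guide text; returns error/warning findings."""
    findings: List[str] = []
    if ts.local_port is not None and ts.protocol not in ("TCP", "UDP"):
        findings.append("error: Local Port is only valid when Protocol is TCP or UDP")
    if ts.ike_mode_config:
        if ts.local == ANY:
            findings.append("error: Local Address 'Any' is not valid with IKE mode config")
        if ts.mode_config_pool is None or parse_addr(ts.remote) != parse_addr(ts.mode_config_pool):
            findings.append("error: Remote Address must be the same addresses as the IKE mode config pool")
    if ts.local == ANY or ts.remote == ANY:
        findings.append("warning: 'Any' in a traffic selector can capture traffic that should not enter the VPN")
    return findings


def per_client_selectors(local: str, client_ips: List[str], **kw) -> List[TrafficSelector]:
    """Without mode config, each client that sends its real IP needs its own policy."""
    return [TrafficSelector(local=local, remote=ip, **kw) for ip in client_ips]


@dataclass(frozen=True)
class Flow:
    local_ip: str       # host on the gateway's private network
    local_port: int     # port on that host
    remote_ip: str      # the other endpoint
    protocol: str


def selects(ts: TrafficSelector, flow: Flow) -> bool:
    """Would this selector steer the flow into the IPsec policy?"""
    return (addr_matches(ts.local, flow.local_ip)
            and addr_matches(ts.remote, flow.remote_ip)
            and ts.protocol in (ANY, flow.protocol)
            and ts.local_port in (None, flow.local_port))


def audit(ts: TrafficSelector, flows: List[Flow]) -> List[Flow]:
    """Return the flows the selector would capture."""
    return [f for f in flows if selects(ts, f)]


# Constructed sample flows (not from the guide): two legitimate remote-client sessions and
# one LAN host browsing a public site, which must stay outside the VPN.
SAMPLE_FLOWS = [
    Flow("10.1.1.5", 443, "203.0.113.7", "TCP"),      # remote client -> intranet web server
    Flow("10.1.1.20", 22, "203.0.113.9", "TCP"),      # remote client -> SSH host
    Flow("10.1.1.5", 51234, "198.51.100.20", "TCP"),  # LAN host -> public web site (not VPN traffic)
]

NARROW = TrafficSelector(local="10.1.1.0/24", remote="203.0.113.0/24", protocol="TCP")
WIDE_OPEN = TrafficSelector(local=ANY, remote=ANY)
MODE_CFG = TrafficSelector(local="10.1.1.0/24", remote="172.16.50.10-172.16.50.50",
                           ike_mode_config=True, mode_config_pool="172.16.50.10-172.16.50.50")

if __name__ == "__main__":
    for name, ts in (("narrow", NARROW), ("wide_open", WIDE_OPEN), ("mode_config", MODE_CFG)):
        print(name, validate(ts), [f.remote_ip for f in audit(ts, SAMPLE_FLOWS)])
```

Running it shows the narrow selector capturing only the two client sessions, while the wide-open selector also captures the LAN host's public web session, which is the traffic the note above warns would be blocked.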