TMS zl Management and Configuration Guide ST.1.2.100916

7-68
Virtual Private Networks
Configure an IPsec Client-to-Site VPN
Create Access Policies for an IPsec Client-to-Site VPN
Before you begin configuring firewall access policies, determine the zone on
which traffic from the remote endpoints arrives. This is the zone associated
with the TMS VLAN on which the local VPN gateway address is configured. Often,
this is the External zone, but it could be another zone. The instructions below
will refer to this zone as the “remote zone.”
Also, determine the zone on which traffic from remote endpoints arrives after
the endpoints have been assigned IKE mode config addresses (you selected
this zone when you created the IPsec policy). Again, this zone can be the
External zone or another zone. The instructions will refer to this zone as the
“IKE mode config zone.” If you did not use IKE mode config, use the remote
zone wherever the IKE mode config zone is indicated.
You should also determine the zone for local endpoints that are allowed on
the VPN. This might be the Internal zone or another zone. The instructions
below will refer to this zone as the “local zone.” If VPN clients are allowed to
access multiple zones, you must create policies for each of these zones.
Figure 7-51 shows these zones in the example IPsec client-to-site VPN.
Figure 7-51. Example IPsec Client-to-Site VPN (with Zones)