TMS zl Management and Configuration Guide ST.1.2.100916
7-111
Virtual Private Networks
Configure an IPsec Site-to-Site VPN with IKE
Caution Take great care when specifying Any. You might inadvertently block
necessary traffic. For example, if you select a local subnet for the local
addresses, Any for the protocol, and Any for the remote addresses, every
packet sent from the local subnet matches this policy, so the TMS zl Module
will no longer allow endpoints on the local subnet to send any traffic except
through the VPN to endpoints behind the remote VPN gateway. To carry other
traffic in the clear, you might need to create Bypass policies. See
“Configure Bypass and Deny IPsec Policies” on page 7-354.
c. Local Port is present if you selected TCP or UDP for Protocol. Type a
specific port for the service to which remote clients are allowed
access or leave the field blank (which allows traffic to any port).
d. For Remote Address, specify the addresses for all remote endpoints
allowed to send and receive traffic over the VPN (indicated by 4 in
the figure).
Do one of the following to specify remote addresses:
– Select Any to permit any IP address.
– Select the single-entry IP, range, or network address object that
you configured for endpoints behind the remote VPN gateway.
– Manually type an IP address, an IP address range, or a network
address in CIDR format.
e. Remote Port is present if you selected TCP or UDP for Protocol. Type the
port number of the service in the remote network that local endpoints are
allowed to access, or leave the field blank (which allows traffic to any
port).
f. If you selected ICMP for Protocol, select Any for ICMP Type. The Echo and
Timestamp types are supported only on tunnels that use manual keying
instead of IKE. See “Configure an IPsec Site-to-Site VPN with Manual
Keying” on page 7-124.
9. For Proposal, select a previously configured IPsec proposal.
The IPsec proposal specifies the IPsec mode, IPsec protocol, and the
authentication and encryption algorithms that secure the VPN connection.
See “Create an IPsec Proposal” on page 7-104.
10. Click Next.
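The following is an added example, not TMS zl code, that models how an ordered set of IPsec policies (protect, bypass, deny) selects traffic using the fields from step 8: Local Address, Remote Address, Protocol, Local Port, Remote Port and ICMP Type. It shows concretely what the Caution above describes: a policy with the local subnet, Protocol Any and Remote Address Any captures the subnet's Internet-bound traffic as well as its VPN traffic, whereas a policy scoped to the remote site's subnet followed by a Bypass policy does not. The subnets, hosts, policy names, the first-match ordering and the "no-match means ordinary forwarding" rule are assumptions made for the model.

```python
# Added example (not TMS zl code): a model of ordered IPsec policy matching
# using the selector fields described in the guide. Address selectors may be
# "Any", a single IP, a range "a-b" or a CIDR block, mirroring the three entry
# methods in step 8d. Policy order is first-match (an assumption of the model).
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "Any"


def addr_matches(selector: str, ip: str) -> bool:
    """True if ip falls inside selector: 'Any', '10.1.0.9',
    '10.1.0.1-10.1.0.50' (range) or '10.1.0.0/24' (CIDR)."""
    if selector == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in selector:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in selector.split("-", 1))
        return lo <= addr <= hi
    if "/" in selector:
        return addr in ipaddress.ip_network(selector, strict=False)
    return addr == ipaddress.ip_address(selector)


def port_matches(selector: Optional[int], port: Optional[int]) -> bool:
    """A blank port field (None) allows any port, as the guide states."""
    return selector is None or selector == port


@dataclass
class Policy:
    name: str
    action: str                        # "protect" (tunnel), "bypass" (clear), "deny" (drop)
    local: str                         # Local Address selector
    remote: str                        # Remote Address selector
    protocol: str = ANY                # "Any", "tcp", "udp" or "icmp"
    local_port: Optional[int] = None   # only meaningful for tcp/udp
    remote_port: Optional[int] = None  # only meaningful for tcp/udp
    icmp_type: str = ANY               # "Any", "echo" or "timestamp"; icmp only

    def matches(self, pkt: dict) -> bool:
        if not (addr_matches(self.local, pkt["src"]) and addr_matches(self.remote, pkt["dst"])):
            return False
        if self.protocol != ANY and self.protocol != pkt["proto"]:
            return False
        if self.protocol in ("tcp", "udp"):
            if not port_matches(self.local_port, pkt.get("sport")):
                return False
            if not port_matches(self.remote_port, pkt.get("dport")):
                return False
        if self.protocol == "icmp" and self.icmp_type != ANY and self.icmp_type != pkt.get("icmp_type"):
            return False
        return True


def lookup(policies: list, pkt: dict) -> str:
    """Action of the first matching policy; 'no-match' when no IPsec policy
    applies (assumed to mean ordinary, non-IPsec forwarding)."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action
    return "no-match"


# Constructed sample flows from a host on the (assumed) local subnet 10.1.0.0/24.
TO_REMOTE_SITE = {"src": "10.1.0.5", "dst": "10.2.0.7", "proto": "tcp", "sport": 50000, "dport": 445}
TO_INTERNET = {"src": "10.1.0.5", "dst": "93.184.216.34", "proto": "tcp", "sport": 50001, "dport": 443}
PING_REMOTE = {"src": "10.1.0.5", "dst": "10.2.0.7", "proto": "icmp", "icmp_type": "echo"}

# The configuration the Caution warns about: local subnet, Protocol Any, Remote Any.
TOO_BROAD = [Policy("site-vpn", "protect", "10.1.0.0/24", ANY)]

# Corrected: protect only traffic for the remote site's subnet (assumed
# 10.2.0.0/24) and let the subnet's other traffic bypass IPsec.
SCOPED = [
    Policy("site-vpn", "protect", "10.1.0.0/24", "10.2.0.0/24"),
    Policy("internet-bypass", "bypass", "10.1.0.0/24", ANY),
]


def classify(policies: list) -> dict:
    """Map each sample flow to the action the policy set assigns it."""
    flows = (("remote_site", TO_REMOTE_SITE), ("internet", TO_INTERNET), ("ping", PING_REMOTE))
    return {name: lookup(policies, pkt) for name, pkt in flows}


if __name__ == "__main__":
    print("too broad:", classify(TOO_BROAD))
    print("scoped:   ", classify(SCOPED))
```

With TOO_BROAD every flow, including the HTTPS connection to the Internet, is classified "protect" and would be forced into the tunnel; with SCOPED only traffic for 10.2.0.0/24 is protected and the Internet flow hits the bypass policy. Because matching is first-match, the bypass policy must sit after the narrower protect policy; placing a local-subnet-to-Any bypass first would swallow the VPN traffic too.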