TMS zl Management and Configuration Guide ST.1.2.100916

7-117
Virtual Private Networks
Configure an IPsec Site-to-Site VPN with IKE
Move to the next task: configuring firewall access policies that permit traffic
associated with the VPN.
Create Access Policies for an IPsec Site-to-Site VPN that Uses IKE
Before you begin configuring firewall access policies, determine the zone on
which traffic from the remote gateway arrives. Typically, this is the External
zone, but it could be another zone. The instructions below will refer to this
zone as the “remote zone.”
You should also determine the zone for local endpoints allowed on the VPN.
This might be the Internal zone or another zone. The instructions below will
refer to this zone as the “local zone.” If multiple zones are allowed to access
the VPN, you must create policies for each of these zones.
Figure 7-99 shows these zones in the example figure for IPsec site-to-site VPNs.
Figure 7-99. Example IPsec Site-to-Site VPN (with Zones)
Table 7-10 lists the necessary access policies; the numbers in the Source and
Destination columns refer to the example figure above. (Note that all of these
policies are typically configured for the None user group. However, if local
users log in through the module, then the access policies with the local zone
as the source zone would need to be configured for their user groups.)
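The recommendation that follows, to lower the TCP MSS for traffic sent over the tunnel, can be checked with the added Python below (example code, not part of this guide). It assumes IPv4 on both sides, a 1500-byte outer MTU and ESP tunnel mode with AES-CBC and HMAC-SHA1-96 by default, and also tries NAT-T and AES-GCM so the effect of different header overheads is visible.

```python
# Added example (not from the TMS zl guide): estimate the largest TCP MSS that
# still lets an ESP tunnel-mode packet fit the outer link MTU without fragmenting.
# Assumptions: IPv4 inner and outer headers (20 bytes each), a TCP header without
# options (20 bytes), ESP framing per RFC 4303, and an outer MTU of 1500 bytes.

IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # UDP header added when NAT traversal encapsulation is in use


def esp_tunnel_length(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Outer packet length for an inner IP packet of inner_len bytes.

    Defaults model AES-CBC (16-byte IV, 16-byte block) with HMAC-SHA1-96
    (12-byte ICV). ESP padding brings payload + trailer up to a block multiple.
    """
    pad = (-(inner_len + ESP_TRAILER)) % block
    return (IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv_len
            + inner_len + pad + ESP_TRAILER + icv_len)


def max_tcp_mss(mtu=1500, **esp):
    """Largest MSS whose full-size segment, once encapsulated, fits the MTU."""
    for mss in range(mtu, 0, -1):
        if esp_tunnel_length(IPV4_HDR + TCP_HDR + mss, **esp) <= mtu:
            return mss
    return 0


if __name__ == "__main__":
    default = 1500 - IPV4_HDR - TCP_HDR   # 1460: the MSS hosts use on an untouched link
    print("plain Ethernet MSS:", default)
    print("AES-CBC/HMAC-SHA1-96 tunnel:", max_tcp_mss())
    print("same tunnel behind NAT-T:", max_tcp_mss(nat_t=True))
    print("AES-GCM-128 tunnel:", max_tcp_mss(iv_len=8, block=4, icv_len=16))
    print("a 1460-byte segment on the tunnel becomes",
          esp_tunnel_length(IPV4_HDR + TCP_HDR + default), "bytes on the wire")
```

The last line shows the failure mode the guide warns about: a segment sized for the bare link grows past 1500 bytes once the ESP and outer IP headers are added, so the gateway must fragment it or drop it.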
For access policies that permit the traffic sent over the tunnel, you should
consider setting the TCP MSS to a value lower than the typical MSS used in
your system. Otherwise, the addition of the IPsec and IP delivery headers