TMS zl Management and Configuration Guide ST.1.2.100916

7-118
Virtual Private Networks
Configure an IPsec Site-to-Site VPN with IKE
might make the packets too large to be transmitted. Table 7-10 suggests a conservative value for the TCP MSS when the MTU is 1500. For more information on the TCP MSS, see the introduction to “Firewall Access Policies” on page 4-22 of Chapter 4: “Firewall.”

Note: The value for TCP MSS in the table is only a suggestion. You should determine the best MSS for your environment.
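The following worked example is added here to show how to derive an MSS for your own environment; it is not code from the TMS zl guide or from HP. It reckons the largest TCP MSS that keeps a tunnel-mode ESP packet within a given MTU, using the ESP framing sizes from RFC 4303 (SPI, sequence number, IV, padding to the cipher block size, a 2-byte trailer, and the ICV). The cipher and integrity sizes are assumptions, since the guide does not say which IPsec proposal the 1356 figure was derived for: the defaults model AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV); pass other values for a different proposal.

```python
"""Largest TCP MSS that fits an ESP tunnel-mode packet into the path MTU.

Added example, not code from the TMS zl guide. ESP layout per RFC 4303.
Cipher/ICV sizes are assumptions (AES-CBC, HMAC-SHA1-96 by default).
"""

IPV4_HEADER = 20   # outer and inner IPv4 header without options
TCP_HEADER = 20    # TCP header without options (option bytes come out of the data, RFC 6691)
UDP_HEADER = 8     # NAT-T encapsulation (UDP port 4500), only when NAT-T is in use
ESP_SPI_SEQ = 8    # ESP header: 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2    # pad length + next header, inside the encrypted area


def max_tcp_mss(mtu=1500, nat_t=False, iv_len=16, block_len=16, icv_len=12,
                outer_ip=IPV4_HEADER, inner_ip=IPV4_HEADER):
    """Largest MSS such that a full segment, once tunnelled in ESP, never exceeds mtu.

    Tunnel mode encrypts the whole inner IP packet (inner_ip + TCP + data) plus the
    2-byte trailer, padded up to a multiple of the cipher block size, so the usable
    encrypted area is the remaining budget rounded down to a block boundary.
    """
    fixed = outer_ip + (UDP_HEADER if nat_t else 0) + ESP_SPI_SEQ + iv_len + icv_len
    budget = mtu - fixed
    budget -= budget % block_len                 # encrypted area must be a block multiple
    mss = budget - ESP_TRAILER - inner_ip - TCP_HEADER
    if mss <= 0:
        raise ValueError("MTU too small for this IPsec proposal")
    return mss


def packet_size(mss, nat_t=False, iv_len=16, block_len=16, icv_len=12,
                outer_ip=IPV4_HEADER, inner_ip=IPV4_HEADER):
    """On-the-wire size of a full-MSS TCP segment after tunnel-mode ESP encapsulation."""
    plaintext = inner_ip + TCP_HEADER + mss + ESP_TRAILER
    padded = -(-plaintext // block_len) * block_len   # round up to the next block
    return outer_ip + (UDP_HEADER if nat_t else 0) + ESP_SPI_SEQ + iv_len + padded + icv_len


def is_conservative(suggested_mss, **proposal):
    """True if a table value is at or below the computed maximum for the proposal."""
    return suggested_mss <= max_tcp_mss(**proposal)


if __name__ == "__main__":
    # Compare the guide's suggested 1356 against a few plausible proposals at MTU 1500.
    for nat_t in (False, True):
        for icv in (12, 16):        # HMAC-SHA1-96 vs HMAC-SHA-256-128
            m = max_tcp_mss(1500, nat_t=nat_t, icv_len=icv)
            print(f"NAT-T={nat_t} ICV={icv}: max MSS {m}, wire size at that MSS "
                  f"{packet_size(m, nat_t=nat_t, icv_len=icv)}, 1356 safe: "
                  f"{is_conservative(1356, mtu=1500, nat_t=nat_t, icv_len=icv)}")
```

Running the block shows that 1356 sits comfortably below the computed maximum for these proposals, which is the headroom that makes it "conservative": it still holds if the path MTU is a little under 1500 or the proposal carries a larger ICV. Whatever value you settle on belongs only in the TCP MSS field of the Local-to-Remote and Remote-to-Local policies in Table 7-10; the IKE and NAT-T policies to and from SELF carry UDP and take no MSS.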
Table 7-10. Checklist for Access Policies for an IPsec Site-to-Site VPN That Uses IKE

When Required       From Zone  To Zone  Service                  Source  Destination  TCP MSS  Number of policies
Always              Remote     SELF     IKE (isakmp)             3       1            none     1
Always              SELF       Remote   IKE (isakmp)             1       3            none     1
Always              Remote     Local    Any you choose           4       2            1356     As many as you choose
Always              Local      Remote   Any you choose           2       4            1356     As many as you choose
When NAT-T is used  Remote     SELF     NAT-T (ipsec-nat-t-udp)  3       1            none     1
When NAT-T is used  SELF       Remote   NAT-T (ipsec-nat-t-udp)  1       3            none     1

Exact steps for configuring these policies are given below:
1. In the left navigation bar of the Web browser interface, click Firewall > Access Policies.
2. Click the Unicast tab.
3. Select None for User Group.
4. Click Add a Policy.
5. Allow IKE messages from the remote gateway.
   a. For Action, accept the default: Permit Traffic.
   b. For From, select the remote zone.
   c. For To, select Self.
   d. For Service, select isakmp.