TMS zl Management and Configuration Guide ST.1.2.100916
Virtual Private Networks
Configure an IPsec Site-to-Site VPN with IKE
e. For Source, specify the remote IP addresses allowed to send traffic
on the VPN (either manually or by specifying a previously configured
address object).
f. For Destination, specify the local addresses which the remote users
are allowed to access (either manually or by specifying a previously
configured address object).
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your
system. For example, type 1356.
i. Click the Basic tab.
j. Click Apply.
9. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic
somewhere between the gateways), you must create access policies to
allow the NAT-T traffic between the remote gateway and the module and
vice versa:
a. For Action, accept the default: Permit Traffic.
b. For From, select the remote zone.
c. For To, select Self.
d. For Service, select ipsec-nat-t-udp.
e. For Source, specify the remote gateway’s address (either manually or
by specifying a previously configured address object).
f. For Destination, specify the local VPN gateway address.
You can specify the address manually or select a previously configured
address object. Alternatively, select Any Address.
g. Click Apply.
h. For From, select Self.
i. For To, select the remote zone.
j. For Service, select ipsec-nat-t-udp.
k. For Source, specify the local VPN gateway address.
You can specify the address manually or select a previously configured
address object. Alternatively, select Any Address.
l. For Destination, specify the remote gateway IP address (either manually
or by specifying a previously configured address object).
m. Click Apply.
10. In the Add Policy window, click Close.
Move on to the next step: verifying routes.
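
The following is an added example, not part of the guide: a way to sanity-check a TCP MSS value such as 1356 against the path MTU once ESP tunnel-mode overhead, and the extra UDP header used by NAT-T, are counted. The function names, the IPv4 and TCP headers without options, and the listed transforms are assumptions; use the transforms from your own IPsec proposal.

```python
# Added example (not from the guide): estimate the on-wire size of a full-size
# TCP segment after ESP tunnel-mode encapsulation, to check a TCP MSS value.
# Assumed: IPv4 inner and outer headers without options, TCP without options.

IPV4_HDR = 20      # bytes, no options
TCP_HDR = 20       # bytes, no options
ESP_HDR = 8        # SPI (4) + sequence number (4), RFC 4303
ESP_TRAILER = 2    # pad length (1) + next header (1)
NATT_UDP_HDR = 8   # UDP encapsulation of ESP (ipsec-nat-t-udp), RFC 3948

# cipher -> (IV bytes, block bytes); integrity algorithm -> ICV bytes
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
ICVS = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}


def esp_packet_size(mss, cipher="aes-cbc", icv="hmac-sha1-96", nat_t=False):
    """Return the outer IPv4 packet size for a TCP segment carrying mss bytes."""
    iv_len, block = CIPHERS[cipher]
    inner = IPV4_HDR + TCP_HDR + mss          # original packet, encrypted whole
    unpadded = inner + ESP_TRAILER
    padded = -(-unpadded // block) * block    # round up to the cipher block size
    size = IPV4_HDR + ESP_HDR + iv_len + padded + ICVS[icv]
    return size + (NATT_UDP_HDR if nat_t else 0)


def max_mss(path_mtu, **kw):
    """Largest MSS whose encapsulated packet still fits within path_mtu."""
    mss = path_mtu - IPV4_HDR - TCP_HDR
    while mss > 0 and esp_packet_size(mss, **kw) > path_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for nat_t in (False, True):
        print("NAT-T" if nat_t else "plain ESP",
              "| MSS 1356 ->", esp_packet_size(1356, nat_t=nat_t), "bytes",
              "| max MSS at MTU 1500:", max_mss(1500, nat_t=nat_t))
```

A result above the path MTU means full-size segments would be fragmented or dropped after encapsulation, so the MSS should be lowered.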