TMS zl Management and Configuration Guide ST.1.2.100916

7-183
Virtual Private Networks
Configure an L2TP over IPsec VPN
7. If L2TP users are assigned to user groups, follow these steps:
a. Click Close.
b. In the Firewall > Access Policies > Unicast window, for User Group,
select the group to which L2TP users are assigned.
c. Click Add a Policy.
8. Permit traffic from the remote endpoints to local endpoints:
a. For Action, leave the default, Permit Traffic.
b. For From, select External.
c. For To, select the local zone.
d. For Service, leave Any Service.
Any Service is the most permissive configuration. Following least
privilege, you can instead select only the services that remote users
actually need (for example, named service objects for the applications
they access).
e. For Source, specify the virtual addresses that the TMS zl Module
assigns to L2TP endpoints (either manually or with a previously
configured address object).
f. For Destination, specify the local addresses that remote endpoints are
allowed to access (either manually or with a previously configured
address object).
g. Click the Advanced tab.
h. For TCP MSS, type the value that you determined is best for your
system (for example, 1360). Clamping the MSS keeps TCP segments small
enough that, once the PPP, L2TP, IPsec and (for NAT-T) UDP encapsulation
is added, they still fit within the path MTU between the module and the
remote endpoints, so large segments are not fragmented or silently dropped.
i. Click the Basic tab.
j. Click Apply.
9. If you have specified multiple user groups in the L2TP dial-in user
accounts, repeat step 7 and step 8 for each group.
10. If your services require it, create access policies that permit local
endpoints to send traffic to remote endpoints (to the External zone,
destined for the remote endpoints' virtual addresses). These policies
should generally be configured in the None user group.
11. If the IPsec tunnel uses NAT-T (because NAT is performed on traffic
somewhere between the remote endpoints and the module), you must
create two access policies to allow the NAT-T traffic (UDP port 4500):
a. Verify that for User Group, None is selected.
b. For Action, accept the default: Permit Traffic.
c. For From, select the remote zone.
d. For To, select Self.
e. For Service, select ipsec-nat-t-udp.
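The following is an added example, not part of this guide and not HP's code or the module's export format: a small Python model of the access-policy rows that steps 7 through 11 produce, with an audit that reports which required rows are missing (a user group that was skipped in step 9, a policy saved without the TCP MSS clamp, or the NAT-T row) and which permit rows still use Any Service. The Policy fields mirror the Unicast form (User Group, Action, From, To, Service, Source, Destination, TCP MSS); the group names, address-object names and the "https" service used in the sample configuration are constructed for illustration. Only the NAT-T policy shown on this page is modelled; the second NAT-T policy the guide mentions is on a later page.

```python
"""Audit a policy set against the L2TP over IPsec access-policy steps.

Added example; the row layout is an assumption that mirrors the
Firewall > Access Policies > Unicast form, not the module's own format.
"""
from dataclasses import dataclass, fields
from typing import List, Optional

NONE_GROUP = "None"   # the module's "None" user group (policy not tied to a group)


@dataclass(frozen=True)
class Policy:
    # In a required row, None means "the procedure does not fix this field".
    # In a configured row, tcp_mss None means no MSS clamp was set.
    user_group: Optional[str]
    action: Optional[str]
    from_zone: Optional[str]
    to_zone: Optional[str]
    service: Optional[str]
    source: Optional[str]
    destination: Optional[str]
    tcp_mss: Optional[int] = None


def required_policies(l2tp_groups: List[str], l2tp_pool: str, local_zone: str,
                      local_net: str, remote_zone: str = "External",
                      nat_t: bool = True, tcp_mss: int = 1360) -> List[Policy]:
    """Rows that steps 7 to 11 call for; l2tp_pool/local_net are address objects."""
    required = []
    # Steps 7-9: one permit row per user group (None group if there are none),
    # External -> local zone, source = the L2TP virtual address pool, with the
    # MSS clamp from the Advanced tab. Service is left open: Any Service is the
    # default, but narrowing it is allowed, so it is not checked here.
    for group in (l2tp_groups or [NONE_GROUP]):
        required.append(Policy(group, "Permit Traffic", "External", local_zone,
                               None, l2tp_pool, local_net, tcp_mss))
    if nat_t:
        # Step 11: None group, remote zone -> Self, service ipsec-nat-t-udp.
        # Source/Destination are not specified on this page, so they are wildcards.
        required.append(Policy(NONE_GROUP, "Permit Traffic", remote_zone, "Self",
                               "ipsec-nat-t-udp", None, None, None))
    return required


def _satisfies(required: Policy, configured: Policy) -> bool:
    """configured matches required on every field the procedure fixes."""
    return all(getattr(required, f.name) is None
               or getattr(required, f.name) == getattr(configured, f.name)
               for f in fields(Policy))


def missing_policies(configured: List[Policy], required: List[Policy]) -> List[Policy]:
    """Required rows with no matching configured row, in procedure order."""
    return [r for r in required if not any(_satisfies(r, c) for c in configured)]


def any_service_permits(configured: List[Policy], l2tp_pool: str) -> List[Policy]:
    """Permit rows from the L2TP pool that still allow Any Service (step 8d's
    default): candidates for tightening to the services remote users need."""
    return [p for p in configured
            if p.action == "Permit Traffic" and p.source == l2tp_pool
            and p.service == "Any Service"]


def sample_configuration() -> List[Policy]:
    """Constructed policy set: two L2TP user groups plus the NAT-T row."""
    return [
        Policy("vpn-users", "Permit Traffic", "External", "Internal",
               "Any Service", "l2tp-pool", "lan-servers", 1360),
        Policy("contractors", "Permit Traffic", "External", "Internal",
               "https", "l2tp-pool", "lan-servers", 1360),
        Policy(NONE_GROUP, "Permit Traffic", "External", "Self",
               "ipsec-nat-t-udp", "Any", "Any", None),
    ]


def audit(configured: List[Policy], l2tp_groups: List[str], l2tp_pool: str,
          local_zone: str, local_net: str, nat_t: bool = True) -> dict:
    required = required_policies(l2tp_groups, l2tp_pool, local_zone, local_net, nat_t=nat_t)
    return {"missing": missing_policies(configured, required),
            "any_service": any_service_permits(configured, l2tp_pool)}


if __name__ == "__main__":
    result = audit(sample_configuration(), ["vpn-users", "contractors", "auditors"],
                   "l2tp-pool", "Internal", "lan-servers")
    for row in result["missing"]:
        print("missing:", row)
    for row in result["any_service"]:
        print("Any Service permit for group:", row.user_group)
```

Run against a transcription of the configured policies, the audit flags a group whose row was never added in step 9 and a row saved without the MSS clamp, since the required row carries the MSS value while a configured row without it has None; a row that narrowed Service from Any Service to a named service still satisfies its requirement.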