TMS zl Management and Configuration Guide ST.1.2.100916

Virtual Private Networks
Configure a GRE over IPsec VPN with Manual Keying
A default IPsec policy prevents all traffic from being encrypted by the VPN
engine; therefore, all IPsec policies that you configure must have a higher
priority than this default policy.
Next, you configure the VPN traffic selector, which determines which traffic
will use the VPN tunnel. For a GRE over IPsec VPN, the traffic selector must
specify the GRE traffic between the TMS zl Module and the remote tunnel
endpoint.
Caution: For this policy, you will specify a local TMS zl Module IP address. Be very careful to specify GRE for the protocol. Otherwise, you might be locked out of the Web browser interface.
If you do lock yourself out, access the module and delete the IPsec policy in one of these ways:
• If the module has multiple IP addresses in its management-access zone, you might be able to contact the module's Web browser interface at one of the other addresses. You can then delete the faulty IPsec policy from the VPN > IPsec > IPsec Policies window.
• If you have locked yourself out entirely, you can use the CLI to delete the faulty IPsec policy. Access the host switch CLI and enter these commands:
hostswitch(config)# services <slot ID> name tms-module
hostswitch(tms-module-<slot ID>)# config
hostswitch(tms-module-<slot ID>:config)# no ipsec policy <policy name>
Replace <slot ID> with the ID of the slot in which the TMS zl Module is installed. Replace <policy name> with the name of the faulty IPsec policy. (You can use the show ipsec policy command to view the name.)
Note: If your traffic selector will include traffic that is also selected for NAT, you must create a NAT exclusion policy. See "Exclusion NAT Policies" in Chapter 5: "Network Address Translation."
Refer to Figure 7-248 for help configuring the traffic selector.
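The two rules above (every configured policy must outrank the default bypass policy, and a selector on the module's own address must be narrowed to GRE or it swallows management traffic) can be checked before a policy is applied. The following pre-flight check is an added example, not code from the guide or the TMS zl Module; it assumes a simplified policy model in which a lower priority number is evaluated first and the default policy is a bypass rule matching everything, and it uses constructed sample addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPsecPolicy:
    name: str
    priority: int   # assumption: lower number = evaluated first
    action: str     # "apply" (send into the tunnel) or "bypass" (leave in clear)
    local: str      # module-side address/network, e.g. "10.1.1.1/32", or "any"
    remote: str     # remote-side address/network, or "any"
    protocol: str   # "gre", "tcp", "udp" or "any"


# Stand-in for the module's built-in default policy: matches everything, bypasses.
DEFAULT_POLICY = IPsecPolicy("default", 65535, "bypass", "any", "any", "any")


def _addr_in(net: str, addr: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def selector_matches(p: IPsecPolicy, local_ip: str, remote_ip: str, proto: str) -> bool:
    return (_addr_in(p.local, local_ip) and _addr_in(p.remote, remote_ip)
            and p.protocol in ("any", proto))


def first_match(policies, local_ip, remote_ip, proto):
    """Return the highest-priority policy whose selector matches the flow, or None."""
    for p in sorted(policies, key=lambda pol: pol.priority):
        if selector_matches(p, local_ip, remote_ip, proto):
            return p
    return None


def preflight(policies, module_ip: str, admin_ip: str) -> list:
    """List problems with a proposed policy set; an empty list means safe to apply."""
    problems = []
    for p in policies:
        if p.priority >= DEFAULT_POLICY.priority:
            problems.append(f"{p.name}: priority is not higher than the default policy")
    # Would HTTPS management traffic between the admin host and the module be tunnelled?
    hit = first_match([*policies, DEFAULT_POLICY], module_ip, admin_ip, "tcp")
    if hit is not None and hit.action == "apply":
        problems.append(f"{hit.name}: would force management traffic into the tunnel (lock-out)")
    return problems


# Constructed sample: module management address, admin workstation, remote GRE endpoint.
MODULE_IP, ADMIN_IP, PEER_IP = "10.1.1.1", "10.1.1.50", "203.0.113.5"
GOOD = IPsecPolicy("gre-to-branch", 10, "apply", f"{MODULE_IP}/32", f"{PEER_IP}/32", "gre")
BAD = IPsecPolicy("gre-to-branch", 10, "apply", f"{MODULE_IP}/32", "any", "any")
```

Running preflight([GOOD], MODULE_IP, ADMIN_IP) returns no problems, while the same policy with protocol "any" reports the lock-out before it is committed.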