About IPsec Policies

IPsec policies specify the settings for an IPsec SA (Security Association), that is, the actual VPN connection. The Threat Management Services (TMS) zl Module can establish the IPsec SA using IKE or using keys that you specify manually.

You configure the following parameters for each IPsec policy:

Action

How the traffic in the traffic selector should be treated.

  • Apply — The traffic is forwarded to its destination and is secured with the IPsec SA.

  • Bypass — The traffic is forwarded to its destination without being tunneled through the VPN.

  • Ignore — The traffic is discarded.

You can use Bypass or Ignore policies to select subsets of the traffic that is included in an Apply policy.

You can also use an Apply policy to select subsets of Bypass or Ignore traffic.

Direction

Bypass and Ignore only. Specify Inbound, Outbound, or Both for the traffic direction that is affected by the action.

Position

The position determines the order in which the TMS zl Module processes IPsec policies. When a packet arrives at the VPN engine, the module checks the traffic selector on the IPsec policies to see if the packet matches the traffic selector, starting with the policy with the lowest numerical position.

The position matters most if two or more policies have overlapping traffic selectors. In this case, assign the lowest numerical position to the IPsec policy with the most specific traffic selector.

A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, every IPsec policy that you configure must have a higher priority (a lower numerical position) than this default policy.

Traffic Selector

These fields specify which traffic will use the VPN tunnel.

  • Service — The services that are allowed to pass through the VPN. Select Any to allow all traffic types, or select a protocol: ICMP (Internet Control Message Protocol), TCP, or UDP. You can also select an IANA Internet protocol, but service objects and service groups are not valid for this field.

  • Local Address — The local IP address of the traffic that is allowed to pass through the VPN. You can type the IP addresses manually or you can select named objects. (If you plan to use IKE mode config, you cannot select a named object or Any for the local address.)

  • Local Port — This field appears only if you selected TCP or UDP for Service. This is the local port number of the traffic that is allowed to pass through the VPN. Leave the Port field empty to specify all ports.

  • Remote Address — The remote IP address of the traffic that is allowed to pass through the VPN. You can type the IP addresses manually or you can select named objects.

  • Remote Port — This field appears only if you selected TCP or UDP for Service. This is the remote port number of the traffic that is allowed to pass through the VPN. Leave the Port field empty to specify all ports.

  • ICMP Type — This field appears only if you selected ICMP for Service. If you select Echo or Timestamp, you must use manual key configuration instead of IKE.


If your traffic selector will include management traffic, you must configure a Bypass policy with top priority that selects the management traffic, or you will be locked out of the Web browser interface. If you do lock yourself out, access the module through the CLI, save the startup-config, then erase the startup-config. When the module has rebooted, restore the saved startup-config, then reconfigure the management-access VLAN and IP address to regain HTTPS access.
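As an added illustration (not code from the TMS zl Module or from this guide), the following Python simulates the first-match evaluation described above: policies are tried in ascending position, the first policy whose traffic selector (and, for Bypass and Ignore, direction) matches decides the action, and a catch-all default at the bottom stands in for the default policy. The subnets, ports and positions are constructed sample values, and the default policy is modelled as a Bypass on the assumption that "prevents encryption" means the traffic is forwarded untunnelled. The last function checks the lockout condition from the paragraph above: whether management traffic would reach an Apply policy before a Bypass.

```python
"""Added example: first-match evaluation of IPsec policies ordered by position.

Not code from the TMS zl Module; selectors, addresses and positions below
are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "any"


@dataclass(frozen=True)
class Packet:
    service: str                      # "icmp", "tcp" or "udp"
    local: str                        # local IP address
    remote: str                       # remote IP address
    local_port: Optional[int] = None
    remote_port: Optional[int] = None
    direction: str = "outbound"       # "inbound" or "outbound"


@dataclass(frozen=True)
class Selector:
    service: str = ANY                # "any" or a protocol name
    local: str = ANY                  # "any" or a network in CIDR form
    local_port: Optional[int] = None  # None means all ports
    remote: str = ANY
    remote_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.service != ANY and self.service != pkt.service:
            return False
        if self.local != ANY and ip_address(pkt.local) not in ip_network(self.local):
            return False
        if self.remote != ANY and ip_address(pkt.remote) not in ip_network(self.remote):
            return False
        if self.local_port is not None and self.local_port != pkt.local_port:
            return False
        if self.remote_port is not None and self.remote_port != pkt.remote_port:
            return False
        return True


@dataclass(frozen=True)
class Policy:
    position: int                     # lower number is evaluated first
    action: str                       # "apply", "bypass" or "ignore"
    selector: Selector
    direction: str = "both"           # Bypass/Ignore only: "inbound", "outbound", "both"

    def applies_to(self, pkt: Packet) -> bool:
        if self.action != "apply" and self.direction not in ("both", pkt.direction):
            return False
        return self.selector.matches(pkt)


# Assumption: the default policy is modelled as a catch-all Bypass at the
# largest position; the page only states that it prevents encryption.
DEFAULT_POLICY = Policy(position=10**9, action="bypass", selector=Selector())


def evaluate(policies: List[Policy], pkt: Packet) -> Policy:
    """Return the first policy, in ascending position, whose selector matches."""
    for pol in sorted(policies, key=lambda p: p.position):
        if pol.applies_to(pkt):
            return pol
    return DEFAULT_POLICY


def management_lockout_risk(policies: List[Policy], mgmt_pkt: Packet) -> bool:
    """True if management traffic would be tunnelled (Apply) instead of bypassed."""
    return evaluate(policies, mgmt_pkt).action == "apply"


# Constructed sample: 10.0.0.0/24 is the local site, 192.168.1.0/24 the remote
# site, and 10.0.0.1 is the module's management address.
POLICIES = [
    # Top priority: keep HTTPS to the management address out of the tunnel.
    Policy(1, "bypass", Selector("tcp", "10.0.0.1/32", 443)),
    # A subset of the Apply traffic that is discarded: ICMP between the sites.
    Policy(10, "ignore", Selector("icmp", "10.0.0.0/24", None, "192.168.1.0/24")),
    # Broadest selector last: everything else between the sites is encrypted.
    Policy(20, "apply", Selector(ANY, "10.0.0.0/24", None, "192.168.1.0/24")),
]

# Management session from an administrator at the remote site (constructed).
MGMT = Packet("tcp", "10.0.0.1", "192.168.1.20", 443, 51515, "inbound")

if __name__ == "__main__":
    for pkt in (MGMT,
                Packet("tcp", "10.0.0.7", "192.168.1.9", 40000, 22),
                Packet("icmp", "10.0.0.7", "192.168.1.9"),
                Packet("udp", "10.0.0.7", "198.51.100.5", 40001, 53)):
        print(pkt.service, pkt.local, "->", pkt.remote, "=>", evaluate(POLICIES, pkt).action)
    print("lockout risk without the bypass policy:",
          management_lockout_risk([p for p in POLICIES if p.action != "bypass"], MGMT))
```

Removing the position-1 Bypass from the sample list makes `management_lockout_risk` return True for the administrator's HTTPS session, which is exactly the situation the paragraph above warns about; the module would try to tunnel the session instead of answering it directly.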

IPsec Proposal

IPsec proposals are configured on VPN > IPsec > IPsec Proposals. They specify the IPsec encapsulation mode, IPsec protocol, and the authentication and encryption algorithms that secure the VPN connection. This field appears only if the Action is Apply.

Key Management

  • Automatic — Keys are managed automatically with IKEv1 policies, which are configured on VPN > IPsec > IKEv1 Policies.

  • Manual — Keys are manually input on both ends of the VPN tunnel.

SA Lifetime

You must specify a value for at least one of these options.

  • Seconds — This setting specifies how long the IPsec SA remains open. When the lifetime of the SA reaches 80 percent of the total lifetime, the TMS zl Module checks whether the SA has experienced any activity. If it has, it negotiates a new SA and then deletes the old SA. If the SA is inactive, the module waits for the complete lifetime to expire, and if the SA is still inactive, it deletes the SA.

  • Kilobytes — This setting specifies when an SA expires based on the amount of data that has passed through it. (The more traffic is sent under one key, the more ciphertext an attacker can collect, and the better the chance of cracking that key.)

The TMS zl Module checks an IPsec SA for inactivity when the SA has transmitted and received 80 percent of the allowed data volume in kilobytes. If the SA is active, the module renegotiates it, deleting the old SA when the new one is established. The module deletes an inactive SA if it is still inactive when the total lifetime in kilobytes is reached.

If you specify the SA lifetime both in seconds and in kilobytes, the module checks the SA for activity when the first limit is reached.
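The lifetime rules above, as an added example that is not part of this guide or the module's own code: a small state model in Python in which progress towards the Seconds and Kilobytes limits is tracked, the activity check fires at 80 percent of whichever limit is reached first, an active SA is renegotiated, and an SA that is still idle at the full lifetime is deleted. The 80 percent threshold and the outcomes come from the page; the traffic figures in the sample runs are constructed, and the handling of an SA that becomes active only after the 80 percent check (renegotiate rather than delete) is an assumption, since the page states only the still-inactive case.

```python
"""Added example: the SA lifetime check described above, as a small state model.

Not code from the TMS zl Module; the threshold comes from the page and the
traffic figures in the sample runs are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CHECK_FRACTION = 0.8   # activity check at 80 percent of the lifetime


@dataclass
class IpsecSA:
    lifetime_s: Optional[int] = None   # None = Seconds not configured
    lifetime_kb: Optional[int] = None  # None = Kilobytes not configured
    elapsed_s: int = 0
    transferred_kb: int = 0
    active: bool = False               # traffic seen since establishment or last check
    checked: bool = False              # the 80 percent check has been performed


def fraction_used(sa: IpsecSA) -> float:
    """Progress towards whichever configured limit is reached first."""
    fractions = []
    if sa.lifetime_s is not None:
        fractions.append(sa.elapsed_s / sa.lifetime_s)
    if sa.lifetime_kb is not None:
        fractions.append(sa.transferred_kb / sa.lifetime_kb)
    if not fractions:
        raise ValueError("at least one of Seconds or Kilobytes must be set")
    return max(fractions)


def decide(sa: IpsecSA) -> str:
    """Return "keep", "renegotiate" or "delete" for the SA's current state."""
    used = fraction_used(sa)
    if used < CHECK_FRACTION:
        return "keep"
    if not sa.checked:
        sa.checked = True
        if sa.active:
            return "renegotiate"   # new SA negotiated, old one deleted once it is up
        return "keep"              # inactive: wait for the full lifetime to expire
    if used >= 1.0:
        # Assumption: an SA that became active after the 80 percent check is
        # renegotiated; the page only states the still-inactive case.
        return "renegotiate" if sa.active else "delete"
    return "keep"


def simulate(lifetime_s: Optional[int], lifetime_kb: Optional[int],
             samples: List[Tuple[int, int]]) -> List[Tuple[int, str]]:
    """Walk (elapsed_s, kb_since_last_sample) pairs and record each verdict."""
    sa = IpsecSA(lifetime_s, lifetime_kb)
    log = []
    for elapsed, kb in samples:
        sa.elapsed_s = elapsed
        sa.transferred_kb += kb
        sa.active = sa.active or kb > 0
        verdict = decide(sa)
        log.append((elapsed, verdict))
        if verdict != "keep":
            break    # the SA is replaced or removed; nothing more to track
    return log


if __name__ == "__main__":
    # Constructed traffic profiles against a 3600-second lifetime.
    print("busy SA:", simulate(3600, None, [(1800, 500), (2900, 500)]))
    print("idle SA:", simulate(3600, None, [(1800, 0), (2900, 0), (3600, 0)]))
    print("idle, then busy:", simulate(3600, None, [(2900, 0), (3300, 100), (3600, 0)]))
    # Both limits set: the Kilobytes limit is reached first here.
    print("kb limit first:", simulate(3600, 100000, [(600, 81000)]))
```

The `max` in `fraction_used` is what implements the rule that the check happens when the first limit is reached: with both Seconds and Kilobytes configured, the SA is checked as soon as either one passes 80 percent.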

IKE Mode Config

A pool of addresses on your private network that will be assigned to remote users while they are on the VPN. You also specify at least one DNS server and, if desired, WINS servers.

Advanced Settings

In most cases, you should use the default values for these settings. To learn more, see this page.