For your VPN to function properly, the Threat Management Services (TMS) zl Module requires a route to the remote VPN gateway (for a site-to-site VPN) or to the remote endpoints (for a client-to-site VPN). Configuring a static route is
To see detailed instructions for configuring IPsec VPNs on the TMS zl Module (including an explanation for the figure below), click here. To see detailed instructions for configuring L2TP VPNs on the TMS zl Module (including an explanation for the figure below), click here.
If the TMS zl Module's default gateway is the next-hop router for the VPN tunnel's path, you will usually not need to configure any other static routes. If the default gateway is not the next hop, you may need to change the TMS zl Module's default gateway so that it is the next hop, then configure another static route to replace the old default gateway. In other words, the route’s forwarding interface should be the interface with the IP address that you specified as the local gateway address. In a site-to-site VPN, the TMS zl Module may also require a route to the remote endpoints that are beyond the gateway.
In the figure above, two VPNs are shown: one site-to-site and one client-to-site. For the site-to-site VPN, the IKE policy specifies 172.17.1.99 as the local gateway and the remote gateway as 192.168.1.99. Because the default gateway (0.0.0.0) is the next-hop router on the VPN path, you probably would not need to add another static route. However, if you have trouble with the VPN, you might need to add a route to 10.1.55.0/24 through 172.17.1.1.
For the client-to-site VPN, the IKE policy specifies 172.17.1.99 as the local gateway and the remote clients are on the subnet 172.22.3.0/24. Again, the default gateway should be sufficient, but if it is not, you might need to add a static route to 172.22.3.0/24.
Configure static routes on Network > Routing > Static Routes.
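The routing check described above can be worked through offline before changing the module. The following is an added example, not HP documentation or TMS zl Module code: it does a longest-prefix match over a routing table and reports which VPN destinations would leave through an interface other than the one holding the local gateway address. The interface names, the /24 masks, the 10.1.1.0/24 network and the off-path gateway 10.1.1.254 are assumptions made for the example.

```python
import ipaddress as ip

# Addresses come from the page; the /24 masks, interface names and the
# 10.1.1.0/24 side are assumptions made for this example.
INTERFACES = {"vlan_wan": ip.ip_interface("172.17.1.99/24"),
              "vlan_lan": ip.ip_interface("10.1.1.1/24")}
LOCAL_GATEWAY = ip.ip_address("172.17.1.99")  # local gateway in the IKE policy
VPN_DESTINATIONS = {"remote gateway": "192.168.1.99/32",
                    "remote site subnet": "10.1.55.0/24",
                    "remote client subnet": "172.22.3.0/24"}

def egress_interface(dest, static_routes):
    """Longest-prefix match; returns the forwarding interface name or None."""
    dest_net = ip.ip_network(dest)
    candidates = [(i.network, name) for name, i in INTERFACES.items()]
    for prefix, next_hop in static_routes:
        hop = ip.ip_address(next_hop)
        # A static route is usable only if its next hop is directly connected.
        for name, iface in INTERFACES.items():
            if hop in iface.network:
                candidates.append((ip.ip_network(prefix), name))
    matches = [(net.prefixlen, name) for net, name in candidates
               if dest_net.subnet_of(net)]
    return max(matches)[1] if matches else None

def misrouted(static_routes):
    """VPN destinations not forwarded out of the local gateway's interface."""
    want = next(n for n, i in INTERFACES.items() if i.ip == LOCAL_GATEWAY)
    return sorted(label for label, dest in VPN_DESTINATIONS.items()
                  if egress_interface(dest, static_routes) != want)

# Case 1: the default gateway 172.17.1.1 is the next hop on the VPN path.
DEFAULT_ON_PATH = [("0.0.0.0/0", "172.17.1.1")]
# Case 2 (constructed): the default gateway sits behind another interface.
DEFAULT_OFF_PATH = [("0.0.0.0/0", "10.1.1.254")]
# Case 2 with explicit static routes to each VPN destination via 172.17.1.1.
CORRECTED = DEFAULT_OFF_PATH + [(dest, "172.17.1.1")
                                for dest in VPN_DESTINATIONS.values()]

if __name__ == "__main__":
    for name, table in [("default on path", DEFAULT_ON_PATH),
                        ("default off path", DEFAULT_OFF_PATH),
                        ("corrected", CORRECTED)]:
        print(f"{name}: misrouted = {misrouted(table)}")
```

An empty result means every VPN destination is forwarded out of the interface that owns the local gateway address, which is the condition the text gives for the route's forwarding interface.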