Configuring firewall access policies for the VPN is step 6 in configuring an IPsec VPN with IKE. To see all of the steps to configure an IPsec VPN with IKE, including an explanation of the figure below, click here.

Before you begin configuring firewall access policies, determine the zone for the remote VPN gateway. Typically, this is EXTERNAL, but it could be another zone. The instructions below will refer to this zone as the remote zone.
You should also determine the zone for the local endpoints that are allowed to use the VPN. This might be INTERNAL or another zone. The instructions below will refer to this zone as the local zone.
Then follow these steps:

- Configure an access policy to allow IKE messages from the remote gateway:
  - Select Firewall > Access Policies > Unicast.
  - Click Add a Policy.
  - For Action, accept the default: Permit Traffic.
  - For From, select the remote zone.
  - For To, select SELF.
  - For Service, select isakmp.
  - For Source, specify the IP address that you configured for the remote gateway. You can select a previously configured address object or type the IP address manually. (Click Options and select Enter custom IP, IP/mask or IP-Range.)
  - For Destination, accept the default, Any Address, or specify the IP address that you configured for the local gateway.
  - Select the Enable logging on this Policy check box.

    Note: Because policy logging is processor-intensive, it is not recommended that you enable logging permanently. Use policy logging for troubleshooting and testing only.

  - Click Apply.
- Configure an access policy to allow IKE messages to the remote gateway:
  - For Action, accept the default: Permit Traffic.
  - For From, select SELF.
  - For To, select the remote zone.
  - For Service, select isakmp.
  - For Source, accept the default, Any Address, or specify the IP address that you configured for the local gateway.
  - For Destination, specify the IP address that you configured for the remote gateway.
  - Click Apply.
- Create an access policy to permit traffic from the local endpoints to the remote endpoints:
  - For Action, accept the default: Permit Traffic.
  - For From, select the local zone.
  - For To, select the remote zone.
  - For Service, accept the default, Any Service. You could also permit only certain types of traffic.
  - For Source, specify the local IP addresses that are allowed to send traffic on the VPN, either with a single-entry address object or by typing the address manually. (Click Options and select Enter custom IP, IP/mask or IP-Range.)
  - For Destination, specify the remote IP addresses that are allowed on the VPN connection. Again, you can select an address object that was used in the IPsec policy traffic selector.
  - Click Apply.
- Create an access policy to permit traffic from the remote endpoints to the local endpoints:
  - For Action, accept the default: Permit Traffic.
  - For From, select the remote zone.
  - For To, select the local zone.
  - For Service, accept the default, Any Service. You could also permit only certain types of traffic.
  - For Source, specify the remote IP addresses that are allowed to send traffic on the VPN, either with a single-entry address object or by typing the address manually. (Click Options and select Enter custom IP, IP/mask or IP-Range.)
  - For Destination, specify the local addresses.
  - Click Apply.
- Click Close.
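The four policies above are easy to get subtly wrong: a rule can be missing, a broader deny placed above it can shadow it (firewalls evaluate access policies top-down, first match wins), or the troubleshooting-only logging flag can be left on. The following script is an added example, not code from the original page or from the firewall vendor; it models policies as a constructed `Policy` dataclass (the vendor's own configuration format and API are not used or assumed) and audits a policy list for the IKE and data-plane rules the procedure creates. The zone names, gateway addresses and subnets in the sample are constructed test values.

```python
"""Added example: audit a unicast access-policy list for the four policies an
IPsec/IKE site-to-site VPN needs.  The Policy model and all sample values are
constructed for illustration; they are not the firewall vendor's format or API."""

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Policy:
    """One unicast access policy (constructed model)."""
    action: str        # "permit" or "deny"
    src_zone: str      # "EXTERNAL", "INTERNAL", ... or "SELF" for the gateway itself
    dst_zone: str
    service: str       # "isakmp", "any", ...
    source: str        # single IP, CIDR, or "any"
    destination: str
    logging: bool = False


def _covers(selector: str, address: str) -> bool:
    """True when a policy address selector contains the given host or network."""
    if selector.lower() == "any":
        return True
    return ip_network(address, strict=False).subnet_of(ip_network(selector, strict=False))


def first_match(policies, src_zone, dst_zone, service, source, destination):
    """First-match lookup, mirroring top-down policy evaluation: a deny that sits
    above the intended permit is returned instead of the permit (shadowing).
    service=None accepts any service, for data rules that may be narrowed."""
    for p in policies:
        if (p.src_zone == src_zone and p.dst_zone == dst_zone
                and (service is None or p.service.lower() in (service.lower(), "any"))
                and _covers(p.source, source)
                and _covers(p.destination, destination)):
            return p
    return None


def audit_vpn_policies(policies, remote_zone, local_zone,
                       remote_gw, local_gw, local_net, remote_net):
    """Check that the IKE-in, IKE-out, data-out and data-in policies exist and
    resolve to a permit, and report permits that still have logging enabled.
    Returns {'missing': [...], 'denied': [...], 'logging': [...], 'ok': bool}."""
    required = {
        "ike-in":   (remote_zone, "SELF", "isakmp", remote_gw, local_gw),
        "ike-out":  ("SELF", remote_zone, "isakmp", local_gw, remote_gw),
        "data-out": (local_zone, remote_zone, None, local_net, remote_net),
        "data-in":  (remote_zone, local_zone, None, remote_net, local_net),
    }
    report = {"missing": [], "denied": [], "logging": []}
    for name, (sz, dz, svc, src, dst) in required.items():
        hit = first_match(policies, sz, dz, svc, src, dst)
        if hit is None:
            report["missing"].append(name)
        elif hit.action.lower() != "permit":
            report["denied"].append(name)          # shadowed by an earlier deny
        elif hit.logging:
            report["logging"].append(name)         # hygiene warning, not a failure
    report["ok"] = not (report["missing"] or report["denied"])
    return report


# Constructed sample values (documentation ranges, not real hosts).
REMOTE_GW = "203.0.113.10"
LOCAL_GW = "198.51.100.1"
LOCAL_NET = "10.1.0.0/24"
REMOTE_NET = "10.2.0.0/24"

SAMPLE_POLICIES = [
    Policy("permit", "EXTERNAL", "SELF", "isakmp", REMOTE_GW, LOCAL_GW, logging=True),
    Policy("permit", "SELF", "EXTERNAL", "isakmp", LOCAL_GW, REMOTE_GW),
    Policy("permit", "INTERNAL", "EXTERNAL", "any", LOCAL_NET, REMOTE_NET),
    # A catch-all deny placed above the data-in permit shadows it.
    Policy("deny", "EXTERNAL", "INTERNAL", "any", "any", "any"),
    Policy("permit", "EXTERNAL", "INTERNAL", "any", REMOTE_NET, LOCAL_NET),
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(audit_vpn_policies(SAMPLE_POLICIES, "EXTERNAL", "INTERNAL",
                              REMOTE_GW, LOCAL_GW, LOCAL_NET, REMOTE_NET))
```

Run against the sample list, the audit reports the data-in policy as denied (the catch-all deny above it wins) and the IKE-in policy as still logging; moving the deny below the permit and clearing the logging flag produces a clean report.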