Configuring firewall access policies for the VPN is step 4 in configuring an IPsec VPN with manual keying. The complete procedure, including an explanation of the figure that accompanies it, is described in the overview of configuring an IPsec VPN with manual keying.

Before you begin configuring firewall access policies, determine the zone on the local VPN gateway through which the remote VPN endpoints are reached. Typically, this is EXTERNAL, but it could be another zone. The instructions below will refer to this zone as the remote zone.
You should also determine the zone for local endpoints that are allowed to use the VPN. This might be INTERNAL or another zone. The instructions below will refer to this zone as the local zone.
Then follow these steps:

- Create an access policy to permit traffic from the local endpoints to the remote endpoints:
  - Select Firewall > Access Policies > Unicast.
  - For Action, accept the default, Permit Traffic.
  - For From, select the local zone.
  - For To, select the remote zone.
  - For Service, accept the default, Any Service, or permit only the services the remote site actually needs. A narrower service list limits what can cross the tunnel if a host on the far side is compromised.
  - For Source, specify the local IP addresses that are allowed to send traffic on the VPN, either with a single-entry address object or by typing the address manually (click Options and select Enter custom IP, IP/mask or IP-Range).
  - For Destination, specify the remote IP addresses allowed on the VPN connection. You can select the address object that you used in the IPsec policy traffic selector.
  - Select the Enable logging on this Policy check box.

    Note: Because policy logging is processor-intensive, do not leave it enabled permanently. Use policy logging for troubleshooting and testing only, and clear the check box once the VPN is working.
  - Click Apply.
- Create an access policy to permit traffic from the remote endpoints to the local endpoints:
  - For Action, accept the default, Permit Traffic.
  - For From, select the remote zone.
  - For To, select the local zone.
  - For Service, accept the default, Any Service, or permit only the same services you allowed in the first policy.
  - For Source, specify the remote IP addresses allowed to send traffic on the VPN, either with a single-entry address object or by typing the address manually (click Options and select Enter custom IP, IP/mask or IP-Range).
  - For Destination, specify the local addresses (the same addresses you used as the Source of the first policy).
  - Click Apply.
- Click Close.
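The two access policies only do their job if their zones and addresses line up with the IPsec policy's traffic selector: addresses that the firewall permits but the selector does not cover are routed normally rather than through the tunnel, and a reverse policy that does not mirror the forward one leaves some endpoints reachable in one direction only. The following is an added example of such a consistency check; it is not part of this page or the firewall's own tooling. The TrafficSelector and AccessPolicy classes, the zone names and all addresses are assumed for illustration and would have to be populated from your own exported configuration.

```python
"""Consistency check between an IPsec policy's traffic selector and the pair of
firewall access policies that must permit the tunnelled traffic.

Added example. The data model (TrafficSelector, AccessPolicy), the zone names
and the addresses below are assumptions made for illustration; they are not the
firewall's own configuration format or API.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class TrafficSelector:
    local: Network   # local endpoints covered by the IPsec policy
    remote: Network  # remote endpoints covered by the IPsec policy


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    from_zone: str
    to_zone: str
    source: Network
    destination: Network
    service: str = "Any Service"
    logging: bool = False


def check_vpn_policies(selector: TrafficSelector, local_zone: str, remote_zone: str,
                       outbound: AccessPolicy, inbound: AccessPolicy
                       ) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Empty errors means the pair is consistent."""
    errors: List[str] = []
    warnings: List[str] = []

    def expect_zones(p: AccessPolicy, frm: str, to: str) -> None:
        if (p.from_zone, p.to_zone) != (frm, to):
            errors.append(f"{p.name}: From/To must be {frm} -> {to}, "
                          f"got {p.from_zone} -> {p.to_zone}")

    def expect_within(p: AccessPolicy, field: str, net: Network,
                      sel: Network, side: str) -> None:
        # Anything permitted here but outside the selector is not matched by
        # the IPsec policy, so it would be forwarded outside the tunnel.
        if not net.subnet_of(sel):
            errors.append(f"{p.name}: {field} {net} is not within the "
                          f"{side} traffic selector {sel}")

    # Zones: the outbound policy is local -> remote, the inbound one its mirror.
    expect_zones(outbound, local_zone, remote_zone)
    expect_zones(inbound, remote_zone, local_zone)

    # Addresses: both policies must stay inside the traffic selector.
    expect_within(outbound, "Source", outbound.source, selector.local, "local")
    expect_within(outbound, "Destination", outbound.destination, selector.remote, "remote")
    expect_within(inbound, "Source", inbound.source, selector.remote, "remote")
    expect_within(inbound, "Destination", inbound.destination, selector.local, "local")

    # Mirror check: the inbound policy should cover the same address pair reversed.
    if (inbound.source, inbound.destination) != (outbound.destination, outbound.source):
        warnings.append(f"{inbound.name} does not mirror {outbound.name}: some "
                        f"endpoints are permitted in one direction only")

    # Hygiene: broad services and permanent logging are both worth flagging.
    for p in (outbound, inbound):
        if p.service == "Any Service":
            warnings.append(f"{p.name}: permits Any Service; restrict it to the "
                            f"services the remote site needs")
        if p.logging:
            warnings.append(f"{p.name}: policy logging is enabled; disable it "
                            f"once testing is complete")
    return errors, warnings


# Constructed sample data (assumed, not taken from a real firewall).
SELECTOR = TrafficSelector(ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"))
OUTBOUND = AccessPolicy("vpn-out", "INTERNAL", "EXTERNAL",
                        ip_network("10.1.0.0/24"), ip_network("10.2.0.0/24"), logging=True)
INBOUND = AccessPolicy("vpn-in", "EXTERNAL", "INTERNAL",
                       ip_network("10.2.0.0/24"), ip_network("10.1.0.0/24"))
# Wrong zone and a destination wider than the selector: both are errors.
BAD_INBOUND = AccessPolicy("vpn-in-bad", "DMZ", "INTERNAL",
                           ip_network("10.2.0.0/24"), ip_network("10.1.0.0/16"))

if __name__ == "__main__":
    for name, inb in (("good pair", INBOUND), ("bad pair", BAD_INBOUND)):
        errs, warns = check_vpn_policies(SELECTOR, "INTERNAL", "EXTERNAL", OUTBOUND, inb)
        print(name, "errors:", errs, "warnings:", warns)
```

The check is deliberately strict about containment rather than equality: a policy narrower than the selector is fine (it just permits a subset of the tunnel), while a policy wider than the selector is the case that lets traffic bypass IPsec.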