IPsec VPN Parameters: Diagram

The figures below show many of the parameters that you need to configure for an IPsec VPN. See this page for a list of all parameters and where they are configured.

How to Configure an IPsec VPN

VPN Type

The figure below shows the two types of IPsec VPNs that you can configure on the Threat Management Services (TMS) zl Module. The site-to-site VPN links two VPN gateways, usually on different physical sites, and the client-to-site VPN links a remote client with a LAN.

  1. Site-to-Site or Client-to-Site

VPN Addresses

The figure below shows the various addresses and IDs that you might have to configure on your IPsec VPN.


  1. Local ID (TMS zl Module)

  2. Private Local Gateway Address in the EXTERNAL zone

  3. Public (NAT) Local Gateway Address in the SELF zone

  4. Remote ID (VPN Client)

  5. Public Remote Interface Address (VPN Client)

  6. Remote ID (VPN Gateway)

  7. Public Remote Gateway Address (VPN Client)

  8. Destination Addresses and Ports

  9. Source Addresses and Ports

IKE SA Parameters

The figure below shows the parameters for the IKE (Internet Key Exchange) SA (Security Association).

  1. IKE Encryption Algorithm and Key

  2. IKE Authentication Method (PSK or Certificate)

  3. DH (Diffie-Hellman) Group

  4. IKE Authentication Algorithm

IPsec SA Parameters

The figure below shows the parameters for the IPsec SA.

  1. IPsec Encapsulation Mode (Tunnel or Transport)

  2. IPsec Security Protocol (AH, Authentication Header, or ESP, Encapsulating Security Payload)

  3. IPsec Encryption Algorithm

  4. IPsec Authentication Algorithm
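As an added illustration (not part of the HP documentation and not the TMS zl Module's own configuration syntax), the Python check below represents the IKE SA parameters (items 1-4 of the IKE SA figure) and the IPsec SA parameters (items 1-4 of the IPsec SA figure) and flags the choices a reviewer would question: weak ciphers, small DH groups, MD5, a short pre-shared key, AH without confidentiality, and transport mode on a site-to-site VPN. The algorithm labels, the 20-character PSK threshold and the two sample proposals are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Generic algorithm labels chosen for this illustration; they are not the
# exact option strings shown on the TMS zl Module's VPN configuration screens.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass
class IkeSa:
    """IKE SA parameters, in the order of the IKE SA figure."""
    encryption: str            # 1. IKE encryption algorithm
    auth_method: str           # 2. "psk" or "certificate"
    dh_group: int              # 3. Diffie-Hellman group number
    auth_algorithm: str        # 4. IKE authentication (hash) algorithm
    psk: Optional[str] = None  # only meaningful when auth_method == "psk"


@dataclass
class IpsecSa:
    """IPsec SA parameters, in the order of the IPsec SA figure."""
    mode: str                  # 1. "tunnel" or "transport"
    protocol: str              # 2. "ah" or "esp"
    encryption: Optional[str]  # 3. IPsec encryption algorithm (None with AH)
    auth_algorithm: str        # 4. IPsec authentication algorithm


def check_ike_sa(sa: IkeSa) -> List[str]:
    """Return review findings for the IKE (phase 1) proposal."""
    findings = []
    if sa.encryption.lower() in WEAK_ENCRYPTION:
        findings.append(f"IKE: weak encryption algorithm {sa.encryption}")
    if sa.dh_group in WEAK_DH_GROUPS:
        findings.append(f"IKE: DH group {sa.dh_group} is too small for current guidance")
    if sa.auth_algorithm.lower() in WEAK_HASH:
        findings.append(f"IKE: weak authentication algorithm {sa.auth_algorithm}")
    if sa.auth_method == "psk":
        # With PSK authentication the key itself is the weak point, so its
        # length is checked; 20 characters is this example's constructed minimum.
        if not sa.psk or len(sa.psk) < 20:
            findings.append("IKE: pre-shared key is missing or shorter than 20 characters")
    elif sa.auth_method != "certificate":
        findings.append(f"IKE: unknown authentication method {sa.auth_method}")
    return findings


def check_ipsec_sa(sa: IpsecSa, vpn_type: str) -> List[str]:
    """Return review findings for the IPsec (phase 2) proposal."""
    findings = []
    if sa.protocol == "ah":
        findings.append("IPsec: AH authenticates but does not encrypt; use ESP for confidentiality")
    elif sa.protocol == "esp":
        if sa.encryption is None or sa.encryption.lower() in WEAK_ENCRYPTION:
            findings.append(f"IPsec: ESP with weak or null encryption ({sa.encryption})")
    else:
        findings.append(f"IPsec: unknown security protocol {sa.protocol}")
    if sa.auth_algorithm.lower() in WEAK_HASH:
        findings.append(f"IPsec: weak authentication algorithm {sa.auth_algorithm}")
    if sa.mode == "transport" and vpn_type == "site-to-site":
        # Transport mode protects only packets the gateways themselves originate;
        # traffic forwarded between the two LANs needs tunnel mode.
        findings.append("IPsec: site-to-site VPN should use tunnel mode, not transport mode")
    elif sa.mode not in ("tunnel", "transport"):
        findings.append(f"IPsec: unknown encapsulation mode {sa.mode}")
    return findings


def check_vpn(vpn_type: str, ike: IkeSa, ipsec: IpsecSa) -> List[str]:
    """Combine IKE SA and IPsec SA findings for one VPN definition."""
    return check_ike_sa(ike) + check_ipsec_sa(ipsec, vpn_type)


# Constructed sample proposals: one with weak settings, one hardened.
WEAK = ("site-to-site",
        IkeSa("3des", "psk", 2, "md5", psk="secret"),
        IpsecSa("transport", "esp", "des", "md5"))
HARDENED = ("site-to-site",
            IkeSa("aes256", "certificate", 14, "sha256"),
            IpsecSa("tunnel", "esp", "aes256", "sha256"))

if __name__ == "__main__":
    for label, (vpn_type, ike, ipsec) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_vpn(vpn_type, ike, ipsec) or ["no findings"])
```

Running the block reports seven findings for the weak proposal and none for the hardened one; the point is that every item in the two parameter figures is a place where a single weak choice undermines the whole tunnel, so each one is worth a separate check.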