Configuring firewall access policies for the VPN is step 6 in configuring a client-to-site IPsec VPN with IKE. To see all of the steps to configure a client-to-site IPsec VPN with IKE, including an explanation of the figure below, click here.

Before you begin configuring firewall access policies, determine the zone for the local VPN gateway. Typically, this is EXTERNAL, but it could be another zone. The instructions below will refer to this zone as the remote zone.
You should also determine the zone for the local endpoints that are allowed on the VPN. This might be INTERNAL or another zone. The instructions below will refer to this zone as the local zone.
Optional: If you have configured IKE mode config, determine the zone that you selected for Firewall Zone on Step 3 of 4 of the IPsec policy. Again, this zone can be EXTERNAL or another zone. These instructions will refer to this zone as the IKE mode config zone.
Then follow these steps:
- Configure an access policy to allow IKE messages from the remote endpoints.
  - Select Firewall > Access Policies > Unicast.
  - Click Add a Policy.
  - For Action, accept the default: Permit Traffic.
  - For From, select the remote zone.
  - For To, select SELF.
  - For Service, select isakmp.
  - For Source, accept the default, Any Address.
  - For Destination, accept the default, Any Address, or specify the IP address that you configured for the local gateway.
  - Select the Enable logging on this Policy check box.

    Note: Because policy logging is processor-intensive, it is not recommended that you enable logging permanently. Use policy logging for troubleshooting and testing only.

  - Click Apply.
No IKE Mode Config
If you did not configure IKE mode config, follow these next two steps. Otherwise, skip to the next section.
- Create an access policy to permit traffic from the local endpoints to the remote endpoints:
  - For Action, accept the default: Permit Traffic.
  - For From, select the local zone.
  - For To, select the remote zone.
  - For Service, accept the default, Any Service. You could also permit only certain types of traffic.
  - For Source, specify the local IP addresses that are allowed to send traffic on the VPN, either with a single-entry address object or by typing the address manually. (Click Options and select Enter custom IP, IP/mask or IP-Range.)
  - For Destination, specify the remote client addresses.
  - Click Apply.
- Create an access policy to permit traffic from the remote endpoints to the local endpoints:
  - For Action, accept the default: Permit Traffic.
  - For From, select the IKE mode config zone.
  - For To, select the local zone.
  - For Service, accept the default, Any Service. You could also permit only certain types of traffic.
  - For Source, specify the remote client addresses.
  - For Destination, specify the local IP addresses that are allowed to send traffic on the VPN.
  - Click Apply.
With IKE Mode Config
- Create an access policy to permit traffic from the local endpoints to the remote endpoints:
  - For Action, accept the default: Permit Traffic.
  - For From, select the local zone.
  - For To, select the IKE mode config zone.
  - For Service, accept the default, Any Service. You could also permit only certain types of traffic.
  - For Source, specify the local IP addresses that are allowed to send traffic on the VPN, either with a single-entry address object or by typing the address manually. (Click Options and select Enter custom IP, IP/mask or IP-Range.)
  - For Destination, specify the IKE mode config addresses.
  - Click Apply.
- Create an access policy to permit traffic from the remote endpoints to the local endpoints:
  - For Action, accept the default: Permit Traffic.
  - For From, select the IKE mode config zone.
  - For To, select the local zone.
  - For Service, accept the default, Any Service. You could also permit only certain types of traffic.
  - For Source, specify the IKE mode config addresses.
  - For Destination, specify the local addresses that the remote endpoints are allowed to reach.
  - Click Apply.
- Click Close.
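The three policies above (isakmp to SELF, local to clients, clients to local) are easy to get wrong by hand, so here is an added audit script (not the product's own API or export format; the Policy record, zone names and addresses are assumptions) that checks a list of entered policies for a missing policy, an Any Address scope on a traffic policy, and logging that was left switched on after troubleshooting:

```python
# Added example, not the product's own API or configuration export: audit a
# list of unicast access policies against the client-to-site VPN set above.
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any Address"  # the Source/Destination default shown in the steps

@dataclass(frozen=True)
class Policy:
    """One policy as entered in the Add a Policy form (field names in comments)."""
    src_zone: str            # From
    dst_zone: str            # To
    service: str             # Service
    source: str = ANY        # Source
    destination: str = ANY   # Destination
    action: str = "Permit Traffic"
    logging: bool = False    # Enable logging on this Policy

def _permits(p: Policy, frm: str, to: str, service: Optional[str] = None) -> bool:
    return (p.action == "Permit Traffic" and p.src_zone == frm and p.dst_zone == to
            and (service is None or p.service == service))

def audit_vpn_policies(policies: List[Policy], remote_zone: str, local_zone: str,
                       mode_config_zone: Optional[str] = None) -> List[str]:
    """Return findings; [] means the isakmp policy and both traffic policies exist,
    the traffic policies name explicit addresses, and no logging is left on.
    Assumption: without IKE mode config, client traffic arrives from remote_zone."""
    findings: List[str] = []
    client_zone = mode_config_zone or remote_zone
    if not any(_permits(p, remote_zone, "SELF", "isakmp") for p in policies):
        findings.append(f"missing: permit isakmp from {remote_zone} to SELF")
    for frm, to in ((local_zone, client_zone), (client_zone, local_zone)):
        hits = [p for p in policies if _permits(p, frm, to)]
        if not hits:
            findings.append(f"missing: permit traffic from {frm} to {to}")
        for p in hits:
            if ANY in (p.source, p.destination):  # VPN traffic policies should be scoped
                findings.append(f"too broad: {frm} -> {to} ({p.service}) uses {ANY}")
    for p in policies:
        if p.logging:  # policy logging is for troubleshooting only
            findings.append(f"logging left on: {p.src_zone} -> {p.dst_zone} ({p.service})")
    return findings

if __name__ == "__main__":
    # Constructed no-mode-config rule set with made-up zone names and addresses
    ruleset = [Policy("EXTERNAL", "SELF", "isakmp", logging=True),
               Policy("INTERNAL", "EXTERNAL", "Any Service", "10.0.1.0/24", "192.0.2.0/24"),
               Policy("EXTERNAL", "INTERNAL", "Any Service", "192.0.2.0/24", "10.0.1.0/24")]
    print("\n".join(audit_vpn_policies(ruleset, "EXTERNAL", "INTERNAL")) or "ok")
```

Pass mode_config_zone to audit the "With IKE Mode Config" variant, where the traffic policies pair the local zone with the IKE mode config zone instead of the remote zone.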