IPsec Policies

On this window, you configure the IPsec policy, which is:

  • step 5 in configuring a VPN with IKE policies

  • step 3 in configuring a VPN with manual keying

  • step 5 in configuring an L2TP (Layer 2 Tunneling Protocol) client-to-site VPN

Detailed instructions for configuring IPsec VPNs on the Threat Management Services (TMS) zl Module, including an explanation of the figure below, are provided in the IPsec VPN configuration topic of this help.

Detailed instructions for configuring L2TP VPNs on the TMS zl Module, including an explanation of the figure below, are provided in the L2TP VPN configuration topic of this help.

Add IPsec Policy — Click to add an IPsec policy.

A default IPsec policy prevents all traffic from being encrypted by the VPN engine; therefore, every IPsec policy that you configure must have a higher priority than this default policy.

Step 1 of 4

  • Policy Name

  • Enable this policy

  • Action

  • Direction

  • Position

  • Traffic Selector

  • Protocol

  • Local Address

  • Local Port

  • Remote Address

  • Remote Port

  • ICMP (Internet Control Message Protocol) Type

  • Proposal

If you selected Bypass or Ignore for Action, click Finish.

Step 2 of 4

Key Exchange Method

  • Auto (with IKE)

      • IKEv1 Policy

      • Enable PFS (Perfect Forward Secrecy)

      • SA (Security Association) Lifetime in seconds

      • SA Lifetime in kilobytes

  • Manual

      • Local Gateway

      • Remote Gateway IP Address

      • SPI (Security Parameters Index) Number

      • ESP (Encapsulating Security Payload) Only: Inbound Encryption Key

      • ESP Only: Outbound Encryption Key

      • Inbound Authentication Key

      • Outbound Authentication Key

Step 3 of 4

  • Enable IP Pool for IRAS (IPsec Remote Access Server) (Mode Config)

  • IRAS IP Address/Mask

  • Firewall Zone

  • IP Address Ranges

  • Primary DNS Server and Secondary DNS Server

  • Primary WINS Server and Secondary WINS Server

Step 4 of 4

  • Optional: Advanced Settings

      • Enable IP Compression

      • Anti-Replay Window Size

      • Enable Extended Sequence Number

      • Enable Re-key on Sequence Number Overflow

      • Enable Persistent Tunnel

      • Enable Fragment Before IPsec

  • Optional, Tunnel Mode Only: Tunnel Options

      • Enable Copy DSCP (Differentiated Services Code Point) Value from Clear Packet

      • DF (Don't Fragment) Bit Handling

      • DSCP Value