Configuring firewall access policies for the VPN is step 8 in configuring an L2TP over IPsec VPN. To see all of the steps to configure a client-to-site L2TP over IPsec VPN, including an explanation of the figure below, click here.

Before you begin configuring firewall access policies, determine the zone for the local VPN gateway. Typically, this is EXTERNAL, but it could be another zone. The instructions below will refer to this zone as the remote zone.
You should also determine the zone for local endpoints that are allowed on the VPN. This might be INTERNAL or another zone. The instructions below will refer to this zone as the local zone.
The IP addresses that you configure for each dial-in user are automatically placed in EXTERNAL.
Finally, you must remember the name of the user group that you configured for the L2TP users. Some of the firewall access policies will be configured for that group.
- Permit IKE messages from the remote endpoints.
  - Select Firewall > Access Policies > Unicast.
  - Ensure that the user group is None.
  - Click Add Policy.
  - For Action, accept the default, Permit Traffic.
  - For From, select the remote zone.
  - For To, select SELF.
  - For Service, select isakmp.
  - For Source, specify the L2TP client addresses, either with a single-entry address object or type the address manually. (Click Options and select Enter custom IP, IP/mask or IP-range.)
  - For Destination, accept the default, Any Address, or specify the local gateway.
  - Select the Enable logging on this Policy check box.

    Note: Because policy logging is processor-intensive, it is not recommended that you enable logging permanently. Use policy logging for troubleshooting and testing only.

  - Click Apply.
- Permit L2TP traffic from the remote endpoints:
  - For Action, accept the default, Permit Traffic.
  - For From, select the remote zone.
  - For To, select SELF.
  - For Service, select l2tp-udp.
  - For Source, specify the L2TP client addresses, either with a single-entry address object or type the address manually. (Click Options and select Enter custom IP, IP/mask or IP-range.)
  - For Destination, accept the default, Any Address, or specify the local gateway.
  - Click Apply.
- Permit traffic from the local endpoints to the remote endpoints:
  - From the User Group list, select the group that you configured for L2TP users.
  - For Action, accept the default, Permit Traffic.
  - For From, select the local zone.
  - For To, select EXTERNAL.
  - For Service, accept the default: Any Source. You could also permit only certain types of traffic.
  - For Source, specify the local IP addresses that are allowed to send traffic on the VPN, either with a single-entry address object or type the address manually. (Click Options and select Enter custom IP, IP/mask or IP-range.)
  - For Destination, specify the remote addresses.
  - Select the Enable logging on this Policy check box.
  - Click Apply.
- Permit traffic from the remote endpoints to the local endpoints:
  - For Action, accept the default, Permit Traffic.
  - For From, select EXTERNAL.
  - For To, select the local zone.
  - For Service, accept the default: Any Source. You could also permit only certain types of traffic.
  - For Source, specify the remote IP addresses that are allowed to send traffic on the VPN, either with a single-entry address object or type the address manually. (Click Options and select Enter custom IP, IP/mask or IP-range.)
  - For Destination, specify the local addresses.
  - Click Apply.
- Click Close.
- If the IPsec tunnel uses NAT-T (when NAT is performed on traffic somewhere between the gateways), you must create an access policy to allow the NAT-T traffic from the remote endpoints:
  - For Action, accept the default: Permit Traffic.
  - For From, select the remote zone.
  - For To, select SELF.
  - For Service, select ipsec-nat-t-udp.
  - For Source, select Any Address.
  - For Destination, leave Any Address or specify the IP address that you configured for the local gateway.
  - Click Apply.
- When the IPsec tunnel uses NAT-T, also create an access policy to allow the TMS zl Module to send NAT-T traffic:
  - For Action, accept the default: Permit Traffic.
  - For From, select SELF.
  - For To, select the remote zone.
  - For Service, select ipsec-nat-t-udp.
  - For Source, leave Any Address or specify the IP address that you configured for the local gateway.
  - For Destination, select Any Address.
  - Click Apply.
- Click Save.
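To make the effect of the policy set above concrete, the following is an added example, not the TMS zl Module's own code or CLI: it models the six access policies from the procedure as a first-match, default-deny rule table in Python and checks which sample flows each policy permits. The zone names EXTERNAL, INTERNAL and SELF and the service names isakmp, l2tp-udp and ipsec-nat-t-udp come from the procedure; the UDP port numbers assigned to those service names, the sample addresses, the user-group name l2tp-users, and the first-match/implicit-deny behaviour are assumptions made for the example.

```python
"""Model of the L2TP-over-IPsec access policies as a first-match rule table.

Added example; zone names and service names follow the procedure, everything
else (ports, addresses, group name, first-match/implicit-deny) is assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed port mapping for the named services (IANA-registered ports; the
# module's own service definitions are not on the page).
SERVICES = {
    "isakmp": ("udp", 500),
    "l2tp-udp": ("udp", 1701),
    "ipsec-nat-t-udp": ("udp", 4500),
    "any": None,  # matches every protocol and port
}


@dataclass
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    service: str
    src: str = "any"  # "any" or a CIDR prefix
    dst: str = "any"
    user_group: Optional[str] = None  # None models the "None" user-group setting
    action: str = "permit"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_ip: str
    dst_ip: str
    user_group: Optional[str] = None  # group of the authenticated L2TP user, if any


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec)


def _service_match(service: str, proto: str, dport: int) -> bool:
    ports = SERVICES[service]
    return ports is None or ports == (proto, dport)


def evaluate(policies: list, flow: Flow) -> str:
    """Return the action of the first policy matching the flow, else 'deny'
    (assumption: first-match evaluation with an implicit deny)."""
    for p in policies:
        if (p.src_zone, p.dst_zone) != (flow.src_zone, flow.dst_zone):
            continue
        if not _service_match(p.service, flow.proto, flow.dport):
            continue
        if not (_addr_match(p.src, flow.src_ip) and _addr_match(p.dst, flow.dst_ip)):
            continue
        if p.user_group is not None and p.user_group != flow.user_group:
            continue
        return p.action
    return "deny"


# Constructed sample addressing: remote zone is EXTERNAL, local zone is INTERNAL.
CLIENTS = "203.0.113.0/24"  # public addresses the L2TP clients connect from
DIAL_IN = "10.10.10.0/24"   # addresses assigned to dial-in users (placed in EXTERNAL)
LAN = "192.168.10.0/24"     # local endpoints allowed on the VPN
GATEWAY = "198.51.100.1"    # local VPN gateway address
GROUP = "l2tp-users"        # user group configured for the L2TP users (assumed name)


def build_policies(nat_t: bool = True) -> list:
    """The policies from the procedure, in the order they are created."""
    policies = [
        Policy("permit-ike", "EXTERNAL", "SELF", "isakmp", src=CLIENTS),
        Policy("permit-l2tp", "EXTERNAL", "SELF", "l2tp-udp", src=CLIENTS),
        Policy("local-to-remote", "INTERNAL", "EXTERNAL", "any",
               src=LAN, dst=DIAL_IN, user_group=GROUP),
        Policy("remote-to-local", "EXTERNAL", "INTERNAL", "any", src=DIAL_IN, dst=LAN),
    ]
    if nat_t:  # the two optional NAT-T policies at the end of the procedure
        policies += [
            Policy("permit-nat-t-in", "EXTERNAL", "SELF", "ipsec-nat-t-udp"),
            Policy("permit-nat-t-out", "SELF", "EXTERNAL", "ipsec-nat-t-udp"),
        ]
    return policies


# Constructed flows: the ones the VPN needs, plus two that should stay blocked.
FLOWS = {
    "ike": Flow("EXTERNAL", "SELF", "udp", 500, "203.0.113.7", GATEWAY),
    "l2tp": Flow("EXTERNAL", "SELF", "udp", 1701, "203.0.113.7", GATEWAY),
    "nat-t": Flow("EXTERNAL", "SELF", "udp", 4500, "203.0.113.7", GATEWAY),
    "lan-to-client": Flow("INTERNAL", "EXTERNAL", "tcp", 443,
                          "192.168.10.20", "10.10.10.5", user_group=GROUP),
    "client-to-lan": Flow("EXTERNAL", "INTERNAL", "tcp", 445, "10.10.10.5", "192.168.10.20"),
    "ike-from-elsewhere": Flow("EXTERNAL", "SELF", "udp", 500, "192.0.2.9", GATEWAY),
    "unknown-to-lan": Flow("EXTERNAL", "INTERNAL", "tcp", 445, "192.0.2.9", "192.168.10.20"),
}


def check_flows(policies: list) -> dict:
    """Map each sample flow name to the verdict of the given policy table."""
    return {name: evaluate(policies, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in check_flows(build_policies()).items():
        print(f"{name:20} {verdict}")
```

Running the block with the NAT-T policies present permits all five VPN flows and denies the two unrelated ones; building the table with `nat_t=False` shows the UDP/4500 flow falling through to the implicit deny, which is the situation the NAT-T policies in the procedure exist to fix.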
