Create rules for policy-based VPN traffic
Steps
- Create rules for incoming site-to-site VPN traffic.
  - To allow traffic from a single policy-based VPN with an Apply or Enforce action, insert the following type of rule:

    Table 1. Basic rule for allowing incoming VPN traffic from a single policy-based VPN
      Source:       Remote networks.
      Destination:  Local networks.
      Service:      Set as needed.
      Action:       Select Allow, then open the Action options. Set VPN Action to Apply VPN or Enforce VPN, then select a Policy-Based VPN.

  - (Optional) To match the rule based on whether traffic arrives through a policy-based VPN, insert the following type of rule:

    Table 2. Rule for allowing incoming policy-based VPN traffic from any number of different policy-based VPNs
      Source:       Remote networks.
      Destination:  Local networks.
      Service:      Set as needed.
      Action:       Allow.
      Source VPN:   To ignore this rule for non-VPN traffic, select Match traffic based on source VPN. Add one or more Policy-Based VPN elements according to where the traffic is coming from. The rule then matches only traffic arriving through the selected VPNs; traffic from any other source, including plaintext traffic and other VPNs, does not match it.
- Create rules for outgoing policy-based VPN traffic by inserting the following type of rule:

  Table 3. Basic rule for outgoing VPN traffic
    Source:       Local networks.
    Destination:  Remote networks.
    Service:      Set as needed.
    Action:       Select Allow, then open the Action options. Set VPN Action to Apply VPN, Enforce VPN, or Forward, then select a Policy-Based VPN.

  Note: If an Access rule sends traffic into a policy-based VPN but the source or destination IP addresses are not included in the Site definitions, tunnel selection fails and the traffic is dropped. This configuration error appears in the logs as the message "tunnel selection failed". When a VPN rule unexpectedly drops traffic, compare the rule's Source and Destination against the Sites of the VPN before changing the rule itself.
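The following is an added illustrative model of how the three rule types above behave, written for this page; it is not Forcepoint NGFW or SMC code and uses no SMC API. It treats Apply VPN, Enforce VPN and Forward identically (all send the matching traffic into the selected VPN), which is a simplification; tunnel selection is modelled as "both endpoints are covered by the VPN's Site networks, in either direction". The VPN names, networks and rule names are constructed sample data, and the function names are hypothetical.

```python
"""Model of Access rules with a VPN Action and Policy-Based VPN Site definitions.
Added example for this page, not Forcepoint/SMC code; names and networks are
constructed sample data and the semantics are simplified (see comments)."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class PolicyBasedVPN:
    """A Policy-Based VPN element with the networks listed in its Sites."""
    name: str
    local_sites: List[str]
    remote_sites: List[str]

    def covers(self, src, dst) -> bool:
        """Simplified tunnel selection: both endpoints must be in the Site
        definitions, either local->remote (outgoing) or remote->local (incoming)."""
        local = [ip_network(n) for n in self.local_sites]
        remote = [ip_network(n) for n in self.remote_sites]
        outgoing = any(src in n for n in local) and any(dst in n for n in remote)
        incoming = any(src in n for n in remote) and any(dst in n for n in local)
        return outgoing or incoming


@dataclass
class AccessRule:
    name: str
    sources: List[str]
    destinations: List[str]
    # None = plain Allow (Table 2); otherwise "Apply VPN", "Enforce VPN" or
    # "Forward" (Tables 1 and 3). Assumption: all three are modelled the same way.
    vpn_action: Optional[str] = None
    vpn: Optional[PolicyBasedVPN] = None
    # Set when "Match traffic based on source VPN" is selected (Table 2).
    source_vpns: Optional[List[str]] = None

    def matches(self, src, dst, inbound_vpn: Optional[str]) -> bool:
        if not any(src in ip_network(n) for n in self.sources):
            return False
        if not any(dst in ip_network(n) for n in self.destinations):
            return False
        if self.source_vpns is not None:
            # Ignored for non-VPN traffic and for traffic from any other VPN.
            return inbound_vpn is not None and inbound_vpn in self.source_vpns
        return True


def evaluate(rules: List[AccessRule], src_ip: str, dst_ip: str,
             inbound_vpn: Optional[str] = None) -> Tuple[str, Optional[str], str]:
    """Return (action, matched rule name, log message) for one flow.
    inbound_vpn is the VPN the packet arrived through, or None for plaintext."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if not rule.matches(src, dst, inbound_vpn):
            continue
        if rule.vpn_action is None:
            how = f"arrived through {inbound_vpn}" if inbound_vpn else "plaintext"
            return ("allow", rule.name, how)
        if rule.vpn is not None and rule.vpn.covers(src, dst):
            return ("allow", rule.name, f"{rule.vpn_action}: {rule.vpn.name}")
        # The Note above: the rule sends traffic into a VPN whose Sites do not
        # include the source or destination, so the traffic is dropped.
        return ("discard", rule.name, "tunnel selection failed")
    return ("discard", None, "no matching rule")


# Constructed sample configuration (not from the page).
HQ_TO_BRANCH = PolicyBasedVPN("HQ-Branch VPN", ["10.1.0.0/16"], ["10.2.0.0/16"])
HQ_TO_PARTNER = PolicyBasedVPN("HQ-Partner VPN", ["10.1.0.0/16"], ["192.168.50.0/24"])

RULES = [
    # Table 2: incoming traffic from either VPN; ignored for non-VPN traffic.
    AccessRule("In from VPNs", ["10.2.0.0/16", "192.168.50.0/24"], ["10.1.0.0/16"],
               source_vpns=["HQ-Branch VPN", "HQ-Partner VPN"]),
    # Table 3: outgoing traffic sent into the branch VPN.
    AccessRule("Out to branch", ["10.1.0.0/16"], ["10.2.0.0/16"],
               vpn_action="Enforce VPN", vpn=HQ_TO_BRANCH),
    # Misconfigured: 10.3.0.0/16 is not in the Sites of HQ-Branch VPN.
    AccessRule("Out to DC (misconfigured)", ["10.1.0.0/16"], ["10.3.0.0/16"],
               vpn_action="Apply VPN", vpn=HQ_TO_BRANCH),
]

if __name__ == "__main__":
    for args in [("10.2.5.5", "10.1.0.10", "HQ-Branch VPN"),
                 ("10.2.5.5", "10.1.0.10", None),
                 ("10.1.0.10", "10.2.5.5", None),
                 ("10.1.0.10", "10.3.0.1", None)]:
        print(args, "->", evaluate(RULES, *args))
```

The last flow in the demo reproduces the Note: the rule matches, the VPN action fires, but the destination is outside the VPN's Sites, so the flow is dropped with "tunnel selection failed" rather than being allowed in plaintext. The second flow shows the Table 2 rule being skipped for plaintext traffic that would otherwise match its Source and Destination.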