Create Access rules for policy-based VPN traffic

No traffic is sent out through the policy-based VPN until you direct traffic to the VPN in the Access rules. The Policy-Based VPN element must be referenced in at least one Access rule.

Steps

  1. Create rules for incoming site-to-site VPN traffic.
    1. To allow traffic from a single policy-based VPN with an Apply or Enforce action, insert the following type of rule:

       Table 1. Basic rule for allowing incoming VPN traffic from a single policy-based VPN

       | Source | Destination | Service | Action |
       | --- | --- | --- | --- |
       | Remote networks. | Local networks. | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Apply VPN or Enforce VPN, then select a Policy-Based VPN. |

    2. (Optional) To match the rule based on whether traffic is using a policy-based VPN, insert the following type of rule:

       Table 2. Rule for allowing incoming policy-based VPN traffic from any number of different policy-based VPNs

       | Source | Destination | Service | Action | Source VPN |
       | --- | --- | --- | --- | --- |
       | Remote networks. | Local networks. | Set as needed. | Allow. | To ignore this rule for non-VPN traffic, select Match traffic based on source VPN. Add one or more Policy-Based VPN elements according to where the traffic is coming from. This rule does not match traffic from other sources. |

  2. To create rules for outgoing policy-based VPN traffic, insert the following type of rule:

     Table 3. Basic rule for outgoing VPN traffic

     | Source | Destination | Service | Action |
     | --- | --- | --- | --- |
     | Local networks. | Remote networks. | Set as needed. | Select Allow, then open the Action options. Set VPN Action to Apply VPN, Enforce VPN, or Forward, then select a Policy-Based VPN. |
    Note: If Access rules send traffic into a policy-based VPN, but the source or destination IP addresses are not included in the Site definitions, the traffic is dropped. This configuration error is shown as the message “tunnel selection failed” in the logs.
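The following is an added example, not product code: a small Python model of how the three rule types above are evaluated, including the optional Source VPN match that skips non-VPN traffic and the "tunnel selection failed" outcome when a VPN action is applied to addresses outside the Site definitions. The class and function names, the VPN name, and the 10.x.0.0/16 networks are constructed for illustration.

```python
# Added example (not Forcepoint/SMC code): models Access rule evaluation for
# policy-based VPN traffic as described in Tables 1-3 and the Note above.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

def _inside(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)

@dataclass
class PolicyVpn:
    name: str
    local_sites: list   # networks in the local gateway's Site definition
    remote_sites: list  # networks in the remote gateway's Site definition

    def covers(self, a, b):
        """Tunnel selection succeeds only if both endpoints fall inside the Sites."""
        return ((_inside(a, self.local_sites) and _inside(b, self.remote_sites)) or
                (_inside(a, self.remote_sites) and _inside(b, self.local_sites)))

@dataclass
class Rule:
    source: str
    destination: str
    action: str                 # "Allow" or "Discard"
    vpn_action: str = None      # "Apply VPN", "Enforce VPN" or "Forward"
    vpn: PolicyVpn = None
    source_vpns: list = field(default_factory=list)  # "Match traffic based on source VPN"

def evaluate(rules, src, dst, source_vpn=None):
    """Verdict for one packet: first matching rule wins, no match means Discard."""
    for r in rules:
        if not (_inside(src, [r.source]) and _inside(dst, [r.destination])):
            continue
        # Table 2: a rule with Source VPN set is ignored for traffic not from a listed VPN
        if r.source_vpns and source_vpn not in r.source_vpns:
            continue
        if r.action == "Allow" and r.vpn_action in ("Apply VPN", "Enforce VPN", "Forward"):
            # Note above: endpoints outside the Site definitions cannot select a tunnel
            return "Allow via " + r.vpn.name if r.vpn.covers(src, dst) else "tunnel selection failed"
        return r.action
    return "Discard"

# Constructed sample policy: one VPN between HQ (10.1/16) and a branch (10.2/16)
VPN = PolicyVpn("HQ-to-Branch", ["10.1.0.0/16"], ["10.2.0.0/16"])
RULES = [
    Rule("10.2.0.0/16", "10.1.0.0/16", "Allow", source_vpns=["HQ-to-Branch"]),    # Table 2
    Rule("10.1.0.0/16", "10.2.0.0/16", "Allow", vpn_action="Apply VPN", vpn=VPN),  # Table 3
    Rule("10.1.0.0/16", "10.3.0.0/16", "Allow", vpn_action="Apply VPN", vpn=VPN),  # 10.3/16 not in Sites
]
```

The third rule is deliberately misconfigured so that its verdict shows the log message from the Note rather than a silent drop.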