Allowing IPsec VPN access in filter policies

The traffic that is required in order to set up the IPsec VPN is managed by an implicit filter rule. The filter policy will therefore manage how mobile users who were authenticated via the VPN access internal resources.

In the module Configuration > Security policy > Filter - NAT > Filtering tab:

1. In the filter policy, select the row below the one in which you wish to add the rule allowing mobile users to use the IPsec VPN.
2. Click on New rule.
3. Select Single rule.
   A new row appears.
4. In the newly added row, double-click on the cell in the Action column.
   The configuration window of the rule opens.
   
5. In the Action field, select pass.
6. In the menu on the left side of this window, select Source.
7. In the User field, select the group of users allowed to set up IPsec VPN tunnels (EAP-GTC-CERT Users@stormshield.eu in this example).
8. Click on the Advanced properties tab in the Source section.
9. For the Via field, select IPsec VPN tunnel.
10. For the Authentication method field, select IPsec VPN.
11. In the menu on the left side of this window, select Destination.
12. Click on Add in the Destination hosts grid.
13. Select the network that mobile users can access through the IPsec VPN tunnel (group IKEv2_EAP_LOCAL_NET_GRP in the example).
14. In the menu on the left side of this window, select Inspection.
15. In the Inspection profile field, select the IPS profile that contains the TCP-UDP profile with the MSS option (IPS_03 in the example).
16. Click on OK.
17. Double-click on the cell corresponding to the Status column to enable this rule.
    Its status will switch to ON.
18. Click on Apply, then on Yes, activate the policy.

The filter rule configured is therefore: