If narrow Security Associations are used for IPSec-protected FTP traffic, two VPN definitions are required: one for the data connection and one for the control connection. The following rules are written from the server's perspective. The FTP client connecting from BranchOfficeAddressC1 to ports 20 and 21 of PublicServerAddressA1 uses the respective ZoneC FTP VPNs.
LocalDynVpnRule ZoneC_VPN-FTP-Data
{
   LocalIpRef PublicServerAddressA1
   RemoteIpRef BranchOfficeAddressC1
   LocalDataPort 20
   RemoteDataPort 0
   Protocol tcp
}
LocalDynVpnRule ZoneC_VPN-FTP-Control
{
   LocalIpRef PublicServerAddressA1
   RemoteIpRef BranchOfficeAddressC1
   LocalDataPort 21
   RemoteDataPort 0
   Protocol tcp
}
IpAddr PublicServerAddressA1
{
   Addr 9.3.3.3
}
IpAddr BranchOfficeAddressC1
{
   Addr 9.5.5.5
}
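The following added example (not part of the original documentation or of any IBM tooling) parses the statements above and reports which narrow VPN rule a given connection falls under, so you can check that a data connection on any server port other than 20, as in passive-mode FTP, is covered by neither rule. The helper names `parse`, `port_ok` and `match_rules` are hypothetical, the sample connections are constructed, and treating port 0 as "any port" is an assumption.

```python
import re

# The page's policy statements, whitespace-compacted for this example.
POLICY = """
LocalDynVpnRule ZoneC_VPN-FTP-Data
{ LocalIpRef PublicServerAddressA1  RemoteIpRef BranchOfficeAddressC1
  LocalDataPort 20  RemoteDataPort 0  Protocol tcp }
LocalDynVpnRule ZoneC_VPN-FTP-Control
{ LocalIpRef PublicServerAddressA1  RemoteIpRef BranchOfficeAddressC1
  LocalDataPort 21  RemoteDataPort 0  Protocol tcp }
IpAddr PublicServerAddressA1 { Addr 9.3.3.3 }
IpAddr BranchOfficeAddressC1 { Addr 9.5.5.5 }
"""

BLOCK = re.compile(r"(\w+)\s+(\S+)\s*\{([^}]*)\}")

def parse(text):
    """Return {statement_type: {name: {keyword: value}}}."""
    out = {}
    for kind, name, body in BLOCK.findall(text):
        tokens = body.split()  # keyword/value pairs, whitespace separated
        out.setdefault(kind, {})[name] = dict(zip(tokens[::2], tokens[1::2]))
    return out

def port_ok(rule_port, actual):
    # Assumption: a rule port of 0 matches any port.
    return rule_port == "0" or int(rule_port) == actual

def match_rules(policy, local_ip, local_port, remote_ip, remote_port, proto="tcp"):
    """Names of the LocalDynVpnRule statements that cover this connection."""
    addrs = {n: a["Addr"] for n, a in policy.get("IpAddr", {}).items()}
    hits = []
    for name, r in policy.get("LocalDynVpnRule", {}).items():
        if (addrs[r["LocalIpRef"]] == local_ip
                and addrs[r["RemoteIpRef"]] == remote_ip
                and r["Protocol"].lower() == proto
                and port_ok(r["LocalDataPort"], local_port)
                and port_ok(r["RemoteDataPort"], remote_port)):
            hits.append(name)
    return hits

if __name__ == "__main__":
    p = parse(POLICY)
    # Constructed connections, from the server's perspective.
    for label, lport, rport in [("control", 21, 50000),
                                ("active-mode data", 20, 50001),
                                ("passive-mode data", 51000, 50002)]:
        print(label, match_rules(p, "9.3.3.3", lport, "9.5.5.5", rport))
```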