
Westermo OS Management Guide
Version 4.17.0-0
and set his local-id accordingly ("local-id inet 1.2.3.4").
5. Defining local and remote IP subnets: By using DN strings with a common
name (CN) wild-card, a VPN gateway can easily serve multiple road-warriors
using a single IPsec tunnel. E.g., if Alice (IPsec Responder/VPN Gateway) uses
the DN string "C=US, O=ACME, CN=*" as remote-id, it would match certificates
with different CNs (e.g., Bob or Charlie) as long as the other relative
distinguished names (RDNs), here C=US, O=ACME, of the presented certificate
match.
However, if Alice is to allow multiple VPN peers to connect via a single tunnel
definition, she should allow each peer to have a local subnet (or virtual IP)
corresponding to a part of her configured remote subnet, i.e., her remote
subnet should be shared by Bob, Charlie or any other valid peer. An example
is shown in the figure below, where Alice has declared her remote subnet
10.0.2.0/24 as shared to allow Bob, Charlie and Dave to connect.
[Figure 35.6 diagram: Alice (GW), connected to the Intranet 10.0.1.0/24 and to
the Internet, is configured with Remote-id "C=US, O=ACME, CN=*", Remote-subnet
10.0.2.0/24 (Shared) and Peer Address: Any. Peers on the Internet side: Bob (GW)
with Local-id "C=US, O=ACME, OU=RD, CN=Bob", Charlie (PC) with Local-id
"C=US, O=ACME, CN=Charlie" and Dave (PC) with Local-id "C=US, O=ACME, CN=Dave";
the peers' ranges inside the shared subnet are 10.0.2.128/29 and the virtual
IPs 10.0.2.11/32 and 10.0.2.12/32.]
Figure 35.6: By defining the remote subnet as "shared", one IPsec tunnel
definition at the responder (Alice) can serve multiple initiators (Bob, Charlie,
and Dave).
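The two responder-side checks described in step 5 (wild-card remote-id matching and confining each peer to a part of the shared remote subnet), modelled as an added example; this is illustrative code, not Westermo OS's implementation, and it assumes that RDNs absent from the remote-id (such as Bob's OU=RD in Figure 35.6) are simply not constrained. Sample identities and ranges are constructed from the figure's values.

```python
import ipaddress
from fnmatch import fnmatchcase


def parse_dn(dn):
    """Split 'C=US, O=ACME, CN=Bob' into {attr: value}; attribute names are case-insensitive."""
    rdns = {}
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part.strip()!r}")
        rdns[attr.strip().upper()] = value.strip()
    return rdns


def dn_matches(remote_id, cert_dn):
    """Every RDN in the configured remote-id must be present in the peer's certificate
    DN with a matching value; '*' in a value is a wild-card (e.g. CN=*).
    Assumption: RDNs not listed in remote-id (e.g. OU=RD) are not constrained."""
    wanted = parse_dn(remote_id)
    got = parse_dn(cert_dn)
    return all(attr in got and fnmatchcase(got[attr], pattern)
               for attr, pattern in wanted.items())


class SharedRemoteSubnet:
    """Responder (Alice) bookkeeping for a remote subnet declared 'shared': every
    authenticated peer claims a non-overlapping part of it (a subnet or a /32 virtual IP)."""

    def __init__(self, remote_id, remote_subnet):
        self.remote_id = remote_id
        self.shared = ipaddress.ip_network(remote_subnet)
        self.claims = {}  # cert_dn -> ip_network currently claimed by that peer

    def admit(self, cert_dn, peer_subnet):
        """Return (True, '') if the peer may use peer_subnet, otherwise (False, reason)."""
        if not dn_matches(self.remote_id, cert_dn):
            return False, "peer identity does not match remote-id"
        peer = ipaddress.ip_network(peer_subnet)
        if not peer.subnet_of(self.shared):
            return False, f"{peer} lies outside shared remote subnet {self.shared}"
        for other_dn, other in self.claims.items():
            if other_dn != cert_dn and peer.overlaps(other):
                return False, f"{peer} overlaps {other} already claimed by {other_dn}"
        self.claims[cert_dn] = peer
        return True, ""
```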
35.1.7.1 Common CA: IKE certificates within an organisation
When a company wishes to use IPsec with certificate authentication within its
organisation, all entities (IPsec VPN gateways and users of VPN clients) can have
their certificates issued by the same CA. The CA can either be operated by the
company itself or by an external (professional) CA organisation.
In this user scenario, a VPN unit such as Alice will have to upload/import
© 2015 Westermo Teleindustri AB