Westermo RedFox Series User Manual
Westermo OS Management Guide
Version 4.17.0-0
• Remote Cert: In this scenario, Alice would accept all initiators (Bob, Charlie, Dave, etc.) with a certificate issued by their common CA, and where the DN string matches "C=US, O=ACME, CN=*". The remote certificate only needs to be specified in the trusted peer use case, see
  The default setting is "no remote-cert", thus this line may not be shown in your configuration file.
• Peer IP address: Alice is configured to accept initiators irrespective of their IP address. Bob needs to be configured with Alice's "Internet" IP address or domain name as peer (here 10.10.1.2; not shown in
Example

Alice's Configuration

tunnel
 ipsec 0
  enable
  no aggressive
  pfs
  no ike
  no esp
  no peer
  no outbound
  local-id dn "C=US, O=ACME, CN=Alice"
  remote-id dn "C=US, O=ACME, CN=*"
  local-subnet 10.0.1.0/24
  remote-subnet 10.0.2.0/24 shared
  method cert
  local-cert AliceCert
  no remote-cert
  remote-ca same
  no initiator
  dpd-action clear
  dpd-delay 30
  dpd-timeout 120
  sa-lifetime 28800
  ike-lifetime 3600
 end
end

Bob's Configuration

tunnel
 ipsec 0
  enable
  no aggressive
  pfs
  no ike
  no esp
  peer 10.10.1.2
  no outbound
  local-id dn "C=US, O=ACME, CN=Bob"
  remote-id dn "C=US, O=ACME, CN=Alice"
  local-subnet 10.0.2.128/29
  remote-subnet 10.0.1.0/24
  method cert
  local-cert BobCert
  no remote-cert
  remote-ca same
  initiator
  dpd-action restart
  dpd-delay 30
  dpd-timeout 120
  sa-lifetime 28800
  ike-lifetime 3600
 end
end
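The example above relies on two responder-side checks to decide which initiators Alice accepts: the peer certificate must be issued by a trusted CA ("remote-ca same" means the CA that issued Alice's own certificate; in the different-CA case of the next section an imported peer CA is trusted instead), and the peer's subject DN must match the "remote-id dn" pattern, where "CN=*" accepts any common name. The following is an added Python illustration of that policy, written for this page and not WeOS code: the DN parser, the wildcard semantics (only attributes named in the pattern are compared; a value of "*" matches anything), the PeerCert/ResponderPolicy names and the sample CA and peer identities are all assumptions constructed here.

```python
"""Model of IKE responder identity filtering as configured with
'remote-id dn' and 'remote-ca' on the page above.
Added illustration, not WeOS code: DN grammar, '*' semantics, issuer
handling and all sample identities below are assumptions."""
from dataclasses import dataclass


def parse_dn(dn: str) -> dict:
    """Split 'C=US, O=ACME, CN=Alice' into {'C': 'US', 'O': 'ACME', 'CN': 'Alice'}."""
    parts = {}
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, _, value = rdn.partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts


def dn_matches(pattern: str, subject_dn: str) -> bool:
    """True if every attribute named in the pattern is present in the subject
    with the same value; a pattern value of '*' accepts any value for that
    attribute (assumed wildcard semantics)."""
    pat = parse_dn(pattern)
    subj = parse_dn(subject_dn)
    for key, want in pat.items():
        if key not in subj:
            return False
        if want != "*" and subj[key] != want:
            return False
    return True


@dataclass(frozen=True)
class PeerCert:
    subject_dn: str
    issuer_dn: str


@dataclass(frozen=True)
class ResponderPolicy:
    local_cert: PeerCert
    remote_id_pattern: str          # the 'remote-id dn' value
    remote_ca_same: bool = True     # 'remote-ca same': trust our own cert's issuer
    imported_cas: tuple = ()        # issuer DNs trusted after importing a peer CA

    def trusted_issuers(self) -> set:
        issuers = set(self.imported_cas)
        if self.remote_ca_same:
            issuers.add(self.local_cert.issuer_dn)
        return issuers

    def accepts(self, peer: PeerCert) -> bool:
        # Both checks must pass: trusted issuer AND matching identity.
        return (peer.issuer_dn in self.trusted_issuers()
                and dn_matches(self.remote_id_pattern, peer.subject_dn))


# Constructed sample identities (not from the manual).
ACME_CA = "C=US, O=ACME, CN=ACME Root CA"
OTHER_CA = "C=SE, O=Other, CN=Other Root CA"

ALICE_CERT = PeerCert("C=US, O=ACME, CN=Alice", ACME_CA)

# Same-CA scenario from the page: accept any ACME peer by wildcard CN.
ALICE_SAME_CA = ResponderPolicy(ALICE_CERT, remote_id_pattern="C=US, O=ACME, CN=*")

# Different-CA scenario: Alice imports Bob's organisation CA and trusts it.
ALICE_CROSS_CA = ResponderPolicy(ALICE_CERT,
                                 remote_id_pattern="C=SE, O=Other, CN=*",
                                 remote_ca_same=False,
                                 imported_cas=(OTHER_CA,))

SAMPLE_PEERS = (
    PeerCert("C=US, O=ACME, CN=Bob", ACME_CA),            # accepted by wildcard
    PeerCert("C=US, O=ACME, CN=Charlie", ACME_CA),        # accepted by wildcard
    PeerCert("C=US, O=Globex, CN=Mallory", ACME_CA),      # right CA, wrong O
    PeerCert("C=US, O=ACME, CN=Bob", OTHER_CA),           # right DN, untrusted issuer
    PeerCert("C=SE, O=Other, CN=Bob", OTHER_CA),          # cross-CA peer
)


def evaluate(policy: ResponderPolicy, peers=SAMPLE_PEERS) -> list:
    """Return [(subject_dn, issuer_dn, accepted), ...] for each sample peer."""
    return [(p.subject_dn, p.issuer_dn, policy.accepts(p)) for p in peers]


if __name__ == "__main__":
    for name, policy in (("same-CA", ALICE_SAME_CA), ("cross-CA", ALICE_CROSS_CA)):
        print(f"-- {name} policy --")
        for subject, issuer, ok in evaluate(policy):
            print(f"{'ACCEPT' if ok else 'REJECT'}  {subject}  (issuer: {issuer})")
```

The model makes the two failure modes visible: a certificate from the trusted CA whose DN does not fit the pattern is rejected (Mallory), and a certificate with an acceptable DN from an issuer that has not been trusted is rejected as well (the second Bob), which is the property that makes "remote-ca same" safe to pair with a wildcard common name.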
35.1.7.2 Different CAs: IKE certificates with multiple organisations
As of WeOS v4.17.0, this use case can only be configured via the CLI.
To use IPsec to establish secure tunnels between users or units of different organisations, Alice and Bob will usually have certificates issued by different CAs. In this case, Alice would upload/import Bob's CA certificate (C_B), and would thereby trust all certificates issued by Bob's CA.
804 © 2015 Westermo Teleindustri AB