beautypg.com

Ipsec lan to lan with certificates – Amer Networks E5Web GUI User Manual

Page 571

background image

An Allow rule for outbound traffic that has the previously defined ipsec_tunnel object as
the Destination Interface. The rule's Destination Network is the remote network
remote_net.

An Allow rule for inbound traffic that has the previously defined ipsec_tunnel object as
the Source Interface. The Source Network is remote_net.

Action

Src Interface

Src Network

Dest Interface

Dest Network

Service

Allow

lan

lan_net

ipsec_tunnel

remote_net

all_services

Allow

ipsec_tunnel

remote_net

lan

lan_net

all_services

The Service used in these rules is All but it could be a predefined service.

6.

Define a new cOS Core Route which specifies that the VPN Tunnel ipsec_tunnel is the
Interface to use for routing packets bound for the remote network at the other end of the
tunnel.

Interface

Network

Gateway

ipsec_tunnel

remote_net

9.2.2. IPsec LAN to LAN with Certificates

LAN to LAN security is usually provided with pre-shared keys but sometimes it may be desirable
to use X.509 certificates instead. If this is the case, Certificate Authority (CA) signed certificates
may be used and these come from an internal CA server or from a commercial supplier of
certificates.

Creating a LAN to LAN tunnel with certificates follows exactly the same procedures as the
previous section where a pre-shared key was used. The difference is that certificates now replace
pre-shared keys for authentication.

Two unique sets of two CA signed certificates (two for either end, a root certificate and a gateway
certificate) are required for a LAN to LAN tunnel authentication.

The setup steps are as follows:

1.

Open the management Web Interface for the Clavister Security Gateway at one end of the
tunnel.

2.

Under Key Ring, add the Root Certificate and Host Certificate into cOS Core. The root
certificate needs to have 2 parts added: a certificate file and a private key file. The gateway
certificate needs just the certificate file added.

3.

Set up the IPsec Tunnel object as for pre-shared keys, but specify the certificates to use
under Authentication. Do this with the following steps:

a.

Enable the X.509 Certificate option.

b.

Add the Root Certificate to use.

c.

Select the Gateway Certificate.

4.

Open the management Web Interface for the Clavister Security Gateway at the other side of
the tunnel and repeat the above steps with a different set of certificates.

Chapter 9: VPN

571

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: