Identification lists, Using an identity list – Amer Networks E5Web GUI User Manual

2. Enter a name for the pre-shared key, for example MyPSK

3. Choose Hexadecimal Key and click Generate Random Key to generate a key into the Passphrase textbox

4. Click OK

Then, apply the pre-shared key to the IPsec tunnel:

1. Go to: Network > Interfaces and VPN > IPsec

2. Select the target IPsec tunnel object

3. Under the Authentication tab, choose Pre-shared Key and select MyPSK

4. Click OK

9.3.8. Identification Lists

When certificates are used as the authentication method for IPsec tunnels, the Clavister Security
Gateway will accept any remote device or VPN client that can present a certificate signed by any
of the trusted Certificate Authorities. This can be a problem, especially when roaming clients
are used.

A Typical Scenario

Consider the scenario of travelling employees being given access to the internal corporate
networks using VPN clients. The organization administers their own Certificate Authority, and
certificates have been issued to the employees. Different groups of employees are likely to have
access to different parts of the internal networks. For example, members of the sales force need
access to servers running the order system, while technical engineers need access to technical
databases.

The Problem

Since the IP addresses of the travelling employees' VPN clients cannot be known beforehand, the
incoming VPN connections from those clients cannot be differentiated. This means that the
security gateway is unable to control access to the various parts of the internal networks.

The ID List Solution

The concept of Identification Lists provides a solution to this problem. An identification list
contains one or more identities (IDs), where each identity corresponds to the subject field of a
certificate. Identification lists can thus be used to regulate which certificates are given access
to which IPsec tunnels.
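As an added illustration that is not the manual's or Clavister's own code, the following Python models how an identification list gates tunnel access by the subject DN of an already CA-verified certificate. The list contents, tunnel names and subject values are constructed, and matching is simplified to exact comparison of each DN component.

```python
# Added illustration (not Clavister's code): an identification list holds
# subject DNs, and a tunnel only admits certificates whose subject matches
# one of the DNs in the list bound to that tunnel.

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514-style DN into (attribute, value) pairs.
    Backslash-escaped commas inside a value are kept as part of the value."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        # attribute types are case-insensitive; values compared exactly (simplification)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def dn_matches(cert_subject: str, list_entry: str) -> bool:
    """A subject matches an ID-list DN only if every component, in order, is equal."""
    return parse_dn(cert_subject) == parse_dn(list_entry)

# Constructed sample: two tunnels, each bound to its own identification list.
ID_LISTS = {
    "SalesIDs": ["CN=alice,OU=Sales,O=Example Corp,C=SE"],
    "EngineeringIDs": ["CN=bob,OU=Engineering,O=Example Corp,C=SE"],
}
TUNNEL_ID_LIST = {"SalesTunnel": "SalesIDs", "EngTunnel": "EngineeringIDs"}

def tunnels_for_subject(cert_subject: str) -> list[str]:
    """Return the tunnels that would accept a certificate with this subject.
    Assumes the CA signature check has already passed; a valid certificate
    whose subject is on no list is rejected by every tunnel."""
    allowed = []
    for tunnel, list_name in TUNNEL_ID_LIST.items():
        if any(dn_matches(cert_subject, e) for e in ID_LISTS[list_name]):
            allowed.append(tunnel)
    return allowed
```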

Example 9.3. Using an Identity List

This example shows how to create an Identification List and use it in a VPN tunnel. The
Identification List will contain one ID of type DN (distinguished name) as the primary
identifier. Note that this example does not show how to add the IPsec tunnel object itself.

Chapter 9: VPN

594