Note: To configure VPNs, you need a Unified Threat Management license.
The following sections document VPN examples taken from realistic business scenarios.
VPNs between Business Partners
To create a VPN between two separate organizations, such as two firms working together as partners, you will most likely need an IPsec tunnel. The other end might be an appliance that isn't from Smoothwall, so agreeing on a compatible tunnel specification requires a degree of coordination between the two organizations.
This example uses certificates created by an external, commercial Certificate Authority so that each organization can authenticate certificates presented by the other using a Certificate Authority that's independent of both organizations.
This configuration example assumes the following:
- The local Smoothwall presents its own certificate (Certificate A).
- The other organization's VPN gateway presents its own certificate (Certificate B).
- Both certificates were issued by the same external, commercial Certificate Authority, and that Certificate Authority's certificate is available to import on both VPN gateways.
Firstly, import the certificate created for the local Smoothwall (Certificate A).
To import the certificate:
- In the local system, on the NETWORK menu, under the VPN submenu, click Certificates.
- Import Certificate A, see our help topic, Importing and creating certificates.
Next, import the commercial Certificate Authority's certificate:
- On the NETWORK menu, under the VPN submenu, click Certificates.
- Import the Certificate Authority's certificate according to the file format it was supplied in, see our help topic, Importing and creating certificate authorities and their certificates.
Next, configure the local tunnel specification in cooperation with the other organization. This is most likely to be an IPsec site-to-site connection, though you can also connect to their network as a road warrior. In either case, to decide on the configuration options to be used on the respective VPN gateways, you need full consultation between both organizations.
Follow these steps to create a site-to-site connection:
- On the local Smoothwall, on the NETWORK menu, under the VPN submenu, click IPsec subnets.
- From the Local ID type list, select "Default local cert subject" or "Default local cert subject alt.name". However, if the other VPN gateway isn't directly compatible with the way the Smoothwall Filter and Firewall communicates certificate subjects, you might need to use the user-specified values instead.
- Choose Certificate A from the Local certificate list to make sure that this tunnel overrides any default local certificate that might be configured.
- Choose Certificate provided by peer from the Authenticate by list. This makes sure that the Smoothwall authenticates Certificate B when it is presented by the other organization's VPN gateway.
- From the Remote ID type list, choose the remote ID type that matches the identity entered when Certificate B was created by the commercial Certificate Authority, and enter the corresponding value. Because a commercial Certificate Authority issues certificates to many organizations, the remote ID is what restricts this tunnel to the other organization's gateway rather than to any holder of a certificate from that Certificate Authority.
- Confer with the other organization regarding all other configuration settings, and make sure that they authenticate the tunnel using the Certificate Authority's certificate and Certificate A, which the Smoothwall presents at connection time.
Extended Site to Site Routing
A useful feature of the Smoothwall is its ability to use the VPN as a means of linking multiple networks together by creating a centralized VPN hub. The hub routes traffic between the different networks and subnets; this is achieved by choosing the local and remote network settings in each tunnel specification so that they cover more than the two directly connected sites.
This potentially means that every network can link to every other network without the need for a fully routed network of VPN tunnels, that is, a tunnel from every site to every other site. A fully routed network can be awkward to configure and maintain.
This configuration example assumes the following:
- Site A – Local network: 192.168.10.0/255.255.255.0 – Tunnel A connects to Site B.
- Site B – Local network: 192.168.20.0/255.255.255.0 – Tunnel A connects to Site A, Tunnel C connects to Site C.
- Site C – Local network: 192.168.30.0/255.255.255.0 – Tunnel C connects to Site B.
The advantage of this approach is that you only need one tunnel for each remote network. The disadvantage is that the central VPN gateway is now routing traffic not destined for it, so it needs additional bandwidth and processing capacity. Also, the central VPN gateway becomes a single point of failure for the whole network. An improved approach would incorporate backup tunnel definitions that could be used to create a fail-over VPN hub elsewhere on the network.
Site A Tunnel Definition
A definition for Tunnel A (connecting Site A to Site B). Use the following local and remote network settings:
- Local network – 192.168.10.0/255.255.255.0
- Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) is routed to Site B, because this range falls within the definition of the remote end of Tunnel A.
Any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) will also be routed to Site B, because this range also falls within the definition of the remote end of Tunnel A. However, this traffic still needs to be forwarded to Site C to reach its destination – Tunnel C from Site B will ensure this.
Site B Tunnel Definitions
First, a definition for Tunnel A (connecting Site B to Site A). Use the following local and remote network settings:
- Local network – 192.168.0.0/255.255.0.0
- Remote network – 192.168.10.0/255.255.255.0
With this configuration, any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) is routed to Site A, because this range falls within the definition of the remote end of Tunnel A. The local network is deliberately the whole 192.168.0.0/255.255.0.0 range rather than just Site B's own subnet, so that traffic arriving from Site C over Tunnel C (source addresses in the range 192.168.30.0 to 192.168.30.255) also matches Tunnel A and is forwarded on to Site A.
Next, a definition for Tunnel C (connecting Site B to Site C). Use the following local and remote network settings:
- Local network – 192.168.0.0/255.255.0.0
- Remote network – 192.168.30.0/255.255.255.0
With this configuration, any traffic destined for the Site C network (any address in the range 192.168.30.0 to 192.168.30.255) is routed to Site C, because this range falls within the definition of the remote end of Tunnel C. Again, the local network is the whole 192.168.0.0/255.255.0.0 range so that traffic arriving from Site A over Tunnel A (source addresses in the range 192.168.10.0 to 192.168.10.255) also matches Tunnel C and is forwarded on to Site C.
Site C Tunnel Definition
A definition for Tunnel C (connecting Site C to Site B). Use the following local and remote network settings:
- Local network – 192.168.30.0/255.255.255.0
- Remote network – 192.168.0.0/255.255.0.0
With this configuration, any traffic destined for the Site B network (any address in the range 192.168.20.0 to 192.168.20.255) is routed to Site B, because this range falls within the definition of the remote end of Tunnel C.
Any traffic destined for the Site A network (any address in the range 192.168.10.0 to 192.168.10.255) will also be routed to Site B, because this range also falls within the definition of the remote end of Tunnel C. However, this traffic still needs to be forwarded to Site A to reach its destination – Tunnel A from Site B will ensure this.
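The hub-and-spoke behaviour described in the Site A, Site B and Site C definitions above, as an added example that is not part of the Smoothwall documentation or product: a small Python model that encodes the three sites' tunnel definitions as traffic selectors, walks a packet from one site to another through the hub, and reports which pairs of sites cannot reach each other. It assumes the usual policy-based IPsec matching rule (a tunnel carries a packet when the source address is inside the tunnel's local network and the destination is inside its remote network, with the most specific remote network winning); the class and function names, and the sample host addresses, are the example's own.

```python
"""Hub-and-spoke IPsec forwarding model for the Site A / Site B / Site C example.

Added example, not Smoothwall code. The tunnel definitions below are the ones
given in the text; the matching rule (src in local network, dst in remote
network, most specific remote network first) is the general policy-based IPsec
behaviour and is an assumption of this model, not a Smoothwall-specific claim.
"""
from ipaddress import ip_address, ip_network
from typing import Optional


class Tunnel:
    def __init__(self, name, local, remote, peer):
        self.name = name
        self.local = ip_network(local)    # "Local network" in the tunnel definition
        self.remote = ip_network(remote)  # "Remote network" in the tunnel definition
        self.peer = peer                  # site that terminates the other end


class Site:
    def __init__(self, name, lan, tunnels):
        self.name = name
        self.lan = ip_network(lan)
        self.tunnels = tunnels

    def select_tunnel(self, src, dst) -> Optional[Tunnel]:
        """Pick the tunnel whose selectors cover (src, dst); None means dropped."""
        candidates = [t for t in self.tunnels if src in t.local and dst in t.remote]
        if not candidates:
            return None
        return max(candidates, key=lambda t: t.remote.prefixlen)


def build_sites(hub_local="192.168.0.0/16"):
    """Tunnel definitions from the text. hub_local lets you try the weaker
    variant where Site B uses only its own /24 as the local network."""
    return {
        "A": Site("A", "192.168.10.0/24",
                  [Tunnel("A", "192.168.10.0/24", "192.168.0.0/16", "B")]),
        "B": Site("B", "192.168.20.0/24",
                  [Tunnel("A", hub_local, "192.168.10.0/24", "A"),
                   Tunnel("C", hub_local, "192.168.30.0/24", "C")]),
        "C": Site("C", "192.168.30.0/24",
                  [Tunnel("C", "192.168.30.0/24", "192.168.0.0/16", "B")]),
    }


def path(sites, src, dst, max_hops=8):
    """Return the list of sites a packet traverses, or None if it is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    here = next(s for s in sites.values() if src in s.lan)
    hops = [here.name]
    for _ in range(max_hops):
        if dst in here.lan:
            return hops
        tunnel = here.select_tunnel(src, dst)
        if tunnel is None:
            return None  # no selector covers this flow at this gateway
        here = sites[tunnel.peer]
        hops.append(here.name)
    return None  # loop guard


def unreachable_pairs(sites):
    """Every (source site, destination site) pair whose LANs cannot talk."""
    bad = []
    for s in sites.values():
        for d in sites.values():
            if s is d:
                continue
            # Constructed sample hosts: the .10 address in each site's LAN.
            if path(sites, str(s.lan[10]), str(d.lan[10])) is None:
                bad.append((s.name, d.name))
    return bad


if __name__ == "__main__":
    good = build_sites()
    print(path(good, "192.168.10.5", "192.168.30.7"))
    print(unreachable_pairs(good))
    weak = build_sites(hub_local="192.168.20.0/24")
    print(unreachable_pairs(weak))
```

Running it with the hub's local network narrowed to 192.168.20.0/24 shows the failure mode the text's choice of 192.168.0.0/255.255.0.0 avoids: traffic from Site A still reaches Site B, but Site B then has no tunnel whose local network covers Site A's source addresses, so spoke-to-spoke traffic is dropped at the hub while hub-to-spoke traffic keeps working.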