This article applies to our On-Premise Appliance Filter and Firewall product only, not to Cloud.
You can authenticate a VPN tunnel between two Smoothwall On-Premise Appliances using certificates. Each Appliance uses a certificate to identify the other.
With this method, you share only each Appliance’s public certificate with the other, not the Certificate Authority (CA) certificate. Because no CA is shared, the Appliances can use different CAs, and the setup also supports Dynamic certificates and Road warrior connections between them.
Important
This method is secure because the public certificate is used only to verify that the Appliance identifying itself possesses the private key linked to that certificate. To keep the VPN secure, share or export only the public certificate, never the private key.
Before you begin
- Ensure both Smoothwall On-Premise Appliances are running the same software release. We recommend updating to the latest release where possible.
- Ensure you have Administrator access to both Appliances.
Step 1: Create the certificates
- Check that each Appliance has the CA you want to use.
- Create a signed certificate on each Appliance using the CA.
- Export the certificates in PEM format.
Step 2: Import the certificates
On each Appliance, import the certificate from the other Appliance.
Step 3: Turn on Authentication
Create an IPSec tunnel on each Appliance. Select the other Appliance’s certificate in the Authenticate by list.
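Before handing the Step 1 export to the other Appliance, and before importing the peer's file in Step 2, a practitioner would want to confirm the PEM file holds only a certificate (no private key, no CA) and record its fingerprint for out-of-band comparison with the peer's administrator. This is an added example, not Smoothwall code; the sample PEM bodies are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, der_bytes) for each PEM block in the export."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of the DER bytes (openssl style)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_export(text):
    """Report whether a PEM export is safe to hand to the peer Appliance."""
    blocks = pem_blocks(text)
    reasons = []
    if not blocks:
        reasons.append("no PEM blocks found")
    for label, _ in blocks:
        if "PRIVATE KEY" in label:  # covers RSA/EC/ENCRYPTED PRIVATE KEY too
            reasons.append(f"export contains a {label} block")
        elif label != "CERTIFICATE":
            reasons.append(f"unexpected block type {label}")
    fingerprints = [sha256_fingerprint(der) for label, der in blocks
                    if label == "CERTIFICATE"]
    if len(fingerprints) > 1:
        reasons.append("more than one certificate (CA or chain included?)")
    return {"safe_to_share": not reasons, "reasons": reasons,
            "fingerprints": fingerprints}

def _pem(label, payload):
    # Constructed sample: payload stands in for DER bytes; it is not a real certificate.
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

GOOD_EXPORT = _pem("CERTIFICATE", b"constructed stand-in for Appliance A's certificate")
BAD_EXPORT = GOOD_EXPORT + _pem("RSA PRIVATE KEY", b"constructed stand-in for key bytes")
```

Read the fingerprint from the report to the peer's administrator over a separate channel and have them compare it against the file they import in Step 2.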