Two Tunnels and Certificate Authentication
We now add an additional system, Network C, to the VPN network. We want Network C to be able to access both the Network A subnet and Network B.
In Example VPN configurations, we explained how to create centralized VPN hubs using extended subnetting. We use this technique to allow Network B to route to Network C, and vice versa.
Network A Configuration
Create a new certificate for the new peer, and export it as a PKCS#12 file. We set the following properties for this certificate:
| Parameter | Value |
|---|---|
| ID Type | Host & Domain name |
| ID Value | tunnelc.mycompany.com |
| Common Name | Smoothwall C Cert |
| Organization | My Company Ltd |
Modify the existing tunnel to Network B. All settings are unchanged except:
| Parameter | Value |
|---|---|
| Local subnet | 192.168.0.0/16 |
Notice that this subnet mask now covers every subnet in the VPN, so the hub's tunnel policy carries traffic for all spokes, not just its own LAN.
Now we create a new tunnel to Smoothwall C:
| Parameter | Value |
|---|---|
| Name | Tunnel 2 |
| Local subnet | 192.168.0.0/16 |
| Local ID type | Default local certificate ID |
| Remote IP or hostname | 250.0.0.1 |
| Remote network | 192.168.13.0/24 |
| Remote ID type | Host & Domain name |
| Remote ID value | tunnelc.mycompany.com |
| Authenticate by | Certificate presented by peer |
Network B Configuration
Modify the tunnel as follows:
| Parameter | Value |
|---|---|
| Remote subnet | 192.168.0.0/16 |
Network C Configuration
Import the certificate, and then create the tunnel to Network A:
| Parameter | Value |
|---|---|
| Name | Tunnel 2 |
| Local ID type | Default local certificate ID |
| Local IP | The local IP address that clients connect to. |
| Remote IP or hostname | 100.0.0.1 |
| Remote network | 192.168.0.0/16 |
| Remote ID type | Host & Domain name |
| Remote ID value | tunnela.mycompany.com |
| Authenticate by | Certificate presented by peer |
Creating a firewall rule
For traffic to flow through the tunnel, you must create a firewall rule that allows traffic to be routed between the internal networks and the clients connecting via IPSEC. This is done in the Network - Firewall section. For a bi-directional rule, select both the IPSEC and the Internal interfaces as both the incoming and the outgoing interfaces, and select the Accept action.
Testing
Test in the same way as before. After bringing up both tunnels, ping a device on the Network A end from both Network B and Network C. Then test that you can route across Network A by pinging a host on Network C from Network B.
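Before the ping tests, it helps to confirm on paper that the traffic selectors of all four policy endpoints (each spoke's tunnel and the hub's tunnel to each spoke) cover spoke-to-spoke traffic. The following is an added example, not Smoothwall code: it models the hub and spoke tunnels above with Python's ipaddress module and reports any spoke pair the selectors would not carry. The Network C LAN (192.168.13.0/24) and the 192.168.0.0/16 summary come from this page; the Network A and Network B LANs, and Network B's pre-change remote subnet, are assumed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    """One IPsec tunnel as seen from the firewall that owns it."""
    name: str
    local_subnet: ipaddress.IPv4Network
    remote_subnet: ipaddress.IPv4Network

def net(cidr):
    return ipaddress.ip_network(cidr, strict=True)

# Constructed policy set. NET_C and the /16 summary are from the page;
# NET_A and NET_B are assumed LANs for the example.
NET_A, NET_B, NET_C = net("192.168.10.0/24"), net("192.168.12.0/24"), net("192.168.13.0/24")
HUB = {   # tunnels configured on Network A (the hub)
    "Network B": Tunnel("Tunnel 1", net("192.168.0.0/16"), NET_B),
    "Network C": Tunnel("Tunnel 2", net("192.168.0.0/16"), NET_C),
}
SPOKES = {   # each spoke's tunnel back to Network A
    "Network B": Tunnel("Tunnel 1", NET_B, net("192.168.0.0/16")),
    "Network C": Tunnel("Tunnel 2", NET_C, net("192.168.0.0/16")),
}
# Assumed pre-change state: Network B's remote subnet still covers only the hub LAN.
SPOKES_BEFORE = dict(SPOKES, **{"Network B": Tunnel("Tunnel 1", NET_B, NET_A)})

def covers(t, local_side, remote_side):
    """An IPsec policy carries a flow only if both selectors contain their end of it."""
    return local_side.subnet_of(t.local_subnet) and remote_side.subnet_of(t.remote_subnet)

def spoke_to_spoke_ok(hub, spokes, a, b):
    """LAN a -> LAN b crosses two tunnels; all four policy endpoints must cover the flow."""
    src, dst = spokes[a].local_subnet, spokes[b].local_subnet
    return (covers(spokes[a], src, dst)        # spoke a: local=a, remote must include b
            and covers(hub[a], dst, src)       # hub's tunnel to a: remote=a, local must include b
            and covers(hub[b], src, dst)       # hub's tunnel to b: local must include a, remote=b
            and covers(spokes[b], dst, src))   # spoke b: local=b, remote must include a

def check_mesh(hub, spokes):
    """Return the spoke pairs that the traffic selectors do not allow to talk."""
    names = sorted(spokes)
    return [f"{a} -> {b}" for a in names for b in names
            if a != b and not spoke_to_spoke_ok(hub, spokes, a, b)]

if __name__ == "__main__":
    print("after change:", check_mesh(HUB, SPOKES) or "all spoke pairs reachable")
    print("before change:", check_mesh(HUB, SPOKES_BEFORE))
```

If a pair is listed, widen the selector at the endpoint named in the comment rather than relying on the firewall rule, since a flow outside the selectors is never encrypted into the tunnel at all.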