X509 Authentication
In this example we reuse the network from Example 1, but improve the setup by using X.509 certificate authentication instead of PSK.
Configuring Network A
Network A is configured to be the Certificate Authority in the system.
Begin by going to the Authorities page and setting up the CA. In this example, we will list only the required fields. You should, of course, enter values appropriate to your organization:
Parameter | Value |
--- | --- |
Common Name | Network A Cert Auth |
Organization | My Company Ltd |
From now on, we will enter My Company Ltd in all Organization fields on the certificates we create.
Next you should export this certificate in PEM format. We will call this file ca.pem, and save it on the local workstation’s hard disk. You will need this file later.
Open the certificates page, and create the local certificate. It requires ID information:
Parameter | Value |
--- | --- |
ID Type | Host & Domain name |
ID Value | tunnela.mycompany.com |
Common Name | Network A Local Cert |
The peer (the Network B device) needs a certificate too:
Parameter | Value |
--- | --- |
ID Type | Host & Domain name |
ID Value | tunnelb.mycompany.com |
Common Name | Network B Cert |
Organization | My Company Ltd |
Create both certificates, and then export the Network B Cert certificate in PKCS#12 format. You will need to enter a passphrase to encrypt this export with; enter it in both boxes. We will call this file tunnelb.p12.
Now on to the Tunnels page. Choose the Network A Local Cert certificate as the Default local certificate, and press Save. We will restart the VPN shortly to make this change active.
The tunnel specification is a little more complex. Here it is:
Parameter | Value |
--- | --- |
Name | Tunnel 1 |
Local network | Set to the opposite end's remote network value. |
Local ID type | Default local certificate ID |
Local IP | The local IP address that clients connect to. |
Remote IP or hostname | 200.0.0.1 |
Remote network | 192.168.12.0/24 |
Remote ID type | Host & Domain name |
Remote ID value | tunnelb.mycompany.com |
Authenticate by | Certificate presented by peer |
Add the tunnel.
Configuring Network B
The first step is to import the certificates:
- On the Certificate authorities page, import the ca.pem file.
- On the Certificates page, import the tunnelb.p12 file you created earlier. Remember to enter the passphrase used to create the export file in both boxes.
- Choose Network B Cert as the Default local certificate and click Save. The tunnel configuration should look like this:
Parameter | Value |
--- | --- |
Name | Tunnel 1 |
Local network | Set to the opposite end's remote network value. |
Local ID type | Default local certificate ID |
Local IP | The local IP address that clients connect to. |
Remote IP or hostname | 100.0.0.1 |
Remote network | 192.168.0.0/24 |
Remote ID type | Host & Domain name |
Remote ID value | tunnela.mycompany.com |
Authenticate by | Certificate presented by peer |
Creating a firewall rule
For traffic to flow through the tunnel, you must create a firewall rule that allows traffic to be routed between the internal networks and the clients connecting via IPSEC. This is done in the Network - Firewall section. For a bi-directional rule, select both the IPSEC and Internal interfaces as both incoming and outgoing interfaces, and select the Accept action.
Testing
As before, restart both ends of the tunnel. If the tunnel fails to come up, the most likely cause is a mismatch of IDs. Check the IDs in the certificates by clicking on them on the Certificates page; the ID shown is the same as the Certificate ID that the peer must be configured to expect. Examine the log for telltale messages.