span with external firewall IP wan_ip.
Web Interface
A. Create a Self-signed Certificate for IPsec authentication:
The step to actually create self-signed certificates is performed outside the Web Interface using a suitable
software product. The certificate should be in the PEM (Privacy Enhanced Mail) file format.
B. Upload all the client self-signed certificates:
1. Go to: Objects > Authentication Objects > Add > Certificate
2. Enter a suitable name for the Certificate object
3. Select the X.509 Certificate option
4. Click OK
C. Create Identification Lists:
1. Go to: Objects > VPN Objects > ID List > Add > ID List
2. Enter a suitable name, for example sales
3. Click OK
4. Go to: Objects > VPN Objects > ID List > Sales > Add > ID
5. Enter the name for the client
6. Select Email as Type
7. In the Email address field, enter the email address selected when the certificate was created on the client
8. Create a new ID for every client that is to be granted access rights, according to the instructions above
D. Configure the IPsec tunnel:
1. Go to: Interfaces > IPsec > Add > IPsec Tunnel
2. Now enter:
• Name: RoamingIPsecTunnel
• Local Network: 10.0.1.0/24 (This is the local network that the roaming users will connect to)
• Remote Network: all-nets
• Remote Endpoint: (None)
• Encapsulation Mode: Tunnel
3. For Algorithms enter:
• IKE Algorithms: Medium or High
• IPsec Algorithms: Medium or High
4. For Authentication enter:
• Choose X.509 Certificate as authentication method
• Root Certificate(s): Select all client certificates and add them to the Selected list
• Gateway Certificate: Choose the newly created firewall certificate
• Identification List: Select the ID List that is to be associated with the VPN Tunnel. In this case, it will be
sales
5. Under the Routing tab:
• Enable the option: Dynamically add route to the remote network when a tunnel is established.
6. Click OK
9.4.3. Roaming Clients Chapter 9. VPN
448
To Next Page
Loading...
