Configuring VPN
R81.10.X Quantum Spark 1500, 1600, 1800, 1900, 2000 Appliances Locally Managed Administration Guide|306
Configuring Site to Site VPN with a Certificate
Introduction
In this Site to Site VPN configuration method, a certificate is used for authentication.
Prerequisites
- Make sure the Site to Site VPN blade is set to On and that Allow traffic from remote sites is selected (this is the default). See "Configuring the Site to Site VPN Blade" on page 337.
- The peer device that you connect to must be configured and connected to the network. If it is a DAIP gateway, its host name must be resolvable.
- You must reinitialize certificates with your IP address or resolvable host name. Make sure the certificate is trusted on both sides.
- VPN encryption settings must be the same on both sides (the local gateway and the peer gateway). This is especially important when you use the Custom encryption option.
Configuration
1. Reinitialize certificates - Use the Reinitialize certificates option described in "Managing Installed Certificates" on page 189. Make sure this is done on both the local and the peer gateway (if they both use locally managed Check Point appliances).
2. Trust CAs on the local and peer gateways - Use one of these procedures:
   - Exchange CAs between gateways.
   - Sign a request using one of the gateway's CAs.
   - Authenticate by using a 3rd party CA.
   - Authenticate with an existing 3rd party certificate.
3. Use certificate authentication to create the VPN site.
   a. Follow the instructions in "Configuring VPN Sites" on page 340.
   b. To make sure the specified certificate is used, enter the peer gateway's certificate information in Advanced > Certificate Matching.
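The two checks that this procedure establishes, shown as an added illustration that is not part of this guide or of the appliance's own code: the peer certificate must chain to a CA in the local Trusted CA list (step 2), and its subject alternative name must match the peer's host name or IP (step 3b, Certificate Matching). The CA, the peer certificate, the name peer.example.com / 203.0.113.10 and the helper functions are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl under parent (pass the same template twice for a self-signed CA) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// BuildScenario constructs test data only: the peer gateway's CA and a peer certificate it issued
// for the hypothetical peer name peer.example.com / 203.0.113.10 (documentation address range).
func BuildScenario() (peer, peerCA *x509.Certificate) {
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caKey, leafKey := newKey(), newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Peer Gateway CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	peerCA = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "peer.example.com"},
		NotBefore: from, NotAfter: to, DNSNames: []string{"peer.example.com"},
		IPAddresses: []net.IP{net.ParseIP("203.0.113.10")}}
	return issue(leaf, peerCA, &leafKey.PublicKey, caKey), peerCA
}
// PeerTrusted applies the two checks the procedure establishes: the certificate must chain to a CA in this
// gateway's Trusted CA list (the exchanged CA) and its SAN must match the peer's host name or IP (matching).
func PeerTrusted(peer *x509.Certificate, trusted []*x509.Certificate, peerName string) error {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, DNSName: peerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}) // an IPsec peer is not a TLS server
	return err
}
```

A peer whose CA was never added to the Trusted CA list, or whose certificate was reinitialized for a different name, is rejected even though the certificate itself is valid.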
Trust Procedures
Exchange CAs between gateways:
Click Add to add the Trusted CA of the peer gateway. This makes sure the CA is uploaded on both the local and peer gateways. See "Managing Trusted CAs" on page 357.
Sign a request using one of the gateway's CAs: