Example IPsec Site-to-Site and PSK Authentication Configuration
Preshared Key (PSK) authentication is useful for creating a basic VPN site-to-site connection where there's no need for multiple tunnel authentication and management controls.
- To create the primary tunnel specification on the primary system, on the NETWORK menu, under the VPN submenu, click IPsec subnets.
- Enter a descriptive Name for the tunnel and to make sure that the tunnel can be started once configuration is completed, select Enabled.
- Select the external Local IP address to use for this tunnel and specify the Local network that the secondary system can access. Give this in IP address/network mask format, and make sure it corresponds to an existing local network, for example 192.168.10.0/255.255.255.0.
- From the Local ID type list, select Local IP, which identifies the primary system to the secondary system by the primary system's external IP address, and leave Local ID value empty. It is generated automatically because Local IP was chosen as the Local ID type.
- If the secondary system has a static IP address or host name, enter the Remote IP or hostname. If the secondary system has a dynamic IP address, leave this blank.
- Specify the Remote network on the secondary system that the primary system can access. Give this in IP address/network mask format, and make sure it corresponds to an existing network on the secondary system, for example 192.168.20.0/255.255.255.0.
- From the Remote ID type list, select Remote IP (or ANY if Remote IP was left blank). This means that the primary system identifies the secondary system by the secondary's IP address, if one was specified.
- For Remote ID value, enter the local IP address of the secondary system.
- From the Authenticate by list, select "Preshared Key". This instructs the Smoothwall Firewall to authenticate the secondary system by validating a shared pass phrase.
- Enter a Preshared Key pass phrase, and then re-enter the Preshared Key to confirm it.
- If you want to reduce bandwidth consumption, select the Use compression option. It's useful for low bandwidth connections but demands more processing power.
- Do not select the Initiate the connection option. It's the responsibility of all secondary systems to initiate their own connection to the primary Smoothwall.
- Enter a descriptive Comment, for example: Tunnel to Birmingham Branch, and click Add.
All advanced settings can be safely left at their defaults. The Smoothwall lists the new tunnel in the Current tunnels area. The next step is to create a matching tunnel specification on the secondary (remote) system.
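The steps above are entered by hand on each end, and the two specifications must mirror each other exactly (networks and addresses swapped, the same pass phrase, and only the secondary initiating). The following added example, which is not Smoothwall code and is not taken from the page, models the form's fields in a small `TunnelSpec` class, derives the matching secondary specification from the primary one, and checks both sides for the mistakes that commonly leave a PSK tunnel down: a network given with host bits set, overlapping local and remote networks, a Remote ID type of Remote IP with a blank Remote IP, a Remote ID value that does not match the Remote IP, and a pass phrase mismatch. The `TunnelSpec` class, the `MIN_PSK_LENGTH` threshold, the documentation addresses and the sample pass phrase are all assumptions of this example.

```python
"""Consistency checks for a site-to-site IPsec PSK tunnel pair.

Added example: the field names follow the IPsec subnets form described on
the page; TunnelSpec, the checks and MIN_PSK_LENGTH are assumptions of this
example, not Smoothwall behaviour. All addresses and keys are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

MIN_PSK_LENGTH = 20  # assumed local policy, not a Smoothwall requirement


@dataclass(frozen=True)
class TunnelSpec:
    name: str
    enabled: bool
    local_ip: str              # external address of this system
    local_network: str         # "address/netmask", e.g. 192.168.10.0/255.255.255.0
    remote_ip: str             # "" when the peer has a dynamic address
    remote_network: str
    local_id_type: str         # "Local IP"
    remote_id_type: str        # "Remote IP" or "ANY"
    remote_id_value: str
    preshared_key: str
    use_compression: bool
    initiate_connection: bool
    comment: str = ""


def parse_network(text: str) -> ipaddress.IPv4Network:
    """Accept the form's address/netmask notation; strict=True rejects host bits."""
    return ipaddress.ip_network(text, strict=True)


def validate(spec: TunnelSpec) -> list:
    """Return the problems found in one side's tunnel specification."""
    problems = []
    if not spec.name:
        problems.append("Name is empty")
    try:
        local, remote = parse_network(spec.local_network), parse_network(spec.remote_network)
    except ValueError as exc:
        return problems + [f"bad network: {exc}"]
    if local.overlaps(remote):
        problems.append(f"Local network {local} overlaps Remote network {remote}")
    if spec.remote_ip == "" and spec.remote_id_type == "Remote IP":
        problems.append("Remote IP is blank, so Remote ID type should be ANY")
    if spec.remote_ip and spec.remote_id_value != spec.remote_ip:
        problems.append("Remote ID value does not match Remote IP")
    if len(spec.preshared_key) < MIN_PSK_LENGTH:
        problems.append(f"Preshared Key shorter than {MIN_PSK_LENGTH} characters")
    return problems


def mirror_for_secondary(primary: TunnelSpec, secondary_ip: str) -> TunnelSpec:
    """Derive the matching specification for the secondary system: sides swap,
    the PSK and compression setting are shared, only the secondary initiates."""
    return replace(
        primary,
        local_ip=secondary_ip,
        local_network=primary.remote_network,
        remote_ip=primary.local_ip,
        remote_network=primary.local_network,
        remote_id_type="Remote IP",
        remote_id_value=primary.local_ip,
        initiate_connection=True,
        comment=f"Tunnel to primary ({primary.local_ip})",
    )


def check_pair(primary: TunnelSpec, secondary: TunnelSpec) -> list:
    """Check that the two ends agree; returns a list of mismatches."""
    mismatches = validate(primary) + validate(secondary)
    if primary.preshared_key != secondary.preshared_key:
        mismatches.append("Preshared Keys differ")
    try:
        if (parse_network(primary.local_network) != parse_network(secondary.remote_network)
                or parse_network(primary.remote_network) != parse_network(secondary.local_network)):
            mismatches.append("Local/Remote networks are not mirrored")
    except ValueError:
        pass  # already reported by validate()
    if secondary.remote_ip != primary.local_ip:
        mismatches.append("Secondary's Remote IP is not the primary's Local IP")
    if primary.use_compression != secondary.use_compression:
        mismatches.append("Use compression differs between ends")
    if primary.initiate_connection or not secondary.initiate_connection:
        mismatches.append("Only the secondary system should initiate the connection")
    return mismatches


# Constructed primary-side entry using the page's example networks and
# RFC 5737 documentation addresses; the pass phrase is a placeholder.
PRIMARY = TunnelSpec(
    name="branch-birmingham", enabled=True,
    local_ip="203.0.113.1", local_network="192.168.10.0/255.255.255.0",
    remote_ip="198.51.100.2", remote_network="192.168.20.0/255.255.255.0",
    local_id_type="Local IP", remote_id_type="Remote IP", remote_id_value="198.51.100.2",
    preshared_key="example-psk-replace-with-random-secret",
    use_compression=False, initiate_connection=False,
    comment="Tunnel to Birmingham Branch",
)
SECONDARY = mirror_for_secondary(PRIMARY, "198.51.100.2")


def variant(**overrides) -> TunnelSpec:
    """Copy of PRIMARY with some fields changed, for exercising the checks."""
    return replace(PRIMARY, **overrides)


if __name__ == "__main__":
    for label, spec in (("primary", PRIMARY), ("secondary", SECONDARY)):
        print(label, validate(spec) or "OK")
    print("pair:", check_pair(PRIMARY, SECONDARY) or "OK")
```

For a secondary system with a dynamic address, leave `remote_ip` and `remote_id_value` empty on the primary and set `remote_id_type` to `"ANY"`; `validate` flags the combination of a blank Remote IP with a Remote ID type of Remote IP, which is the mismatch the page's Remote ID type step is warning about.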