Creating the tunnel on the secondary system

Prerequisite

• Example IPsec site-to-site and X509 authentication configuration.

Procedure

Note: You can safely leave all advanced settings at their default values.

1. In the secondary system, on the NETWORK menu, under the VPN submenu, click IPsec subnets.
2. Enter a descriptive Name for the tunnel and to make sure that the tunnel can be started once configuration is completed, select the Enabled option.
3. Select the external Local IP address to use for this tunnel and specify the Local network that the primary system can access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
4. From the Local ID type list, select "Default local Certificate ID" and leave the Local ID value blank. Its value is automatically retrieved by the Smoothwall during the connection process.
5. Enter the external Remote IP or host name address of the primary system. Unlike the first tunnel specification, this can't remain blank. The secondary system acts as the initiator of the connection. Therefore, it needs a destination IP address to make first contact.
6. Enter the Remote network on the primary system that the secondary system can access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
7. From the Remote ID type list, select User specified Host & Domain Name. This matches the primary system’s certificate type of Host and Domain Name, as listed in Example IPsec Site-to-Site and X509 Authentication Configuration.
8. Enter the Remote ID value (the host name) of the primary system’s default local certificate.
9. Authenticate by From the list, select Certificate provided by peer. This instructs the Smoothwall to authenticate the primary system by validating the certificate it presents as its identity credentials and leave Preshared Key and Preshared Key again blank.
10. If you selected it on the primary system, select the Use compression option and because the secondary system is responsible for its connection to the primary Smoothwall, select the Initiate the connection option
11. Enter a descriptive Comment, for example, "Tunnel to Head Office" and click Add.

Follow-up tasks

• Once the tunnel specifications have been created, the tunnel can be started. To do this, first make sure that the VPN subsystem is connected to both the primary and secondary systems.
• Making sure that the VPN subsystem is working on both systems.
• Initiating VPN connections.