Example IPsec site-to-site and X509 authentication configuration

This example explains how to create a site-to-site IPsec tunnel using X509 authentication between two Smoothwalls.

Prerequisites

  1. Create a Certificate Authority on the local system. See our help topic, Importing and creating certificate authorities and their certificates.
  2. Create certificates for the local and remote systems, using Host and Domain Name as the ID type. See our help topic, Importing and creating certificates.
  3. Install the local certificate as the default local certificate on the local system.
  4. Export the Certificate Authority certificate in PEM format.
  5. Export the remote certificate in the PKCS#12 container format.
  6. Import and install the certificate as the default local certificate on the remote system.

Procedure

  1. To create the tunnel for the primary system, on the NETWORK menu, under the VPN submenu, click IPsec subnets.
  2. Enter a descriptive Name for the tunnel and select the Enabled option to make sure that the tunnel can be started once configuration is completed.
  3. Select the external Local IP address to use for this tunnel and specify the Local network that the secondary system can access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.10.0/255.255.255.0.
  4. From the Local ID type list, select "Default local Certificate ID" and leave the Local ID value empty. Its value is retrieved by the Smoothwall automatically during the connection process.
  5. If the secondary system has a static IP address or host name, enter the Remote IP or hostname. If the secondary system has a dynamic IP address, leave this blank.
  6. Specify the Remote network on the secondary system that the primary system can access. This should be given in the IP address/network mask format and should correspond to an existing local network. For example, 192.168.20.0/255.255.255.0.
  7. From the Remote ID type list, select "User specified Host & Domain Name" and enter the ID value (the host name) of the secondary system’s default local certificate.
  8. From the Authenticate by list, select "Certificate provided by peer" and leave the Preshared Key and Preshared Key again blank.
  9. To reduce bandwidth consumption, select the Use compression option. Do not select the Initiate the connection option: it is the responsibility of all secondary systems to initiate their own connection to the primary Smoothwall system.
  10. Enter a descriptive Comment, for example, "Tunnel to Branch Office". To create the tunnel specification and add it to the Current tunnels section, click Add.

In this example, the advanced settings can remain set to their default values.
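
Before the files from prerequisites 4 and 5 are imported, they can be checked against the host name entered as the Remote ID value in step 7. The script below is an added example using the OpenSSL command line, not Smoothwall tooling. It assumes the host name is carried in the certificate's subjectAltName DNS entry or common name; all file names, host names and the password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: check exported certificate files before configuring the tunnel.
# All file names, host names and the password below are constructed placeholders.

# check_peer_cert CA_PEM REMOTE_P12 P12_PASSWORD EXPECTED_HOST
# Returns 0 only if the certificate in the PKCS#12 file chains to the CA and
# matches the host name that will be typed in as the Remote ID value.
check_peer_cert() {
  local ca="$1" p12="$2" pass="$3" host="$4" cert rc=0
  cert="$(mktemp)" || return 2
  # Extract the end-entity certificate only; the private key is never written out.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null |
       openssl x509 -out "$cert" 2>/dev/null; then
    echo "FAIL: cannot read a certificate from $p12"; rc=2
  elif ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
    echo "FAIL: certificate is not signed by the CA in $ca"; rc=1
  elif ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "FAIL: certificate does not carry host name $host"; rc=1
  else
    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
  fi
  rm -f "$cert"
  return "$rc"
}

# Build a throwaway CA and peer certificate so the check can be run offline.
make_sample_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=branch.example.test" \
    -keyout "$d/remote.key" -out "$d/remote.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/remote.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/remote.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$d/remote.key" -in "$d/remote.pem" \
    -passout pass:example -out "$d/remote.p12"
}

# Demo on constructed data: the first check passes, the second reports a mismatch.
demo="$(mktemp -d)" && make_sample_pki "$demo"
check_peer_cert "$demo/ca.pem" "$demo/remote.p12" example branch.example.test
check_peer_cert "$demo/ca.pem" "$demo/remote.p12" example hq.example.test
rm -rf "$demo"
```

With real exports, call `check_peer_cert` with the exported CA PEM file, the exported PKCS#12 file, its export password and the host name planned for the Remote ID value.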

Follow-up tasks