Gateway-to-Gateway VPN with Certificate

Product

SonicWALL PRO 2040 with SonicOS Enhanced 3.1.0.11
SonicWALL TZ 150 Wireless with SonicOS Standard 3.1.0.11
Microsoft Windows Server 2003, Standard Edition

This document describes how to configure a SonicWALL Internet security appliance running SonicOS Enhanced and SonicOS Standard to implement a VPN Tunnel with Certificates.

This document contains the following sections:
• Import CA certificate to appliance
• Create local certificates for appliances
• Create VPN Tunnel (IKE using 3rd Party Certificates)
• Diagnostics

Gateway SonicWALL TZ 150 connects the internal LAN 10.10.150.0/24 to the Internet. Gateway SonicWALL TZ 150's LAN interface has the address 10.10.150.254, and its WAN (Internet) interface has the address 10.10.10.2.

Gateway SonicWALL PRO 2040 connects the internal LAN 10.121.1.0/24 to the Internet. Gateway SonicWALL PRO 2040's WAN (Internet) interface has the address 10.10.10.2, and its LAN interface has the address 10.121.1.254.

Setup Process Tasks

• Connect the management workstation to a SonicWALL TZ 150 LAN interface.
• Set the IP address of the management workstation to 192.168.168.100.
• Log in to the management GUI of the SonicWALL security appliance using a current Web browser.
• Change the IP address of the internal (LAN) interface to 10.10.150.254 and apply the changes.
• Set the IP address of the management workstation to 10.10.150.100 and log in again to the SonicWALL security appliance.
• Change the IP address of the external (WAN) interface to 10.10.10.2 and apply the changes.
• Connect the management workstation to the SonicWALL PRO 2040 LAN interface.
• Set the IP address of the management workstation to 192.168.168.100.
• Log in to the management GUI of the SonicWALL security appliance using a current Web browser.
• Change the IP address of the internal (LAN) interface to 10.121.1.254 and apply the changes.
• Set the IP address of the management workstation to 10.121.1.100 and log in again to the SonicWALL security appliance.

Setup Procedures for the SonicWALL TZ 150

Import the certificate of the CA to the security appliance.

The Certification Authority is part of Microsoft Windows Server 2003 and is managed in the Microsoft Management Console 2.0. To start the Certification Authority, follow Start > Administrative Tools > Certification Authority. The Certification Authority must run as a Standalone Root CA.

Select your Certification Authority; in this example it is SonicDEMO.

Right-click the CA (for example SonicDEMO) and select Properties.

This starts the Certificate Export Wizard.

For the export file, use the following format: Export File Format: DER encoded binary X.509 (.CER).

This file can now be copied to the management console that is connected to the TZ 150.

Log into the SonicWALL security appliance's Management GUI using a current Web browser. Proceed to the VPN > CA Certificates page. Under the Please select a CA cert to import section, import the CA certificate by clicking on the Select icon. This will bring up the Select File dialog page.

Obtain a local certificate.

Proceed to the VPN > Local Certificates page. Under the Generate Certificate Signing Request section, request a local certificate by filling in the required fields.

For this scenario we also need the additional attribute Email, which can be specified under "Subject Alternative Name (Optional)" by selecting E-mail Address. As the value we use "TZ150@sonicwall.com".

Clicking on the Generate icon generates the request, which then needs to be stored.

This will bring up the Export dialog page.

Create a signed certificate

Back on the CA server, in the Certification Authority application.

Right-click the active CA (e.g. SonicDEMO) and choose All Tasks > Submit new request to import the certificate request from the TZ 150 appliance into the CA's "Pending Requests" container.

To turn this request into a valid certificate, it has to be issued.

In the Pending Requests container, select the actual request (the last in the list), right-click it and choose All Tasks > Issue.

This step moves the request from Pending Requests to Issued Certificates. Export it to a file.

Under Details, copy the content with Copy to File.

For the export file, use the following format: Export File Format: DER encoded binary X.509 (.CER).

Back on the TZ 150 management console, the signed certificate can now be imported.

VPN-Tunnel Definition

Proceed to the VPN > Settings page. Under the VPN Policies section, add a new policy.

Note: the e-mail address is case-sensitive.
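The certificate steps performed on both appliances (generate a signing request carrying the E-mail Address Subject Alternative Name, have the standalone root CA issue it, export the CA and local certificates as DER encoded binary X.509 (.CER), and respect that the e-mail address is case-sensitive) can be rehearsed and checked offline with OpenSSL. The script below is an added example; it is not part of the SonicWALL technote and not a SonicWALL tool. The CA name SonicDEMO and the address TZ150@sonicwall.com come from the text, while the file names, the working directory and the helper function names are constructed for the example. It builds a standalone root CA, a TZ 150 request with the e-mail SAN, the issued certificate and DER exports, then checks that each export parses as DER, that the local certificate chains to the CA, and that the certificate carries exactly the expected address.

```shell
#!/bin/sh
# Added example, not part of the SonicWALL technote: rehearses the
# certificate workflow with OpenSSL (standalone root CA "SonicDEMO", a
# request carrying the e-mail SAN, the issued certificate exported as a
# DER .cer file) so exported files can be checked before they are imported.
# File names, the working directory and function names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a minimal openssl req config: $1 = file, $2 = CN, $3 = optional e-mail SAN.
write_req_cnf() {
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        if [ -n "${3:-}" ]; then
            printf 'req_extensions = ext\n[ext]\nsubjectAltName = email:%s\n' "$3"
        fi
        printf '[dn]\nCN = %s\n' "$2"
    } > "$1"
}

# Build the chain: a self-signed CA with CA extensions, a TZ 150 request whose
# config carries subjectAltName=email:<addr>, the issued certificate, and DER
# copies of both certificates (the export format the technote asks for).
build_chain() {
    email="$1"
    write_req_cnf "$WORK/ca.cnf" SonicDEMO
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.csr" -config "$WORK/ca.cnf" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

    write_req_cnf "$WORK/tz150.cnf" TZ150 "$email"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/tz150.key" \
        -out "$WORK/tz150.csr" -config "$WORK/tz150.cnf" 2>/dev/null
    # Issue the request; the e-mail SAN is taken from the [ext] section.
    openssl x509 -req -in "$WORK/tz150.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
        -extfile "$WORK/tz150.cnf" -extensions ext \
        -out "$WORK/tz150.pem" 2>/dev/null
    # Export both certificates as DER encoded binary X.509 (.CER).
    openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"
    openssl x509 -in "$WORK/tz150.pem" -outform DER -out "$WORK/tz150.cer"
}

# Succeeds when FILE parses as a DER encoded X.509 certificate.
is_der_cert() { openssl x509 -inform DER -in "$1" -noout 2>/dev/null; }

# Print the e-mail SAN entries of a PEM signing request, one per line.
csr_san_emails() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -o 'email:[^, ]*' | sed 's/^email://'
}

# Print the e-mail SAN entries of a DER certificate, one per line.
cert_san_emails() {
    openssl x509 -inform DER -in "$1" -noout -text 2>/dev/null | grep -o 'email:[^, ]*' | sed 's/^email://'
}

# Succeeds only when the certificate's e-mail SAN equals ADDR byte for byte;
# the comparison is case-sensitive, as the technote's note warns.
san_matches() { [ "$(cert_san_emails "$1")" = "$2" ]; }

# Succeeds when the local certificate chains to the given CA certificate.
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

build_chain "TZ150@sonicwall.com"
echo "CSR e-mail SAN:  $(csr_san_emails "$WORK/tz150.csr")"
echo "cert e-mail SAN: $(cert_san_emails "$WORK/tz150.cer")"
is_der_cert "$WORK/tz150.cer" && echo "tz150.cer is DER encoded X.509"
verify_against_ca "$WORK/ca.pem" "$WORK/tz150.pem" && echo "tz150 chains to SonicDEMO"
san_matches "$WORK/tz150.cer" "tz150@sonicwall.com" || echo "lower-case address does not match (case-sensitive)"
```

Run it with sh; it needs only the openssl command-line tool. The same checks apply to the files exported from the Windows CA: is_der_cert confirms the export format before the import on the appliance, and san_matches shows why an address entered in a different case in the VPN policy will not match the certificate.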

Setup Procedures for the PRO 2040

Import the certificate of the CA to the appliance.

Log into the SonicWALL security appliance's Management GUI using a current Web browser. Proceed to the System > Certificates page. Under the Import section, import the CA certificate by selecting "Import a CA certificate …" and clicking on the Select icon.

Obtain a local certificate.

Proceed to the System > Certificates page and click the New Signing Request button.

With the Generate button we create the request and can save it to a file.

Create a signed certificate.

Proceed in the same way as for the TZ 150.

The new certificate for the PRO 2040 will show up in the list of certificates.

Setup Procedures VPN-Tunnel

All other settings are default for this “Main Mode” tunnel.

Diagnostics

The Diagnostic Tools are located on the System > Diagnostics page. To test network connectivity you can pick Ping from the list of Diagnostic Tools.
