How to configure Site-to-Site VPN between a Locally Managed 600 / 1100 appliance and a Security Gateway
Solution

This article describes configuration steps for Site-to-Site VPN between a Locally Managed 600 / 1100 appliance and a Security Gateway.


Site-to-Site VPN between a Locally Managed 600 / 1100 appliance and an R75 Security Gateway using certificate

This procedure describes the configuration of only the 600 / 1100 appliance side.

Note: For a Site-to-Site VPN connection with an R75 Security Gateway using a certificate, it is sufficient to sign and install the R75 Security Gateway certificate only. There is no need to export and install the Locally Managed 600 / 1100 appliance's certificate on the R75 Security Gateway.

  1. Add the R75 Security Gateway as the CA that signed the remote site's certificate:

    1. Go to "VPN" > "Certificates" > "Trusted CAs".
    2. Click "Add" (a pop up window will appear).
    3. Click "Browse" to upload the R75 Security Gateway CA's Certificate file (*.crt).
    4. Enter a CA's Name.
    5. Click "Apply". The CA (R75 Security Gateway) is added to the "Trusted CAs" list.


  2. Create a new certificate request to be signed by the R75 Security Gateway (CA):

    1. Go to "VPN" > "Certificates" > "Installed Certificates".
    2. Click "New Signing Request" to generate a new Certificate.
    3. Enter a Certificate name.
    4. In the Subject DN, enter a distinguished name (e.g., CN=myGateway).
    5. Optional: To add alternate names for the certificate, click "New", select the "Type", enter the "Alternate name", and click "Apply".
    6. Click "Generate". Note: The newly created certificate's status is "waiting for signed certificate".
    7. Export the signed request (download the signing request from the appliance).
    8. Send the signing request to the R75 Security Gateway's ICA management tool (the CA) for signing.
    9. When the signed certificate from the R75 Security Gateway is received back, upload it to the appliance.

    Note: For details about ICA Management Tool, refer to sk39915 (Invoking the ICA Management Tool).



  3. Upload the signed certificate to the 600 / 1100 appliance:

    To upload the signed certificate from the CA:

    1. Go to "VPN" > "Certificates" > "Installed Certificates".
    2. Click "Upload Signed Certificate".
    3. Browse to the signed certificate file (*.crt).
    4. Click "Complete". The status of the installed certificate record changes from "Waiting for signed certificate" to "Verified".

    To upload a PKCS#12 (*.p12, *.pfx) file:

    1. Click "Upload P12 Certificate".
    2. Browse to the PKCS#12 file (*.p12 or *.pfx).
    3. Edit the Certificate name, if necessary.
    4. Enter the certificate password.
    5. Click "Apply".


  4. Certificate revocation list (CRL) verification:

    By default, the 600 / 1100 appliance performs CRL checks on the remote peer's certificate by retrieving the CRL from the HTTP server of the CA that issued it.

    1. Using the enabled CRL verification:

      Verify that the HTTP server of the R75 Security Gateway (the CA), as listed in the certificate, is correct and reachable from the 600 / 1100 appliance.

      To find the HTTP address for the CRL verification:

      1. Go to "VPN" > "Certificates" > "Installed Certificates".
      2. Double-click on the installed and verified Certificate of the R75 Security Gateway. A pop-up window named "Default certificate details" will appear.

      In the middle of the certificate details, find the "CRL Distribution Points" entry. The HTTP address listed underneath it is where the 600 / 1100 appliance retrieves the CRL for verification.

      If that HTTP address is not reachable, or is not working properly, the CRL verification mechanism can be disabled on the locally managed 600 / 1100 appliance for that trusted CA.

    2. Disable the CRL verification of a specific trusted CA:

      1. Go to "VPN" > "Certificates" > "Trusted CAs".
      2. Edit the Trusted CA by double-clicking on it. A pop-up window will appear.
      3. Clear the following checkboxes:
        • "Retrieve CRL from HTTP Server(s)"
        • "Cache CRL on the Security Gateway"
      4. Click "Apply".


  5. Configure the remote VPN site to use Certificate authentication:

    When configuring the Site-to-Site VPN, make sure the 600 / 1100 appliance uses the certificate as the authentication mechanism, and set the remote site's certificate issuer.

    1. Go to "VPN" tab > "Site to Site" section > "VPN Sites".
    2. Click "New" to create a new VPN Site or click "Edit" to edit an already existing VPN Site (a pop-up window will appear):
      1. Go to "Remote Site" tab > set the "Authentication" option to "Certificate".
      2. Go to "Advanced" tab > "Certificate Matching".
      3. Set the "Remote Site Certificate should be issued by" to the R75 Security Gateway's Trusted CA's Name.
    3. Click "Apply".


Site-to-Site VPN between a Locally Managed 600 / 1100 appliance with Dynamic IP address (DAIP) and a Security Gateway

  1. In SmartDashboard:

    1. Go to "Servers and OPSEC" > "Servers" > "Trusted CA" > open the "internal_ca" object.
    2. Go to "Local Security Management Server" tab > click "Save As..." button to export the internal CA Certificate from the Security Management Server / Domain Management Server.
    3. Save the CA Certificate file (*.crt).


  2. In 600/1100 appliance:

    1. Go to "VPN" > "Certificates" section > "Trusted CAs".
    2. Click "Add" (a pop up window will appear).
    3. Click "Browse" to upload the Security Management Server / Domain Management Server CA's Certificate file (*.crt).
    4. Enter a CA's Name.
    5. Click "Apply". The Management Server CA is added to the "Trusted CAs" list.
    6. Clear the box "Retrieve CRL From HTTP Server(s)".
    7. Highlight the Internal CA for the 1100 appliance (NOT the one we just imported) > click "Export" > save the file.


  3. In SmartDashboard:

    1. Go to "Servers and OPSEC" > "Servers" > right-click on the "Trusted CA" - select "New CA" > select "Trusted..."
    2. Fill the name for the new Trusted CA server (e.g., CA1100).
    3. Go to "OPSEC PKI" tab > click "Get..." button to import the CA cert (the *.crt file exported from the appliance in Step 2, item 7 above).
    4. In the section "Retrieve CRL From", clear the box "HTTP Server(s)".
    5. Click "OK" to save the new Trusted CA.
    6. Create an object that represents the 600/1100 appliance - go to "Manage" menu > select "Network Objects..." > click "New..." > click "Interoperable Device...":
      1. Go to "General Properties" pane > in the "IPv4 Address" field, check the box "Dynamic Address".
      2. Go to "Topology" pane > add the relevant interfaces. For External interface, check the box "Dynamic IP".
      3. Go to "IPSec VPN" pane > click "Add..." to add the VPN community.
      4. Click "Matching Criteria..." button > choose the new trusted CA created in Step 3, items 1-5 above.
      5. Check the box "DN".
        In the WebUI of 600/1100 appliance, go to "VPN" tab > "Certificates" section > "Installed Certificates" > right-click on the "Default Certificate" > select "Details..." > in the second line "Subject: CN=...", copy the text from CN= to the end of the line (e.g., CN=00:1C:7F:22:07:70 VPN Certificate,O=00:1C:7F:22:07:70..h9h968).
        Paste this text in the "DN" field.
      6. Click "OK" to apply the changes and close this object's properties.
    7. Click "Close" to close the "Network Objects" window.
    8. Install the policy on all involved objects.
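The "DN" matching criterion in item 5 above only succeeds when the Subject DN the appliance presents during IKE is identical, RDN by RDN, to the string pasted into the Interoperable Device object, so a copy/paste slip in that long CN/O value is a common reason the "Test" in Step 4 fails. The following is an added example, not part of this SK article and not Check Point code: a small RFC 2253-style DN parser and comparison helper that reports exactly which RDN differs. The sample DN is constructed to mirror the shape shown above, and the helper assumes the gateway compares RDNs in order with values taken verbatim (an assumption for illustration, not a description of the gateway's internal matching rules).

```python
"""Added example (not Check Point code): parse and compare X.509 Distinguished
Names the way the "DN" matching criterion in Step 3 expects them to line up.

Assumptions (not taken from the SK article): RDNs are compared in order, the
attribute type is case-insensitive, and the attribute value is compared
verbatim. The sample DN below is constructed for illustration only.
"""

from typing import List, Tuple

Rdn = Tuple[str, str]  # (attribute type, attribute value)


def parse_dn(dn: str) -> List[Rdn]:
    """Split an RFC 2253 DN string into (type, value) pairs.

    A backslash escapes the following character, so "O=Acme\\, Inc." stays one
    RDN. Attribute types are upper-cased and surrounding whitespace trimmed;
    values keep their exact text (spaces and ':' inside the CN are significant).
    """
    pieces: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))

    rdns: List[Rdn] = []
    for piece in pieces:
        if not piece.strip():
            continue
        if "=" not in piece:
            raise ValueError(f"RDN without '=': {piece!r}")
        attr_type, attr_value = piece.split("=", 1)
        rdns.append((attr_type.strip().upper(), attr_value.strip()))
    return rdns


def format_dn(rdns: List[Rdn]) -> str:
    """Re-serialize a parsed DN, escaping commas that occur inside values."""
    return ",".join(f"{t}={v.replace(',', chr(92) + ',')}" for t, v in rdns)


def dn_mismatches(configured: str, presented: str) -> List[str]:
    """Compare the DN typed into "Matching Criteria" with the DN a peer presents.

    Returns a list of human-readable differences; an empty list means the
    presented certificate satisfies the DN criterion.
    """
    a = parse_dn(configured)
    b = parse_dn(presented)
    problems: List[str] = []
    if len(a) != len(b):
        problems.append(f"RDN count differs: configured {len(a)}, presented {len(b)}")
    for i, (x, y) in enumerate(zip(a, b)):
        if x[0] != y[0]:
            problems.append(f"RDN {i}: type {x[0]!r} vs {y[0]!r}")
        elif x[1] != y[1]:
            problems.append(f"RDN {i} ({x[0]}): value {x[1]!r} vs {y[1]!r}")
    return problems


# Constructed sample in the shape shown in Step 3 (MAC-address-based CN and O).
CONFIGURED_DN = "CN=00:1C:7F:22:07:70 VPN Certificate,O=00:1C:7F:22:07:70..h9h968"

if __name__ == "__main__":
    # An exact copy matches: []
    print(dn_mismatches(CONFIGURED_DN, CONFIGURED_DN))
    # A typical copy/paste slip: the last character of the O value dropped.
    print(dn_mismatches(
        CONFIGURED_DN,
        "CN=00:1C:7F:22:07:70 VPN Certificate,O=00:1C:7F:22:07:70..h9h96",
    ))
```

Run it as a script to see the two cases, or call `dn_mismatches()` with the DN from the appliance's "Details..." window and the value saved in the Interoperable Device object to pinpoint which RDN was mistyped before re-installing the policy.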


  4. In 600/1100 appliance:

    1. Go to "VPN" tab > "Site to Site" section > "VPN Sites".
    2. Highlight the involved VPN site > click "Test". You should see "OK" after a couple of seconds.

    Since the 600 / 1100 appliance is assigned a Dynamic IP address, the Central Security Gateway does not know that IP address before the VPN tunnel is initiated. Therefore, you can initiate a VPN tunnel only from the 600 / 1100 side.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
