Filter
Top Products
Web Interface
A. Create a Self-signed Certificate for IPsec authentication:
The step to actually create self-signed certificates is performed outside the WebUI using a suitable software
product. The certificate should be in the PEM (Privacy Enhanced Mail) file format.
B. Upload all the client self-signed certificates:
1. Go to Objects > Authentication Objects > Add > Certificate
2. Enter a suitable name for the Certificate object
3. Select the X.509 Certificate option
4. Click OK
C. Create Identification Lists:
1. Go to Objects > VPN Objects > ID List > Add > ID List
2. Enter a suitable name, for example sales
3. Click OK
4. Go to Objects > VPN Objects > ID List > Sales > Add > ID
5. Enter the name for the client
6. Select Email as Type
7. In the Email address field, enter the email address selected when you created the certificate on the client
8. Create a new ID for every client that you want to grant access rights according to the instructions above
D. Configure the IPsec tunnel:
1. Go to Interfaces > IPsec > Add > IPsec Tunnel
2. Now enter:
• Name: RoamingIPsecTunnel
• Local Network: 10.0.1.0/24 (This is the local network that the roaming users will connect to)
• Remote Network: all-nets
• Remote Endpoint: (None)
• Encapsulation Mode: Tunnel
3. For Algorithms enter:
• IKE Algorithms: Medium or High
• IPsec Algorithms: Medium or High
4. For Authentication enter:
• Choose X.509 Certificate as authentication method
• Root Certificate(s): Select all your client certificates and add them to the Selected list
• Gateway Certificate: Choose your newly created firewall certificate
• Identification List: Select your ID List that you want to associate with your VPN Tunnel. In our case that
will be sales
5. Under the Routing tab:
• Enable the option: Dynamically add route to the remote network when a tunnel is established.
6. Click OK
E. Finally configure the IP rule set to allow traffic inside the tunnel.
9.4.3. Roaming Clients Chapter 9. VPN
410