Section 35.1.7.1 – Westermo RedFox Series User Manual

Page 802


Westermo OS Management Guide

Version 4.17.0-0

and set his local-id accordingly ("local-id inet 1.2.3.4").

5. Defining local and remote IP subnets: By using DN strings with a common
name (CN) wild-card, a VPN gateway can easily serve multiple road-warriors
using a single IPsec tunnel. E.g., if Alice (IPsec Responder/VPN Gateway) uses
the DN string "C=US, O=ACME, CN=*" as remote-id, it would match certificates
with different CNs (e.g., Bob or Charlie) as long as the other relative distinguished
names (RDNs), here C=US, O=ACME, of the presented certificate
would match.

However, if Alice is to allow multiple VPN peers to connect via a single tunnel
definition, she should allow each peer to have a local subnet (or virtual IP)
corresponding to a part of her configured remote subnet, i.e., her remote
subnet should be shared by Bob, Charlie or any other valid peer. An example
is shown in the figure below, where Alice has declared her remote subnet
10.0.2.0/24 as shared to allow Bob, Charlie and Dave to connect.

[Figure 35.6 (diagram): Alice (GW) on the Intranet 10.0.1.0/24, configured with Remote-id "C=US, O=ACME, CN=*", Remote-subnet 10.0.2.0/24 (Shared) and Peer Address: Any, connected over the Internet to three initiators: Bob (GW) with Local-id "C=US, O=ACME, OU=RD, CN=Bob" and local subnet 10.0.2.128/29; Charlie (PC) with Local-id "C=US, O=ACME, CN=Charlie" and Virtual IP 10.0.2.12/32; Dave (PC) with Local-id "C=US, O=ACME, CN=Dave" and Virtual IP 10.0.2.11/32.]

Figure 35.6: By defining the remote subnet as "shared", one IPsec tunnel definition
at the responder (Alice) can serve multiple initiators (Bob, Charlie, and
Dave).
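The two responder-side decisions described above, matching a presented certificate DN against a wild-card remote-id and checking that each initiator's subnet or virtual IP falls inside the shared remote subnet, can be modelled in a few lines. The following Python is an added example, not Westermo's implementation and not code from the manual; the DN strings and addresses are taken from Figure 35.6, the three rejected peers (Erin, Frank, Grace) are constructed, and the overlap test between admitted peers is an extra check assumed here rather than something the manual describes.

```python
import ipaddress

# Illustrative model of the responder-side checks (added example; not Westermo's
# implementation). DN strings and addresses below come from Figure 35.6.
ALICE_REMOTE_ID = "C=US, O=ACME, CN=*"
ALICE_REMOTE_SUBNET = "10.0.2.0/24"   # declared "shared"


def parse_dn(dn):
    """Split 'C=US, O=ACME, CN=Bob' into [('C', 'US'), ('O', 'ACME'), ('CN', 'Bob')]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(pattern_dn, presented_dn):
    """True if every RDN of the pattern is found, in order, in the presented DN.

    A value of '*' matches any value of that attribute; RDNs absent from the
    pattern (such as Bob's OU=RD) are skipped, which is how one CN=* remote-id
    covers Bob, Charlie and Dave. Simplified matcher (assumption): it does not
    handle multi-valued RDNs.
    """
    pattern = parse_dn(pattern_dn)
    idx = 0
    for attr, value in parse_dn(presented_dn):
        if idx < len(pattern):
            want_attr, want_value = pattern[idx]
            if want_attr == attr and want_value in ("*", value):
                idx += 1
    return idx == len(pattern)


def selector_within_shared_subnet(shared_subnet, peer_local):
    """True if the initiator's local subnet or virtual IP lies inside the shared subnet."""
    shared = ipaddress.ip_network(shared_subnet, strict=False)
    proposed = ipaddress.ip_network(peer_local, strict=False)
    return proposed.version == shared.version and proposed.subnet_of(shared)


def admit_peer(cert_dn, peer_local, admitted,
               remote_id=ALICE_REMOTE_ID, shared_subnet=ALICE_REMOTE_SUBNET):
    """Decide whether a peer may use Alice's shared tunnel; returns (accepted, reason).

    `admitted` maps already-accepted peer DNs to their selectors. The overlap test
    is an added check (assumption) so two peers cannot claim the same addresses.
    """
    if not dn_matches(remote_id, cert_dn):
        return False, "remote-id mismatch"
    if not selector_within_shared_subnet(shared_subnet, peer_local):
        return False, "selector outside shared remote subnet"
    proposed = ipaddress.ip_network(peer_local, strict=False)
    for other_dn, other_sel in admitted.items():
        other = ipaddress.ip_network(other_sel, strict=False)
        if other_dn != cert_dn and proposed.overlaps(other):
            return False, f"selector overlaps {other_dn}"
    return True, "ok"


def run_figure_scenario():
    """Replay Figure 35.6 plus three constructed rejections; returns {DN: reason}."""
    attempts = [
        ("C=US, O=ACME, OU=RD, CN=Bob", "10.0.2.128/29"),
        ("C=US, O=ACME, CN=Charlie", "10.0.2.12/32"),
        ("C=US, O=ACME, CN=Dave", "10.0.2.11/32"),
        ("C=US, O=OTHER, CN=Erin", "10.0.2.13/32"),   # constructed: wrong O= RDN
        ("C=US, O=ACME, CN=Frank", "10.0.3.5/32"),    # constructed: outside 10.0.2.0/24
        ("C=US, O=ACME, CN=Grace", "10.0.2.130/32"),  # constructed: inside Bob's /29
    ]
    admitted, outcome = {}, {}
    for dn, selector in attempts:
        ok, reason = admit_peer(dn, selector, admitted)
        if ok:
            admitted[dn] = selector
        outcome[dn] = reason
    return outcome


if __name__ == "__main__":
    for dn, reason in run_figure_scenario().items():
        print(f"{dn:32} -> {reason}")
```

Running the block accepts Bob, Charlie and Dave and rejects the three constructed peers for the three distinct reasons; the point for a responder is that the wild-card only relaxes the CN, so the remaining RDNs (and, in practice, the issuing CA) still carry the trust decision, and the shared subnet still has to be partitioned between peers.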

35.1.7.1 Common CA: IKE certificates within an organisation

When a company wishes to use IPsec with certificate authentication within its
organisation, all entities (IPsec VPN gateways and users of VPN clients) can have
their certificate issued by the same CA. The CA can either be operated by the
company itself, or by an external (professional) CA organisation.

In this user scenario, a VPN unit such as Alice will have to upload/import


© 2015 Westermo Teleindustri AB
