Section 35.1.7.3, Example – Westermo RedFox Series User Manual
Page 806

Westermo OS Management Guide
Version 4.17.0-0
thus this use case cannot be configured via the Web interface. However,
a similar service can be achieved via the trusted peer use case, see
• For comments on other settings, see the related example in
Example

Alice's Configuration:

  tunnel
  ipsec 0
  enable
  no aggressive
  pfs
  no ike
  no esp
  no peer
  no outbound
  local-id dn "C=US, O=ACME, CN=Alice"
  remote-id dn "C=US, O=FOOBAR, CN=*"
  local-subnet 10.0.1.0/24
  remote-subnet 10.0.2.0/24 shared
  method cert
  local-cert AliceCert
  no remote-cert
  remote-ca dn "C=US, O=FOOBAR, CN=FoobarCA"
  no initiator
  dpd-action clear
  dpd-delay 30
  dpd-timeout 120
  sa-lifetime 28800
  ike-lifetime 3600
  end
  end

Bob's Configuration:

  tunnel
  ipsec 0
  enable
  no aggressive
  pfs
  no ike
  no esp
  peer 10.10.1.2
  no outbound
  local-id dn "C=US, O=FOOBAR, CN=Bob"
  remote-id dn "C=US, O=ACME, CN=Alice"
  local-subnet 10.0.2.128/29
  remote-subnet 10.0.1.0/24
  method cert
  local-cert BobCert
  no remote-cert
  remote-ca dn "C=US, O=ACME, CN=AcmeCA"
  initiator
  dpd-action restart
  dpd-delay 30
  dpd-timeout 120
  sa-lifetime 28800
  ike-lifetime 3600
  end
  end
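The two configurations above only work together if they mirror each other: one side dials (initiator with a peer address) and the other answers; Alice's wildcard remote-id "C=US, O=FOOBAR, CN=*" admits Bob's certificate identity, while Bob's exact remote-id admits only Alice; and each local-subnet is the peer's remote-subnet, or lies inside it where the peer marks that subnet shared. The script below is an added example, not code from the Westermo manual: it parses both sides' CLI text and reports any mismatch. The meaning it gives the shared keyword (a remote-subnet that may cover several peers' smaller local subnets) and its rule that a wildcard remote-id belongs on the responder only are this script's own assumptions, not statements from the manual. The sa-lifetime and ike-lifetime lines are left out of the embedded copies because no check uses them.

```python
"""Pair-consistency check for the Alice/Bob 'tunnel / ipsec 0' example above
(added example, not Westermo code; the rules applied are this script's assumptions)."""
import ipaddress
from fnmatch import fnmatchcase

# Alice's side as printed in the manual (lifetime lines omitted, they are not checked)
ALICE = """tunnel
ipsec 0
enable
no aggressive
pfs
no ike
no esp
no peer
no outbound
local-id dn "C=US, O=ACME, CN=Alice"
remote-id dn "C=US, O=FOOBAR, CN=*"
local-subnet 10.0.1.0/24
remote-subnet 10.0.2.0/24 shared
method cert
local-cert AliceCert
no remote-cert
remote-ca dn "C=US, O=FOOBAR, CN=FoobarCA"
no initiator
dpd-action clear
dpd-delay 30
dpd-timeout 120
end
end"""

# Bob's side as printed in the manual (lifetime lines omitted)
BOB = """tunnel
ipsec 0
enable
no aggressive
pfs
no ike
no esp
peer 10.10.1.2
no outbound
local-id dn "C=US, O=FOOBAR, CN=Bob"
remote-id dn "C=US, O=ACME, CN=Alice"
local-subnet 10.0.2.128/29
remote-subnet 10.0.1.0/24
method cert
local-cert BobCert
no remote-cert
remote-ca dn "C=US, O=ACME, CN=AcmeCA"
initiator
dpd-action restart
dpd-delay 30
dpd-timeout 120
end
end"""


def parse_tunnel(text):
    """Flat CLI text -> dict: 'no X' -> None, bare 'X' -> True, 'X args' -> 'args'."""
    cfg = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line in ("tunnel", "end"):  # context lines carry no setting
            continue
        key, _, rest = line.partition(" ")
        if key == "no":
            cfg[rest.split()[0]] = None
        else:
            cfg[key] = rest or True
    return cfg


def parse_dn(value):
    """'dn "C=US, O=ACME, CN=Alice"' -> [('C', 'US'), ('O', 'ACME'), ('CN', 'Alice')]"""
    return [tuple(p.strip().split("=", 1)) for p in value.split('"')[1].split(",")]


def dn_matches(pattern, dn):
    """RDNs must agree in number, order and type; values may use a '*' glob (e.g. CN=*)."""
    return len(pattern) == len(dn) and all(
        pa == da and fnmatchcase(dv, pv) for (pa, pv), (da, dv) in zip(pattern, dn))


def check_pair(a, b):
    """Return a list of findings; an empty list means the two sides mirror each other."""
    out = []
    if (a.get("initiator") is True) == (b.get("initiator") is True):
        out.append("exactly one side must be the initiator")
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me.get("initiator") is True and not me.get("peer"):
            out.append(f"{name}: initiator has no peer address to dial")
        # the identity each side presents must satisfy the other side's remote-id
        if not dn_matches(parse_dn(other["remote-id"]), parse_dn(me["local-id"])):
            out.append(f"{name}: local-id is not accepted by the peer's remote-id")
        # assumption: a wildcard on the dialling side would accept any cert under
        # remote-ca as the gateway it dials, so wildcards stay on the responder
        if me.get("initiator") is True and "*" in me["remote-id"]:
            out.append(f"{name}: initiator uses a wildcard remote-id")
        # local-subnet must equal the peer's remote-subnet, or lie inside it when the
        # peer marks that subnet 'shared' (assumed meaning of the keyword)
        local = ipaddress.ip_network(me["local-subnet"].split()[0])
        remote_cidr, *flags = other["remote-subnet"].split()
        remote = ipaddress.ip_network(remote_cidr)
        if local != remote and not ("shared" in flags and local.subnet_of(remote)):
            out.append(f"{name}: local-subnet {local} not covered by peer's {remote}")
        # method cert needs a trust anchor: a CA (remote-ca) or the peer's own cert
        if me.get("method") == "cert" and not (me.get("remote-cert") or me.get("remote-ca")):
            out.append(f"{name}: method cert without remote-cert or remote-ca")
    return out


def check_example():
    return check_pair(parse_tunnel(ALICE), parse_tunnel(BOB))
```

Running check_example() on the manual's pair returns an empty list; flipping Bob to no initiator, or dropping the shared keyword from Alice's remote-subnet, produces a finding for the affected rule.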
35.1.7.3 IKE with trusted peer certificates
As an alternative to installing trusted CA certificates, Alice and Bob can import
each other's certificates and use them as trusted peers.
In this user scenario, a VPN unit such as Alice will have to upload/import
• Bob's certificate (BobCert),
• her own certificate (AliceCert), and
• the private key associated with her certificate.
In most cases Alice would also import her CA certificate (CA_A), although this is not
required for this trust model. Typically she would then upload/import her private
© 2015 Westermo Teleindustri AB