[Top] [Prev] [Next] [Bottom]
Page 15 out of 51 total pages , Page 5 out of 7 pages in this chapter

Configuring branch office connection IPSec settings

  1. To change branch office IPSec settings, select Profiles > Branch Office, then click Edit for the connection that you want to configure. The Branch Office > Edit Connection screen appears (Figure 3).

    Figure 3: Profiles > Branch Office > Edit Connection screen

  2. Use the Tunnel Type drop-down list to change the tunnel type for the connection. To configure IPSec settings, select IPSec as the tunnel type. The default type is IPSec.

    Note: If you change the Tunnel Type, the fields in the Authentication portion of this screen change to reflect the configuration requirements of the selected Tunnel Type.

  3. Configure the IPSec authentication attributes in the Authentication section of the screen. This section configures the authentication used between the local and remote branch office gateways. The fields that appear depend on whether you are using an IPSec, PPTP, or L2TP tunnel type. The IPSec authentication fields are described in the following steps.
  4. Enter the Pre-Shared Key: Text or Hex String. This is an alphanumeric text or hexadecimal string used between the local and remote branches for authentication. For authentication to succeed, the same pre-shared string must be configured on both the local and remote branch offices.
  5. Configure the Certificates section of the screen. Certificates are associated with each endpoint gateway and allow mutual authentication between the two ends of a connection. This section of the screen includes information about the remote branch office system, the authority that issued the certificate, and the certificate identification.
  6. Configure the Remote Identity. This is the name of the remote peer initiating the tunnel connection. You can use either a Subject Distinguished Name (Subject DN) or a Subject Alternative Name to uniquely identify the remote branch office system. Specifying both a full Subject DN and a Subject Alternative Name on this screen allows the remote peer to use either identity form when making a connection.
  7. Select a Valid Issuer Certificate Authority from the drop-down list box. This CA is the issuer of the remote peer's certificate or a higher-level CA in the remote peer's certificate hierarchy. The CA must have the trusted flag set on the Certificates screen. If a CA hierarchy is used, every intermediate CA below the trusted CA must have been imported to the gateway. These Certificate Authorities are configured from the System > Certificates: Generate Certificate Request screen.
  8. Configure the Subject Distinguished Name. If you are using a distinguished name to identify the remote branch office site, you can enter the DN either as a relative distinguished name or as a full distinguished name. The DN entered here must exactly match the DN in the remote peer's certificate.
  9. Configure the Relative distinguished name. The Relative distinguished name has the following supported components:

    Note: Do not include the attribute type as part of your entries in the Relative section. For example, for a name of CN=Mygateway, your entry would be Mygateway (without the CN attribute type).

  10. Enter the Full distinguished name. You can enter the Full Distinguished Name (FDN) directly in this field rather than entering the individual components in the Relative distinguished name fields described above. For example:

    CN=Mygateway, O=MyCompany, C=US

  11. Configure the Subject Alternative Name. You can optionally use a Subject Alternative Name in place of a Subject DN, and specify the format of the name. The following formats are acceptable.
  12. Specify the Local Identity. The Local Identity is the name your gateway uses to identify itself when initiating or responding to a connection request. You can use either a Subject Distinguished Name (Subject DN) or a Subject Alternative Name to uniquely identify your system. If you select a subject alternative name from your gateway's certificate, that identity is used in place of your gateway's subject DN when communicating with peers.

    Note: Your gateway's server certificate only has subject alternative names if your CA issued the certificate with the alternative names. For example, with the Entrust PKI, the VPN connector can issue certificates with DNS name, IP address, or Email alternative names.

  13. Configure the Server Certificate. Click the drop-down list box to view all certificates that have been issued to the server. Server Certificates are configured from the System > Certificates: Generate Certificate Request screen.
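The identity and issuer rules in the steps above (exact DN match with the peer's certificate, values only in the Relative fields, a Subject Alternative Name usable in place of the DN, a Valid Issuer CA that is flagged trusted with every intermediate below it imported) are easy to get subtly wrong. The following Python model is an added example, not Contivity code, that reproduces those rules on constructed certificate data so you can see which misconfigurations cause a peer to be rejected. The Cert class, the TYPE:value spelling of alternative names, and the sample gateway and CA names are assumptions made for the example.

```python
"""Added example (not Contivity code): models the Remote Identity and Valid Issuer
CA checks described for the Branch Office > Edit Connection screen."""
from dataclasses import dataclass


def parse_dn(dn):
    """Split 'CN=Mygateway, O=MyCompany, C=US' into [('CN', 'Mygateway'), ...].
    Attribute types compare case-insensitively; values compare exactly, because the
    gateway requires an exact match with the DN in the peer's certificate."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"RDN {rdn!r} has no attribute type (expected TYPE=value)")
        attr, value = rdn.split("=", 1)
        parts.append((attr.strip().upper(), value.strip()))
    return parts


def dn_from_relative_fields(fields):
    """Build a DN from the separate Relative fields, given as (type, value) pairs in
    screen order. Rejects a value that repeats the attribute type (typing
    'CN=Mygateway' into the CN field), the mistake the manual's note warns about."""
    dn = []
    for attr, value in fields:
        if "=" in value:
            raise ValueError(f"{attr} field must hold only the value, not {value!r}")
        dn.append((attr.upper(), value.strip()))
    return dn


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an imported certificate (constructed test data)."""
    subject: str
    issuer: str
    sans: tuple = ()        # alternative names written as 'DNS:...', 'IP:...', 'EMAIL:...' (assumed spelling)
    trusted: bool = False   # the trusted flag set on the Certificates screen


def identity_matches(cert, remote_identity):
    """remote_identity is either a DN string or a Subject Alternative Name as TYPE:value."""
    if "=" not in remote_identity and ":" in remote_identity:
        kind, _, value = remote_identity.partition(":")
        for san in cert.sans:
            san_kind, _, san_value = san.partition(":")
            if san_kind.upper() == kind.upper() and san_value == value:
                return True
        return False
    return parse_dn(remote_identity) == parse_dn(cert.subject)


def _key(dn):
    return tuple(parse_dn(dn))


def chain_to_trusted_ca(peer, imported, valid_issuer_ca):
    """Walk issuer links from the peer certificate through the imported CA certificates.
    Returns (ok, reason). The selected Valid Issuer CA must be the peer's issuer or a
    higher CA in its hierarchy, it must carry the trusted flag, and every intermediate
    below it must be present in the imported set."""
    by_subject = {_key(c.subject): c for c in imported}
    cert = peer
    for _ in range(len(imported) + 1):   # bounded walk; a cycle in the store is itself a misconfiguration
        issuer = by_subject.get(_key(cert.issuer))
        if issuer is None:
            return False, f"issuer {cert.issuer!r} not imported"
        if _key(issuer.subject) == _key(valid_issuer_ca):
            if not issuer.trusted:
                return False, f"{valid_issuer_ca!r} is not flagged trusted"
            return True, "ok"
        if _key(issuer.subject) == _key(issuer.issuer):   # self-signed root reached first
            return False, f"reached root {issuer.subject!r} without meeting {valid_issuer_ca!r}"
        cert = issuer
    return False, "issuer chain does not terminate"


def check_connection(peer, imported, remote_identity, valid_issuer_ca):
    """Combined check in the order the screen presents it: identity first, then issuer."""
    if not identity_matches(peer, remote_identity):
        return False, "remote identity does not match the peer certificate"
    return chain_to_trusted_ca(peer, imported, valid_issuer_ca)


# Constructed sample hierarchy: root CA (trusted) -> VPN intermediate CA -> branch gateway.
ROOT = Cert("CN=MyCompany Root CA, O=MyCompany, C=US",
            "CN=MyCompany Root CA, O=MyCompany, C=US", trusted=True)
INTER = Cert("CN=MyCompany VPN CA, O=MyCompany, C=US", ROOT.subject)
PEER = Cert("CN=Mygateway, O=MyCompany, C=US", INTER.subject,
            sans=("DNS:gw.branch.example", "IP:192.0.2.10"))

if __name__ == "__main__":
    print(check_connection(PEER, [ROOT, INTER], "CN=Mygateway, O=MyCompany, C=US", ROOT.subject))
    print(check_connection(PEER, [ROOT], "CN=Mygateway, O=MyCompany, C=US", ROOT.subject))
```

Running it with the full hierarchy imported reports (True, 'ok'); leaving out the intermediate CA reports the missing issuer, which is the symptom the manual's "all intermediary CAs below the trusted CA must have been imported" rule prevents. Note that a DN whose CN differs only in letter case is rejected, matching the exact-match requirement in step 8.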



Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services Gateway