User Guide for SonicWALL 5.8.1
VPN > Settings
SonicOS 5.8.1 Administrator Guide
Configuring a VPN Policy with IKE using a Third Party Certificate
Warning
You must have a valid certificate from a third party Certificate Authority installed on
your SonicWALL before you can configure your VPN policy with IKE using a third
party certificate.
To create a VPN SA using IKE and third party certificates, follow these steps:
Step 1
In the VPN > Settings page, click Add. The VPN Policy window is displayed.
Step 2
In the Authentication Method list in the General tab, select IKE using 3rd Party
Certificates. The VPN Policy window displays the 3rd party certificate options.
Step 3
Type a Name for the Security Association in the Name field.
Step 4
Type the IP address or Fully Qualified Domain Name (FQDN) of the primary remote SonicWALL
in the IPsec Primary Gateway Name or Address field. If you have a secondary remote
SonicWALL, enter the IP address or Fully Qualified Domain Name (FQDN) in the IPsec
Secondary Gateway Name or Address field.
Step 5
Under IKE Authentication, select a third party certificate from the Local Certificate list. You
must have imported local certificates before selecting this option.
Step 6
Select one of the following Peer ID types from the Peer IKE ID Type menu:
– E-Mail ID and Domain Name - The Email ID and Domain Name types are based on
the certificate's Subject Alternative Name field, which is not contained in all certificates
by default. If the certificate contains a Subject Alternative Name, that value must be
used. For site-to-site VPNs, wildcard characters (such as * for more than one character
or ? for a single character) cannot be used. The full value of the E-Mail ID or Domain
Name must be entered. This is because site-to-site VPNs are expected to connect to a
single peer, as opposed to Group VPNs, which expect multiple peers to connect.
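As an added example (not from the guide or from SonicWALL), a small Python check that reads the Subject Alternative Name as printed by `openssl x509 -noout -ext subjectAltName -in peer.pem` and verifies the value you intend to enter as the Peer IKE ID against it, applying the rules above: the chosen ID type must actually be present in the certificate's SAN, a site-to-site policy takes the full value with no * or ? wildcards, and the comparison is exact. The sample openssl output and the `vpn-gw.example.com` names are constructed; glob-style wildcard matching for Group VPN peers is an assumption.

```python
import fnmatch
from typing import Dict, List

# Constructed sample of what `openssl x509 -noout -ext subjectAltName -in peer.pem`
# prints for a peer certificate whose SAN carries an e-mail and a DNS name.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    email:vpn-gw@example.com, DNS:vpn-gw.example.com
"""

# Maps the Peer IKE ID Type names shown in the VPN Policy dialog to the
# SAN entry types that openssl prints for them.
ID_TYPE_TO_SAN = {"E-Mail ID": "email", "Domain Name": "DNS"}


def parse_san(openssl_text: str) -> Dict[str, List[str]]:
    """Group SAN entries by type, e.g. {'email': [...], 'DNS': [...]}."""
    entries: Dict[str, List[str]] = {}
    for line in openssl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3 Subject Alternative Name"):
            continue
        for item in line.split(","):
            kind, sep, value = item.strip().partition(":")
            if sep and value:
                entries.setdefault(kind, []).append(value)
    return entries


def check_peer_ike_id(openssl_text: str, id_type: str, peer_id: str,
                      site_to_site: bool = True) -> str:
    """Return 'ok' or a short reason why this Peer IKE ID will not match."""
    san = parse_san(openssl_text)
    kind = ID_TYPE_TO_SAN[id_type]
    if kind not in san:
        # The chosen ID type relies on a SAN entry this certificate lacks.
        return "no-san"
    if any(ch in peer_id for ch in "*?"):
        if site_to_site:
            # Site-to-site policies expect one peer: the full value is required.
            return "wildcard"
        # Assumption: Group VPN wildcards match glob-style (* and ? as above).
        matched = any(fnmatch.fnmatchcase(v, peer_id) for v in san[kind])
        return "ok" if matched else "mismatch"
    # The SAN value must be entered in full, so the comparison is exact.
    return "ok" if peer_id in san[kind] else "mismatch"


if __name__ == "__main__":
    for case in [("E-Mail ID", "vpn-gw@example.com"),
                 ("Domain Name", "*.example.com"),
                 ("Domain Name", "vpn-gw.example.org")]:
        print(case, check_peer_ike_id(SAMPLE_SAN_OUTPUT, *case))
```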