Configuring a Site-to-Site VPN
For our exercise, let’s use our SecureCorp.com example network architecture to
build a VPN between the Washington, D.C., PIX (PIX1) and the Prague PIX
(PIX2). To build a site-to-site IPsec VPN using the VPN Wizard, select VPN
Wizard from the Wizards menu. The VPN Wizard window appears, as shown in
Figure 9.64.
Click the Site to Site VPN radio button and select outside from the Select
interface on which the VPN will be enabled pull-down list. Click Next to
proceed to the Remote Site Peer window, shown in Figure 9.65.
From this window, you can choose to use preshared keys or certificates. Using
digital certificates is a more secure VPN tunnel configuration than shared keys:
a preshared key is a single static secret that both peers hold and that has to be
distributed out of band, whereas certificates let each peer prove its identity
without sharing a secret. For simplicity, however, let’s configure the
site-to-site VPN using preshared keys.
www.syngress.com
Figure 9.64 The VPN Wizard Window
522 Chapter 9 • PIX Device Manager
Using our SecureCorp.com example architecture, type 192.168.2.2 in the
Peer IP Address field. This is the outside interface address of the PIX firewall
named PIX2, located in Prague. Next, type an alphanumeric string in the
Pre-shared Key and Reenter Key fields. This key string should be at least eight
characters in length and should not be easily guessable. Remember the key
entered in this step, because you will be required to enter it again when
configuring the remote PIX firewall; the key must be identical on both peers or
IKE Phase 1 negotiation fails. After you click Next, the IKE Policy window
appears, as shown in Figure 9.66.
Select appropriate Encryption, Authentication, and DH Group settings
using the drop-down lists. It is important to remember the specific settings you
select, because you will need to build an identical configuration on the remote
PIX firewall.
NOTE
3DES, which enables stronger encryption capabilities, is only available
with a 3DES license from Cisco.
Figure 9.65 The Remote Site Peer Window
Click Next to proceed to the Transform Set window, shown in Figure 9.67.
Figure 9.66 The IKE Policy Window
Figure 9.67 The Transform Set Window
Similar to the IKE Policy window, the Transform Set screen permits you to
select Encryption and Authentication variables. Again, remember your selections
for configuration on the remote PIX firewall, and click Next. The next window
you see is the IPSec Traffic Selector window, shown in Figure 9.68. From this
window, you will determine the internal addresses that will traverse the tunnel.
For the purposes of our exercise, we will use the entire internal network as
the local site network. Alternatively, you could choose to permit only a subset of
addresses across the VPN. Click the Browse button and select the internal network
address, 172.20.0.0. Click OK and, from the IPSec Traffic Selector
window, click the -> button. The address 172.20.0.0/16 should appear in the
Selected window. Click Next to proceed.
Now that we have established the local site network to be transported across
the VPN, we must select the remote network to which the VPN will connect.
The next window to appear is quite similar to the one we just completed. From
this window, enter the IP address of the Prague internal network, 172.16.0.0,
with a subnet mask of 255.255.0.0. A popup window will appear, indicating that
there is no host/network for 172.16.0.0 in the PIX configuration. When
prompted, click OK to add the new network entry, and the Create Host/Network
window appears. Complete the necessary fields in the Create Host/Network
window and click OK. Click the -> button to add the new network to
the Selected window.
Figure 9.68 The IPSec Traffic Selector Window
Finally, click Finish to complete the VPN Wizard and return to the VPN tab.
Before you can use the VPN, you must repeat the configuration process on the
PIX firewall in Prague, with the peer address, preshared key, IKE policy, and
transform set matching what you entered here and the local and remote
networks swapped. This can be accomplished via a PDM session with the
remote firewall, via the command line, or using other Cisco software such as
CSPM. After finishing the remote firewall configuration, you are ready to begin
testing and using the VPN. Send traffic from one internal network to the other
and confirm with show isakmp sa that a Phase 1 security association exists for
the peer and with show crypto ipsec sa that packets are being encrypted and
decrypted; if the IKE policies or keys differ, no security association forms.
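The command-line side of the same procedure, as an added example that is not the book's own code: a small Python script that renders the PIX 6.x commands equivalent to the wizard choices above for each firewall and then parses both renderings to confirm they are mirror images (same IKE policy, same transform set, same preshared key, peer addresses that point at each other, and crypto access lists with source and destination swapped). PIX1's outside address is not given in this excerpt; 192.168.1.2 with a /24 mask is assumed, as are the preshared key and the 3DES/SHA/group 2 choices; the object names vpn_traffic, strong and outside_map are the example's own.

```python
"""Render the PIX 6.x commands behind the VPN Wizard choices for both firewalls
and check that the two ends are mirror images of each other.
Added example, not the book's code. PIX1's outside address (192.168.1.2/24),
the preshared key and the object names are assumptions for this example."""
import re

PSK = "SecureCorp-DC-PRG-9x2q"   # made up; at least eight characters, not guessable


def build_vpn_config(outside_ip, local_net, remote_net, peer_ip, psk,
                     encryption="3des", hash_alg="sha", dh_group="2"):
    """Commands for one end of the tunnel. local_net/remote_net are
    (address, netmask) pairs. The same algorithms are used for the IKE policy
    and the transform set here; the wizard lets you pick them separately."""
    (lnet, lmask), (rnet, rmask) = local_net, remote_net
    return f"""\
ip address outside {outside_ip} 255.255.255.0
access-list vpn_traffic permit ip {lnet} {lmask} {rnet} {rmask}
nat (inside) 0 access-list vpn_traffic
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-{encryption} esp-{hash_alg}-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer {peer_ip}
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
isakmp enable outside
isakmp key {psk} address {peer_ip} netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption {encryption}
isakmp policy 10 hash {hash_alg}
isakmp policy 10 group {dh_group}
isakmp policy 10 lifetime 86400
"""


def parse_pix_vpn(config):
    """Pull the tunnel-relevant settings out of a PIX configuration."""
    acls, tsets, vpn = {}, {}, {"policy": {}}
    for line in config.splitlines():
        if m := re.match(r"ip address outside (\S+)", line):
            vpn["outside_ip"] = m[1]
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            tsets[m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            vpn["peer"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            vpn["acl_name"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)", line):
            vpn["transform_name"] = m[1]
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            vpn["psk"], vpn["psk_peer"] = m[1], m[2]
        elif m := re.match(r"isakmp policy \d+ (\S+) (\S+)", line):
            vpn["policy"][m[1]] = m[2]
    vpn["transform"] = tsets.get(vpn.get("transform_name"))
    vpn["acl"] = acls.get(vpn.get("acl_name"), [])
    return vpn


def check_mirror(local, remote):
    """Mismatches as seen from `local`; an empty list means the ends agree."""
    problems = []
    if local["peer"] != remote["outside_ip"]:
        problems.append(f"peer {local['peer']} is not the remote outside address")
    if local["psk_peer"] != local["peer"]:
        problems.append("isakmp key is bound to an address other than the peer")
    if local["psk"] != remote["psk"]:
        problems.append("preshared keys differ")
    if len(local["psk"]) < 8:
        problems.append("preshared key is shorter than eight characters")
    for attr in ("authentication", "encryption", "hash", "group", "lifetime"):
        if local["policy"].get(attr) != remote["policy"].get(attr):
            problems.append(f"IKE {attr}: {local['policy'].get(attr)} vs {remote['policy'].get(attr)}")
    if local["transform"] != remote["transform"]:
        problems.append(f"transform set: {local['transform']} vs {remote['transform']}")
    # The remote crypto ACL must be ours with source and destination swapped.
    if sorted(local["acl"]) != sorted((dst, src) for src, dst in remote["acl"]):
        problems.append("crypto access lists are not mirror images")
    return problems


def verify_pair(config_a, config_b):
    """Check both directions and return every mismatch found."""
    a, b = parse_pix_vpn(config_a), parse_pix_vpn(config_b)
    return check_mirror(a, b) + check_mirror(b, a)


DC_NET, PRAGUE_NET = ("172.20.0.0", "255.255.0.0"), ("172.16.0.0", "255.255.0.0")
PIX1_OUTSIDE, PIX2_OUTSIDE = "192.168.1.2", "192.168.2.2"   # PIX1 address assumed

PIX1_CONFIG = build_vpn_config(PIX1_OUTSIDE, DC_NET, PRAGUE_NET, PIX2_OUTSIDE, PSK)
PIX2_CONFIG = build_vpn_config(PIX2_OUTSIDE, PRAGUE_NET, DC_NET, PIX1_OUTSIDE, PSK)
# Same Prague configuration, but with MD5 chosen in the IKE Policy window by mistake.
PIX2_WRONG_HASH = build_vpn_config(PIX2_OUTSIDE, PRAGUE_NET, DC_NET, PIX1_OUTSIDE,
                                   PSK, hash_alg="md5")

if __name__ == "__main__":
    print(PIX1_CONFIG)
    print("matching pair:", verify_pair(PIX1_CONFIG, PIX2_CONFIG))
    print("mismatched pair:", verify_pair(PIX1_CONFIG, PIX2_WRONG_HASH))
```

The deliberately mismatched Prague configuration, with MD5 picked instead of SHA, is reported from both directions; on real hardware that mistake shows up only as a Phase 1 negotiation that never completes. The nat (inside) 0 line keeps tunnel traffic out of address translation: on the PIX, NAT runs before the crypto map is consulted, so without the exemption packets between 172.20.0.0/16 and 172.16.0.0/16 are translated to the outside address and never match the crypto access list.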