Using PDM to Create a Site-to-Site VPN

The PDM VPN tab allows for configuring the many details of site-to-site VPN consistent with those techniques covered in the VPN chapters (9–16) and in Chapter 21, the chapter on PIX Firewall VPN. Figure 22-8 shows an example of configuring the IKE policies and the other options that can be configured.

Figure 22-8: VPN IKE policy configuration using PDM
Figure 22-9: VPN Wizard opening screen with VPN type selection

PDM v2.1 added a second wizard that’s just as friendly and powerful as the Startup Wizard. The VPN Wizard uses half a dozen pages to walk through configuring site-to-site VPNs and remote access VPNs. The site-to-site VPN configuration is used between two IPSec security gateways, which can include firewalls, VPN concentrators, or other devices that support site-to-site IPSec connectivity. With a site-to-site VPN, the local PIX Firewall provides secure connectivity between its LAN and a LAN in a different geographic location.

Figure 22-9 shows that the first step is to pick the type of VPN to be created and the PIX interface to use. The Next button accepts the entries and moves on to the next screen.

The next screen, the Remote Site Peer panel, allows the administrator to identify the IP address of the remote IPSec peer that will terminate the VPN tunnel and select whether to use preshared keys or certificates for authentication. Figure 22-10 shows a possible set of choices.

Figure 22-10: VPN remote peer definition and authentication type

The next screen, the IKE Policy panel, uses three drop-down list boxes to specify the encryption and authentication algorithms, plus the DH Group to be used by the IKE (Phase 1) setup process.

The next screen, the Transform Set panel, uses two drop-down list boxes to specify the encryption and authentication algorithms to be used by the IPSec (Phase 2) VPN tunnel setup process. Figure 22-11 shows the Transform Set panel; the IKE Policy panel looks much the same.

Figure 22-11: Transform Set panel for defining encryption and authentication

The next two panels—the IPSec Traffic Selector panels—allow the administrator to define the traffic to be protected using the current IPSec tunnel. The IPSec tunnel will protect packets sent to or received from the hosts or networks selected on these panels. The first panel is used to identify the hosts and networks protected by your local PIX Firewall. Use the second panel—IPSec Traffic Selector (continued)—to identify hosts and networks protected by the remote IPSec peer.

Use the appropriate button on this panel to identify hosts and networks by IP address, by host name, or by group. Figure 22-12 shows a portion of the first IPSec Traffic Selector panel; the second panel, used to identify the remote addresses, is laid out the same way. The “any” entry on the right side came from selecting the choice on the left side and clicking the upper button between the two windows.

Figure 22-12: IPSec Traffic Selector panels for designating protected addresses

At this point the wizard is done. Clicking the Finish button will write the changes to the PIX configuration.
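As an added illustration, not from the book or from PDM itself, here is the PIX 6.x CLI equivalent of what the wizard panels above collect: the remote peer and preshared key (Remote Site Peer), the Phase 1 algorithms and DH group (IKE Policy), the Phase 2 algorithms (Transform Set), and the protected local and remote networks (IPSec Traffic Selectors). The interface name, addresses, object names and key are constructed placeholders, and the “!” lines are explanatory comments rather than commands.

```cisco
! Traffic selectors: local 192.168.1.0/24 <-> remote 192.168.2.0/24 (constructed)
access-list vpn-traffic permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Remote Site Peer panel: peer address and preshared-key authentication
isakmp enable outside
isakmp key PLACEHOLDER-PRESHARED-KEY address 203.0.113.2 netmask 255.255.255.255

! IKE Policy panel: Phase 1 encryption, hash and DH group
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Transform Set panel: Phase 2 encryption and authentication
crypto ipsec transform-set wizard-set esp-3des esp-sha-hmac

! Crypto map ties peer, transform set and traffic selector together
crypto map wizard-map 10 ipsec-isakmp
crypto map wizard-map 10 match address vpn-traffic
crypto map wizard-map 10 set peer 203.0.113.2
crypto map wizard-map 10 set transform-set wizard-set
crypto map wizard-map interface outside

! Let decrypted IPSec traffic bypass the interface access lists
sysopt connection permit-ipsec
```

After the wizard finishes, a `show running-config` on the PIX should show statements of this shape, which is a quick way to confirm that the algorithms and networks chosen in the panels are what actually got written.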
