VPN
Configuring a Site-to-Site VPN
Cisco ISA500 Series Integrated Security Appliances Administration Guide 344
Authentication Method: Choose one of the following authentication methods:
- Pre-shared Key: Uses a simple, password-based key to authenticate. If you choose this option, enter in the Key field the value that the peer device must provide to establish a connection. The pre-shared key must be entered exactly the same here and on the remote peer.
- Certificate: Uses a digital certificate from a third-party Certificate Authority (CA) to authenticate. If you choose this option, select a CA certificate as the local certificate from the Local Certificate drop-down list and select a CA certificate as the remote certificate from the Remote Certificate drop-down list. The certificate selected as the remote certificate on the local gateway must be set as the local certificate on the remote peer.
NOTE: You must have valid CA certificates imported on your security appliance before choosing this option. Go to the Device Management > Certificate Management page to import the CA certificates. See Managing Certificates for Authentication, page 418.
WAN Interface: Choose the WAN port that traffic passes through over the IPsec VPN tunnel.
Local Network: Choose the IP address for the local network. If you want to configure the zone access control settings for site-to-site VPN, choose Any for the local network. You can then control incoming traffic from the remote VPN network to the zones over the VPN tunnels.
Remote Network: Choose the IP address of the remote network. You must know the IP address of the remote network before connecting the VPN tunnel.
In the example illustrated in Figure 3, Site A has a LAN IP address of 10.10.10.0 and Site B has a LAN IP address of 10.20.20.0. When you configure the site-to-site VPN on Site A, the local network is 10.10.10.0 and the remote network is 10.20.20.0.
If the address object that you want is not in the list, choose Create a new address to add a new address object, or choose Create a new address group to add a new address group object. To maintain the address and address group objects, go to the Networking > Address Management page. See Address Management, page 175.
NOTE: The security appliance supports multiple subnets for establishing the VPN tunnels. To use them, select an address group object that includes the multiple subnets for the local and/or remote networks.
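The consistency rules above (the pre-shared key entered identically on both peers, the remote certificate on one gateway set as the local certificate on the other, and the local/remote networks mirrored, including address groups with several subnets) are easy to get wrong when two administrators configure the two sites separately. The following added example, not code from the guide or from Cisco, models each side's policy and flags the mismatches before the tunnel is brought up; the PeerConfig structure, the certificate names and the 16-character minimum key length are assumptions of this example, and it models specific address objects rather than the Any selection.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PeerConfig:
    """Site-to-site policy as entered on one gateway (constructed model, not the ISA500 data format)."""
    name: str
    auth: str                 # "psk" or "certificate"
    local_networks: list      # CIDR strings; several entries model an address group object
    remote_networks: list
    psk: str = ""
    local_cert: str = ""      # certificate names are placeholders
    remote_cert: str = ""

def _nets(cidrs):
    # strict=True rejects host bits set in a network address (e.g. 10.10.10.5/24)
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def check_peer_pair(a, b):
    """Return a list of findings; an empty list means both sides mirror each other correctly."""
    findings = []
    if a.auth != b.auth:
        findings.append("authentication methods differ")
    elif a.auth == "psk":
        if a.psk != b.psk:
            findings.append("pre-shared keys differ")
        if len(a.psk) < 16:      # example policy, not a value from the guide
            findings.append("pre-shared key shorter than 16 characters")
    elif a.auth == "certificate":
        # the remote certificate chosen on each gateway must be the other gateway's local certificate
        if a.remote_cert != b.local_cert or b.remote_cert != a.local_cert:
            findings.append("certificate selection not mirrored between peers")
    else:
        findings.append(f"unknown authentication method {a.auth!r}")
    a_local, a_remote = _nets(a.local_networks), _nets(a.remote_networks)
    b_local, b_remote = _nets(b.local_networks), _nets(b.remote_networks)
    # Site A's local networks must be Site B's remote networks and vice versa (set compare
    # so address groups with several subnets are matched regardless of order)
    if set(a_local) != set(b_remote) or set(a_remote) != set(b_local):
        findings.append("local/remote networks not mirrored between peers")
    # a local subnet overlapping a remote subnet makes routing over the tunnel ambiguous
    for loc in a_local:
        for rem in a_remote:
            if loc.overlaps(rem):
                findings.append(f"local {loc} overlaps remote {rem}")
    return findings
```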