R3166-R3206-HP High-End Firewalls VPN Configuration Guide-6PW101
2. Configuration procedure
a. Configure Firewall A
# Create a PKI entity.
• Select VPN > PKI > Entity from the navigation tree and then click Add.
• Type en as the PKI entity name.
• Type device-a as the common name.
• Type 2.2.2.1 as the IP address of the entity.
• Click Apply.
# Create a PKI domain. (The RA URL given here is only an example. Configure the RA URL as required for your CA.)
• Select VPN > PKI > Domain from the navigation tree and then click Add.
• Type 1 as the PKI domain name.
• Type CA1 as the CA identifier.
• Select en as the local entity.
• Select RA as the authority for certificate request.
• Type http://1.1.1.100/certsrv/mscep/mscep.dll as the URL for certificate request.
• Type 1.1.1.102 as the IP address of the LDAP server, 389 as the port number, and 2 as the version number.
• Select Manual as the certificate request mode.
• Click Display Advanced Config to display the advanced configuration items.
• Select the Enable CRL Checking check box.
• Type ldap://1.1.1.102 as the URL for CRLs.
• Click Apply.
# Generate an RSA key pair.
• Select VPN > PKI > Certificate from the navigation tree and then click Create Key.
• Click Apply to generate an RSA key pair.
# Retrieve the CA certificate.
• Select VPN > PKI > Certificate from the navigation tree and then click Retrieve Cert.
• Select 1 as the PKI domain.
• Select CA as the certificate type.
• Click Apply.
# Request a local certificate.
• Select VPN > PKI > Certificate from the navigation tree and then click Request Cert.
• Select 1 as the PKI domain.
• Click Apply.
# Retrieve the CRL.
• After the local certificate has been obtained, select VPN > PKI > CRL from the navigation tree.
• Click Retrieve CRL of the PKI domain of 1.
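The same PKI setup for Firewall A, entered at the Comware CLI instead of the web interface, as an added example that is not part of the original guide. The command syntax is the Comware V5 PKI command set as the editor knows it; the system name FirewallA, the SCEP URL host 1.1.1.100 and the two display commands at the end are assumptions added for illustration, and the values (entity en, common name device-a, entity IP 2.2.2.1, domain 1, CA identifier CA1, LDAP server 1.1.1.102) are those from the procedure above.

```text
<FirewallA> system-view

[FirewallA] pki entity en
[FirewallA-pki-entity-en] common-name device-a
[FirewallA-pki-entity-en] ip 2.2.2.1
[FirewallA-pki-entity-en] quit

[FirewallA] pki domain 1
[FirewallA-pki-domain-1] ca identifier CA1
[FirewallA-pki-domain-1] certificate request entity en
[FirewallA-pki-domain-1] certificate request from ra
[FirewallA-pki-domain-1] certificate request url http://1.1.1.100/certsrv/mscep/mscep.dll
[FirewallA-pki-domain-1] ldap-server ip 1.1.1.102 port 389 version 2
[FirewallA-pki-domain-1] certificate request mode manual
[FirewallA-pki-domain-1] crl check enable
[FirewallA-pki-domain-1] crl url ldap://1.1.1.102
[FirewallA-pki-domain-1] quit

[FirewallA] public-key local create rsa

[FirewallA] pki retrieval-certificate ca domain 1
[FirewallA] pki request-certificate domain 1
[FirewallA] pki retrieval-crl domain 1

[FirewallA] display pki certificate local domain 1
[FirewallA] display pki crl domain 1
```

Two checks a practitioner should make at this point. First, the SCEP URL is plain HTTP, so the CA certificate fetched by pki retrieval-certificate is not protected in transit; compare the fingerprint the device shows at retrieval time with the one obtained from the CA operator out of band before accepting it, because every later IKE RSA-signature authentication chains to that root. Second, the two display commands confirm that the local certificate was actually issued for domain 1 and that a CRL was retrieved; if CRL retrieval fails while CRL checking is enabled, the IKE negotiation in the next step will fail certificate validation even though the local certificate looks fine.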
# Configure IKE proposal 1, using RSA signature for identity authentication.
• Select VPN > IKE > Proposal from the navigation tree and then click Add.