SSL Certificate Based VPN

Virtual Private Network Use Case

Summary

This article outlines the process for configuring a Series 3 CradlePoint router to use SSL certificates for VPN authentication. A VPN (virtual private network) connects two or more separate, often physically remote, local networks by building a secured tunnel over a public network. SSL (secure sockets layer) is a cryptographic protocol developed to provide communication security over a public network. For establishing a VPN tunnel, authentication based on an SSL certificate offers a higher level of security than a pre-shared key.

This document covers only SSL certificate authentication; for detailed instructions on configuring a VPN tunnel, or for directions on pre-shared key authentication, please review the VPN Guide.

Configuration

Part 1: Configure Certificate

Configuration Difficulty: Expert

If you have an existing Certificate Authority (CA), create a new certificate and sign it, then follow the instructions in Section A to upload the file to the CradlePoint router. If you have neither a CA nor certificates, skip to Section B on page 3 of this document; we will create both in the CradlePoint's Certificate Manager.
Section A: Importing an Existing Certificate File

- Step 1: Select Security in the menu, then Certificate Management, then PKCS12.
- Step 2: Give this file a name for identification within the CradlePoint's Certificate Manager.
- Step 3: If the file is password protected, key in the Passphrase; otherwise leave this field blank.
- Step 4: Click the Select File button, locate the correct file, and click Open to select it.
- Step 5: Click Import/Upload Certificate and then click OK within the confirmation dialog.
- Step 6: Proceed to Part 2 of this document.

Section B: Creating a CA and Certificate on the CradlePoint Router

- Step 1: Select Security in the menu, then Certificate Management, then Local Certificates.
- Step 2: Click Add to create a new certificate.
- Step 3: Create the CA file:
  o Within the General Description section, give this file a unique name.
  o Within the Issuer section, check Set as CA certificate.
  o Fill out the Subject fields.
  o Set the key duration in Days.
  o Set the Public Key Algorithm for this CA file.
- Step 4: Click Save.
- Step 5: Create a new certificate file:
  o Give it a unique name.
  o Within the Issuer section, click Sign with CA certificate, then click the drop-down arrow next to Certificate name and select the file we created during Steps 3-4.
  o Fill out the Subject, Validity and PK Algorithm fields.
  o Click Apply, then click OK to accept the confirmation dialog.
- Step 6: Select PKCS12 in the menu.
- Step 7: Click the drop-down arrow next to Name to select the file we created during Step 6, and click the Export/Download Certificate button.
  o Optional: Key in a passphrase to protect this file.
- Step 8: Follow the instructions in your browser to save the file.
- Step 9: Import this file onto the device terminating the other end of the VPN tunnel.
  o Note: Each unique endpoint will require its own specific certificate. Repeat Steps 5-10 for each additional endpoint.

Part 2: Configure Global VPN Settings

- Step 1: Click on the Networking tab and select Tunnels, then IPSec VPN.
- Step 2: If the VPN Service is disabled, check the box to Enable VPN Service and then press Save.
- Step 3: Under the Global VPN Settings section, click the drop-down arrow next to Certificate Name.
- Step 4: Select the certificate you loaded or created in Part 1 of this guide.
- Step 5: Click Apply to allow this certificate to be used within Global VPN Settings.
  o NOTE: You will still be able to add VPN tunnels based on pre-shared keys. However, any tunnel configured to use Certificate as the Authentication Mode will use THIS file.
- Step 6: Click Yes to proceed with applying the change.
  o NOTE: This will temporarily drop all active tunnels. If your router is currently in production, choose No instead and complete this step later during a scheduled maintenance window.
- Step 7: Click OK within the confirmation dialog and proceed to Part 3 of this guide.
  o NOTE: If you instead see an error indicating the certificate has no CA associated with it, verify that the selected certificate is signed and that it is in the correct file format.

Part 3: Configure the VPN Tunnel

- Step 1: Click Add to configure a new tunnel.
- Step 2: Give the tunnel a unique name that does not contain any spaces.
- Step 3: Click the drop-down arrow next to Authentication Mode and select Certificate.
- Step 4: Enable ASN1.DN Identity if the remote end of the VPN tunnel is a CradlePoint, Cisco, Juniper, or another device that requires this option.
  o NOTE: DO NOT enable this option if you are using a Check Point device.
- Step 5: (Optional) Switch the tunnel Initiation Mode to Always On to allow the CradlePoint router to automatically start and restart the tunnel.
- Step 6: Click Next.
- Step 7: Proceed with the rest of the tunnel configuration normally. Refer to the VPN Guide for additional explanation of the available options and for links to vendor-specific configuration examples.