How to Set Up VPN Certificates

Similar documents
How to Set Up External CA VPN Certificates

Authentication, Encryption, Transport, and VPN Routing

Authentication, Encryption, Transport, IP Version and VPN Routing

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls

How to Configure a Remote Management Tunnel for an F-Series Firewall

Barracuda Networks NG Firewall 7.0.0

How to Create a TINA VPN Tunnel between F- Series Firewalls

How to Configure Authentication and Access Control (AAA)

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Configuring SSL. SSL Overview CHAPTER

Implementation Guide - VPN Network with Static Routing

Digital Certificates. About Digital Certificates

How to Configure SSL Interception in the Firewall

VMware Horizon View Deployment

How to Configure a Dynamic Mesh VPN with the GTI Editor

How to Configure a Client-to-Site IPsec IKEv2 VPN

How to Configure a Client-to-Site L2TP/IPsec VPN

Table of Contents 1 IKE 1-1

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Lab Guide. Barracuda NextGen Firewall F-Series Microsoft Azure - NGF0501

Configuring SSL CHAPTER

High Availability Synchronization PAN-OS 5.0.3

3. In the upper left hand corner, click the Barracuda logo ( ) then click Settings 4. Select the check box for SPoE as default.

Configuring SSL. SSL Overview CHAPTER

Example - Reverse Proxy for Exchange Services

Configuring OpenVPN on pfsense

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

Numerics I N D E X. 3DES (Triple Data Encryption Standard), 48

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Double-clicking an entry opens a new window with detailed information about the selected VPN tunnel.

Mavenir Systems Inc. SSX-3000 Security Gateway

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

Configuring Certificate Authorities and Digital Certificates

HP Instant Support Enterprise Edition (ISEE) Security overview

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

History Page. Barracuda NextGen Firewall F

How to Configure SSL Interception in the Firewall

Send documentation comments to

Defining IPsec Networks and Customers

LDAP Directory Integration

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

NGF0401 Instructor Slides

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

Configuring L2TP over IPsec

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

L2TP Over IPsec Between Windows 2000 and VPN 3000 Concentrator Using Digital Certificates Configuration Example

Series 5000 ADSL Modem / Router. Firmware Release Notes

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

LDAP Directory Integration

Manage Certificates. Certificates Overview

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Remote Access via Cisco VPN Client

This chapter describes how to configure digital certificates.

AirWatch Mobile Device Management

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

Release Notes. Release Purpose... 1 Platform Compatibility... 1 Upgrading Information... 1 Browser Support... 2 Known Issues... 3 Resolved Issues...

PKI Trustpool Management

PKI Configuration Examples

Sample excerpt. Virtual Private Networks. Contents

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

How to Configure Guest Access with the Ticketing System

Managing Certificates

How to Configure a Dynamic Mesh VPN with the GTI Editor

Use Shrew Soft VPN Client to Connect with IPSec VPN Server on RV130 and RV130W

vcloud Director Tenant Portal Guide vcloud Director 8.20

Create Decryption Policies to Control HTTPS Traffic

General Firewall Configuration

DoD Common Access Card Authentication. Feature Description

BIG-IP System: SSL Administration. Version

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

HTTPS--HTTP Server and Client with SSL 3.0

Connection Profiles, Group Policies, and Users

Viewing System Status, page 404. Backing Up and Restoring a Configuration, page 416. Managing Certificates for Authentication, page 418

Identity Firewall. About the Identity Firewall

Configuring LDAP. Finding Feature Information

User Manual. SSV Remote Access Gateway. Web ConfigTool

Setting up L2TP Over IPSec Server for remote access to LAN

Security Certifications Compliance

MAGNUM-SDVN Security Administration Manual

Microsoft Exchange Server 2013 and 2016 Deployment

Managing External Identity Sources

VII. Corente Services SSL Client

Forescout. Configuration Guide. Version 4.2

ForeScout CounterACT. Configuration Guide. Version 4.1

SSH Communications Tectia SSH

L2TP IPsec Support for NAT and PAT Windows Clients

Configuring PKI CHAPTER

How to Configure Syslog Streaming

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

Configuration Guide Barracuda NG Firewall. TheGreenBow IPsec VPN Client. Written by: TheGreenBow TechSupport Team Company:

Chapter 5 Virtual Private Networking

HP FlexFabric 5700 Switch Series

Public Key Enabling Oracle Weblogic Server

Transcription:

For the VPN service, you can use either self-signed certificates or certificates that are generated by an external CA. In this article: Before You Begin Before you set up VPN certificates, verify that the VPN service has been properly created and configured. For more information on how to create a service, see How to Configure Services. Set Up Certificates with the Barracuda CA for a Barracuda VPN If you want to use a Barracuda VPN with the Barracuda CA installed on the Barracuda NG Firewall, complete the following steps: Step 1. Create the Default Certificate and Private Key 1. 2. 3. 4. 5. 6. Open the VPN Settings page (Config > Full Config > Virtual Servers > your virtual server > Click Lock. Click the Settings tab. Click the Click here for Server Settings link. If you are using the Access Control service, enter its IP Address in the Access Control Service section of the Server Settings window. Create the certificate. This certificate will be signed by the self-signed Barracuda root certificate that is included with the Barracuda NG Firewall. 1. In the Default Server Certificate section, click Ex/Import and select New/Edit Certificate. 2. In the Certificate View window, fill out the Subject section completely and then click OK. You must set the SubAltName with the FQDN that resolves to the listening IP address of the VPN service. 7. 8. 9. Create the default key by clicking Ex/Import in the Default Key section and then selecting New x-bit RSA key (where x is 512, 1024, or 2048). Click OK. Click Send Changes and Activate. Step 2. Import the Default Certificate and Private Key 1. Open the VPN Settings page (Config > Full Config > Virtual Servers > your virtual server > 2. Click Lock. 3. Click the Settings tab. 4. Click the Click here for Server Settings link. 5. If you are using the Access Control service, enter its IP Address in the Access Control Service section of the Server Settings window. 6. In the Default Server Certificate section, click Ex/Import and select either Import PEM from file or Import from PKCS12, depending on the external certificate format. 7. In the Default Key section, click Ex/Import and select Import Private Key from File. 1 / 9

If the certificates match, the Default Server Certificate and the Default Server Key display "Valid" in green. 8. 9. Click OK. Click Send Changes and Activate. Set Up Certificates with an External CA for a Barracuda, IPsec, or L2TP/IPsec VPN Requirements X.509 Certificate Type Root Certificate (e.g., RootCrt.crt) Installation Location Barracuda NG Firewall File Type PEM Chain of Trust Trust Anchor X.509 Extensions and Value Key Usage: Certificate sign; CRL sign 2 / 9

Server Certificate (e.g., ServerCrt.pem and ServerCrtprivate.pem) Barracuda NG Firewall PKCS12 End Instance Key Usage: Digital Signature Subject Alternative Name: DNS: tag with the FQDN which resolves to the IP the VPN Service listens on. For example: DNS: vpn.yourdomain.com X.509 certificates on the Barracuda NG Firewall must not have identical SubjectAlternativeNames settings and must not contain the management IP address of the Barracuda NG Firewall. Client Certificate (if needed) Client OS or VPN Client PKCS12 End Instance Key Usage: Digital Signature Install the Root Certificate 1. Open the VPN Settings page (Config > Full Config > Virtual Servers > your virtual server > 2. Click Lock. 3. Click the Root Certificates tab. 4. Right-click the table and select Import PEM from File or Import CER from File, depending on the root certificate format. 5. In the Open window, select the root certificate file and click Open. 6. In the Root Certificate window, configure the following settings under the Certificate details tab: Name A descriptive name for the root certificate. For example, RootCert. Usage The types of VPNs that will use this root certificate. For example, Barracuda Personal and IPsec Personal. 7. Click OK. The root certificate appears under the Root Certificates tab. Install the Server Certificate 1. Open the VPN Settings page (Config > Full Config > Virtual Servers > your virtual server > 2. Click Lock. 3. Click the Server Certificates tab. 4. Import the server certificate. 1. Right-click the table and select Import Certificate from File. 2. In the Open window, select the server certificate file and click Open. 3. Enter the Certificate Name (e.g., ServerCertificate), and then click OK. The certificate appears under the Server Certificates tab. 5. Import the private server key. 1. Right-click the server certificate and select Import Private Key From File. 2. In the Open window, select the private server key file (e.g. ServerCertprivate.pem) and then click Open. 6. Click Send Changes and Activate. 3 / 9

Your server certificate appears with the private key under the Server Certificates tab. Create a Service Certificate/Key 1. 2. 3. 4. 5. 6. 7. Open the VPN Settings page (Config > Full Config > Virtual Servers > your virtual server > Click Lock. Click the Service Certificates/Keys tab. Right-click the table and select New Key. Enter a Key Name. Select the required Key Length. Click Send Changes and Activate. Your server certificate appears under the Service Certificates/Keys tab. Server Settings Overview The following sections provide more details on the server settings: General Settings From the General Settings tab of the Server Settings window, you can configure these settings: Section Setting Description Access Control Service IP Addresses Sync Authentication to Trustzone The IP address of the access control service to use. Propagates authentication information to the other systems in the same trustzone. 4 / 9

Server Configuration Use port 443 [default: Yes] CRL Poll Time Global TOS Copy Global Replay Window Size [0] Use Site to Site Tunnels for Authentication [Yes] Pending Session Limitation [Yes] Prebuild Cookies on Startup [No] Tunnel HA Sync Maximum Number of Tunnels Allow Fast Requests WANOpt Master Defines if incoming VPN connections on port 443 should be accepted or not. VPN tunnels connecting to this port are limited to the TCP transport protocol. Port 443 can only be used by one service. If this port is redirected to another machine by the firewall service or a SSL VPN is running, disable port 443 for client-to-site VPN connections. The time interval in minutes for fetching the Certificate Revocation List. Entering 0 results in a poll time of 15 minutes. Enables the Type of Service (ToS) flag for site-to-site tunnels. By default, the ToS flag is globally disabled (setting: Off). Individual tunnel ToS policies override the global policy settings. If ToS policies assigned to VPN tunnels or transports packets are not forwarded instantly according to their sequence number, you can configure the replay window size for sequence integrity assurance to avoid IP packet "replaying." The window size specifies a maximum number of IP packets that can be on hold, until it is assumed that packets have been sent repeatedly and sequence integrity has been violated. Individual window size settings are configurable per tunnel and transport, overriding global policy settings. To specify that tunnel- and transportspecific settings should be used, enter 0 (default). To view the specified replay window size, double-click the tunnel on the VPN page to open the Transport Details window (attribute: transport_replaywindow). Typically, a tunnel registers itself at the firewall, creating an auth.db entry with the tunnel network and the tunnel credentials. You can then create a firewall rule with the tunnel name or credentials as a condition. This feature is rarely used (maybe not at all). Enforces a limit of five sessions. Additional session requests are dropped. Prebuilds the cookies when the VPN service is started. This can slow the VPN service startup but increases the speed of tunnel builds. Typically, cookies are built on demand while a VPN tunnel is initiated. Enable this setting to prevent high system load on Barracuda NG Firewalls that are concentrating a large number of VPN tunnels. High system load caused by the VPN service can occur, if a large number of VPN tunnels are established simultaneously after a reboot or Internet Service Provider outage. Synchronization is only provided for TINA tunnels and transports using either UDP or ESP. Synchronization of hybrid, TCP, or IPsec tunnels is not available. During an HA takeover, the initialization of all VPN tunnels and transports requires a very CPU-intensive RSA handshake procedure. As long as less than approximately 200 tunnels and transports are terminated, this initialization happens very quickly and does not decrease overall system performance. Due to real-time synchronization to the HA partner unit, the system load during a takeover can be decreased, providing faster tunnel re-establishment. By default, this setting is disabled. It can be activated using Tunnel HA Sync through the VPN server settings. Barracuda Networks recommends that you only activate this setting when using more than 200 ESP or UDP TINA tunnels. The maximum number of concurrent client-to-site and site-to-site tunnels accepted by the VPN service. Leave the default setting or select one of the values available from the drop-down list. Allows a fast request rate. If the tunnel endpoint inherits the WANOpt settings from the tunnel partner, select Yes. If the tunnel partner inherits the WANOpt settings from the tunnel endpoint, select No. Do not set both tunnel endpoints to the same value. 5 / 9

Default Server Certificate Section Subject/Issuer Default Key These two fields display the certificate subject and issuer. Note, that L2TP and IPsec require server certificates with SubAltName: DNS:your.vpnserver.com If the VPN server demands a key but the key is not stated explicitly, you can generate it by clicking Ex/Import and selecting a suitable option. For a successful client-to-site connection, you must define a default server certificate. Advanced Settings From the Advanced Settings tab of the Server Settings window, you can configure these settings: Section VPN Interface Configuration VPN Next Hop Interface Configuration IKE Parameters Custom Ciphers Description In these sections, configure the VPN interfaces and next hop interfaces. To add and configure virtual interfaces equipped with unique index numbers, click Add. Indexed virtual interfaces may, for example, be required for direct OSPFv2 or RIP multicast propagation of VPN networks. After assigning the interface with a local IP address, it may be directly used within the OSPF router configuration. The interfaces become active and visible on the Control > Network page of the corresponding Barracuda NG Firewall as soon as a tunnel endpoint using the indexed interface has been created. Indexed VPN interfaces are labeled as follows: vpn[index] For example: vpn1 In the VPN Interface Properties window, edit the following settings for each interface: VPN Interface Index The unique index number of the VPN interface. MTU The Maximum Transmission Unit size. You can select either 1398 or 1500. IP Addresses The IP addresses that should be started on the vpnx interface. You can enter a space-delimited list of IP addresses. Multicast Addresses The multicast addresses that should be propagated into this field. You can enter a space-delimited list of IP addresses. For example, to transport OSPF multicast via the VPN tunnel, enter 224.0.0.5 224.0.0.6 In this section, configure the global IKE settings for all configured IPsec tunnels. You can edit the following settings: Exchange Timeout (s) The maximum period to wait until the request for IPsec tunnel connection establishment has to be approved by the remote peer (default: 30 seconds). Tunnel Check Interval (s) The interval between queries for a valid exchange that is assignable to an IPsec tunnel (default: 5 seconds). If a tunnel that is configured with direction assignment Active has been terminated, it will be re-established automatically when the check interval expires. If a tunnel that is configured with direction assignment Passive has been terminated, a corresponding status message is triggered and the interface is updated on the VPN page. Dead Peer Detection Interval (s) The interval between keep-alive checks on the remote peer (default: 5 seconds). Use IPSec dynamic IP If the service is connected to the Internet via a dynamic link (dynamic IP address), select Yes. The server IP address is not yet known at configuration time and IKE then listens to all local IP addresses. IPSec Log Level The debug log level of IKE. The debug log may be very noisy. Do not select a log level greater than 0 if the log is not required for solving an issue. In this section, add or remove custom ciphers. Certificate Import Settings Overview The following sections provide more details on the settings for importing certificates: 6 / 9

Certificate Detail Settings From the Certificate details tab, you can configure these settings: Section Setting Description Certificate Name Certificate Details Comment CRL Error Handling Usage The certificate's subject and issuer. The certificate name for easier recognition. The tunnel types that the certificate is valid for. The following tunnel types are available: Personal Site-to Site IPSec Personal IPSec Site-to-Site An optional description of the certificate. Timeout (min.) The length of time after which the fetching process is started again if all URIs of the root certificate fail. Action The action that is taken if the CRL is not available after the fetching process that is started after the Timeout. You can select one of the following actions: Terminate all sessions Every VPN session relating to this root certificate is terminated. Do not allow new sessions New VPN sessions relating to this root certificate are not allowed. Ignore A log entry is created but does not have any effect on VPN connections relating to this root certificate. Certificate Revocation Settings From the Certificate details tab, you can either import or manually add a CRL URI. If a CRL is already included within the certificate, import the CRL URI by clicking Load paths from certificate. To add a CRL URI manually, configure the settings in the URI, Login, and Proxy sections and then click Add. Section Setting Description 7 / 9

URI Login Proxy Protocol Host URL-Path User / Password Proxy Port User / Password The required connection protocol. The following protocols are available: Protocol Default Port Comment LDAP 389 DNS-resolvable LDAPS 636 DNS-resolvable HTTP 80 - HTTPS 443 - The DNS-resolvable host name or IP address of the server that makes the CRL available. The path to the CRL. For example: cn=vpnroot,ou=country,ou=company,dc=com?,cn=* When the CRL is made available through SSL-encrypted LDAP (LDAPS), use the fully qualified domain name (that is the resolvable host name) in the CN subject to refer to the CRL. For example, if a server's host name is server.domain.com, enter the following in the URL path: cn=vpnroot,ou=country,ou=company,dc=com, cn=server.domain.com The A-Trust LDAP server requires the CRL distribution point referring to it to terminate with a CN subject. Therefore, as from Barracuda NG Firewall 3.6.3 when loading the CRL from a certificate, the search string "?cn=*" will automatically be appended if the CRL is referring to an LDAP server and if a search string (CN subject) is not available in the search path by default. Note that existing configurations will remain unchanged and that the wildcard CN subject does not conflict with other LDAP servers. The username and corresponding password. This information is necessary if the LDAP or HTTP server requires authentication. The DNS-resolvable host name or IP address of the proxy server. The proxy server port used for connection requests. The username and corresponding password. This information is necessary if the proxy server requires authentication. OCSP Settings From the OCSP tab, you can configure these settings: Host Port Setting Use SSL Description The DNS-resolvable hostname or host IP address. The OCSP server listening port. Enforces an SSL connection to the OCSP server. Phibs Scheme Allows selection of an OCSP scheme (default: ocsp). CA Root Other root Explicit X509 Specifies how the OCSP server is verified. You can select the following options: This root certificate The OCSP server certificate signing the OCSP answer was issued by this root certificate. Other root certificate The OCSP server certificate signing the OCSP answer was issued by another root certificate. This other root certificate must be imported via the Other root setting. Explicit Server certificate The OCSP server certificate signing the OCSP answer might be self-signed or another certificate. This X.509 certificate must be imported via the Explicit X.509 setting. Take into consideration that the extended certificate usage is set to OCSP signing in the OCSP-server certificate when you select This root certificate or Other root certificate. If CA Root is set to Other root certificate, click Ex/Import to import the certificate in either PEM or PKCS12 format. If CA Root is set to Explicit Server, click Ex/Import to import the certificate in either PEM or PKCS12 format. 8 / 9

Figures 9 / 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback