Quick links:
Product Overview
Installation
Settings and Administration
ADSL
SIP Support
Telephone ports
Network
Firewall
Wireless
VPN
Misc
Licenses
Troubleshooting
Differences
This shows you the differences between two versions of the page.
|
vpn:certificates [2010/11/02 10:42] tibor created |
vpn:certificates [2010/11/22 14:12] (current) mats |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| By using certificates instead of pre-shared keys a much higher level of security can be achieved. Certificates are used to verify the other end of an IPSec connection is a known peer, not an imposter. | By using certificates instead of pre-shared keys a much higher level of security can be achieved. Certificates are used to verify the other end of an IPSec connection is a known peer, not an imposter. | ||
| + | |||
| + | Read more: [[wp>Public_key_certificate|certificates]] | ||
| The Internet Gate can use certificates created by other authorities, create its own certificates, or even create certificates for clients connecting to it. | The Internet Gate can use certificates created by other authorities, create its own certificates, or even create certificates for clients connecting to it. | ||
| ^ :!: WARNING! All certificates are erased upon reset to factory defaults! ^ | ^ :!: WARNING! All certificates are erased upon reset to factory defaults! ^ | ||
| - | | To avoid loosing your certificates make sure you make a backup copy using the Backup to file button on the Administration page. | | + | | To avoid loosing your certificates make sure you make a backup copy using the **Backup to file** button on the [[web_gui:administration_page|Administration]] page. | |
| + | |||
| + | {{ :vpn:vpn_certificates.png?227|VPN Certificates in rel 5.30}} | ||
| - | You can access the VPN Certificates page by clicking the Certificates link at the bottom of the IPSec Overview page. | + | You can access the VPN Certificates page by clicking the **Certificates** link at the bottom of the [[web_gui:vpn_page|IPSec Overview]] page. |
| ===== Own and trusted certificates ===== | ===== Own and trusted certificates ===== | ||
| Line 42: | Line 46: | ||
| ==== Create your own certificate ==== | ==== Create your own certificate ==== | ||
| - | You can create your own self-signed certificate using the Create button on the Certificate manager page. | + | You can create your own self-signed certificate using the **Create** button on the //Certificate manager// page. |
| In the window that appears you enter details about the certificate: | In the window that appears you enter details about the certificate: | ||
| - | Subject name - (mandatory) unique, descriptive name of the person or purpose the certificate is for. | + | **Subject name** (mandatory) unique, descriptive name of the person or purpose the certificate is for. |
| - | Organisation - (optional) organization the certificate is for. (For example your company.) | + | **Organisation** (optional) organization the certificate is for. (For example your company.) |
| - | Organisation unit - (optional) organization unit the certificate is for. (For example your department.) | + | **Organisation unit** (optional) organization unit the certificate is for. (For example your department.) |
| - | DNS name - (optional) DNS domain the certificate is for. (For example your dynDNS domain.) | + | **DNS name** (optional) DNS domain the certificate is for. (For example your dynDNS domain.) |
| - | E-mail - (optional) e-mail address of contact person for the certificate. | + | **E-mail** (optional) e-mail address of contact person for the certificate. |
| - | IP Address - (optional) IP address the certificate is for. | + | **IP Address** (optional) IP address the certificate is for. |
| - | The signature algorithm used should be RSA/SHA1 for almost all users, except if the remote peer has specifically specified DSS signatures as IKE authentication mode. | + | The **signature algorithm** used should be RSA/SHA1 for almost all users, except if the remote peer has specifically specified DSS signatures as IKE authentication mode. |
| - | The created self signed certificate and private key are stored in your Internet Gate. You are **strongly** recommended to **immediately** create a backup copy of them using the Backup to file button on the Administration page.\\ | + | The created self signed certificate and private key are stored in your Internet Gate. You are **strongly** recommended to **immediately** create a backup copy of them using the **Backup to file** button on the [[web_gui:administration_page|Administration]] page.\\ |
| :!: **Certificates are erased by reset to factory defaults!** | :!: **Certificates are erased by reset to factory defaults!** | ||
| - | You give away your own certificate to whoever remote IPSec peer you want to connect or want to be able to be connected by. The Export button next to your certificate on the Certificate manager page creates a file containing your certificate that you can give away. (It does not contain your private key, as you should never give away your private key.) | + | You give away your own certificate to whoever remote IPSec peer you want to connect or want to be able to be connected by. |
| + | The **Export** button next to your certificate on the //Certificate manager// page creates a file containing your certificate that you can give away. (It does not contain your private key, as you should never give away your private key.) | ||
| The created file is of suitable format for importing into most common IPSec programs. | The created file is of suitable format for importing into most common IPSec programs. | ||
| Line 71: | Line 76: | ||
| You use your certificate to identify yourself with when connecting to a remote IPSec gateway. | You use your certificate to identify yourself with when connecting to a remote IPSec gateway. | ||
| - | The IPSec Settings page reached from the simplified IPSec Overview page always use your first own certificate when creating new connections that use certificates as authentication. You do not need to specify own certificate, only the trusted one. | + | The IPSec Settings page reached from the simplified [[web_gui:vpn_page|IPSec Overview]] page (by "Add" or "Edit/view" buttons) always use your first own certificate when creating new connections that use certificates as authentication. |
| + | You do not need to specify own certificate, only the trusted one. | ||
| - | On the VPN peer settings page reached from the advanced IPSec overview page you can specify what own certificate to use using the Certificate dropdown in the Identity – Local (this) gateway field. | + | On the [[web_gui:vpn_peer|VPN peer settings]] page reached from the [[web_gui:vpn_advanced|advanced IPSec overview]] page you can specify what own certificate to use using the **Certificate** dropdown under the "Identity – Local (this) gateway" headline. |
| Then you also need to specify which of the certificate's fields you want to use for identification: | Then you also need to specify which of the certificate's fields you want to use for identification: | ||
| - | Id type: ASN.1 Dist. Name, ID: Use ASN.1 in cert is the most common choice. This uses the Subject name field in the certificate as identification. | + | **Id type**: //ASN.1 Dist. Name//, **ID**: //Use ASN.1 in cert// is the most common choice. This uses the //Subject name// field in the certificate as identification. |
| - | Id type: Domain name and E-mail (user DN) both demands ID: Other, specify: to be selected, and the same entry as in the certificate to be entered manually. | + | **Id type**: //Domain name// and //E-mail (user DN)// both demands **ID**: //Other, specify:// to be selected, and the same entry as in the certificate to be entered manually. |
| - | You also must change Authentication Method in all three preferences in the Key exchange field to RSA signatures. (If the certificate was issued using signature algorithm DSA/SHA1 then you need to specify DSS signature here.) | + | You also must change **Authentication Method** in all three preferences (under the "Key exchange" headline) to //RSA signatures//. (If the certificate was issued using signature algorithm DSA/SHA1 then you need to specify //DSS signature// here.) |
| Local (own) and remote (trusted) certificates must both use the same Authentication method. You can't mix certificates and pre-shared key for authentication. | Local (own) and remote (trusted) certificates must both use the same Authentication method. You can't mix certificates and pre-shared key for authentication. | ||
| + | |||
| + | ====== ====== | ||
| + | \\ | ||
| + | [[vpn:start|VPN Overview]] | ||
| + | |||
