
Chapter 8
VPN

This Chapter describes the VPN capabilities and configuration required for common situations.

Overview

This section describes the VPN (Virtual Private Network) support provided by your Broadband VPN Gateway.

A VPN (Virtual Private Network) provides a secure connection between 2 points, over an insecure network - typically the Internet. This secure connection is called a VPN Tunnel.

There are many standards and protocols for VPNs. The standard implemented in the Broadband VPN Gateway is IPSec.

IPSec

IPSec is a near-ubiquitous VPN security standard, designed for use with TCP/IP networks. It works at the packet level, and authenticates and encrypts all packets traveling over the VPN Tunnel. Thus, it does not matter what applications are used on your PC. Any application can use the VPN like any other network connection.

IPsec VPNs exchange information through logical connections called SAs (Security Associations). An SA is simply a definition of the protocols, algorithms and keys used between the two VPN devices (endpoints).

Each IPsec VPN has two SAs - one in each direction. If IKE (Internet Key Exchange) is used to generate and exchange keys, there are also SAs for the IKE connection as well as for the IPsec connection.

There are two security modes possible with IPSec: Transport Mode and Tunnel Mode.

The Broadband VPN Gateway does NOT support Transport Mode.
The Broadband VPN Gateway always uses Tunnel Mode.

IKE

IKE (Internet Key Exchange) is an optional, but widely used, component of IPsec. IKE provides a method of negotiating and generating the keys and IDs required by IPSec. If using IKE, only a single key needs to be provided during configuration. Also, IKE supports using Certificates (provided by CAs - Certification Authorities) to authenticate the identity of the remote user or gateway.

If IKE is NOT used, then all keys and IDs (SPIs) must be entered manually, and Certificates can NOT be used. This is called a "Manual Key Exchange".

When using IKE, there are 2 phases to establishing the VPN tunnel: Phase 1 establishes the IKE SA, and Phase 2 establishes the IPsec SA.

Because the IKE and IPsec connections are separate, they have different SAs (security associations).

Policies

VPN configuration settings are stored in Policies.

Each policy defines the remote VPN endpoint, the traffic to be carried through the tunnel (the Traffic Selector), and the key exchange method together with its IKE and IPsec parameters.

Generally, you will need at least one (1) VPN Policy for each remote site for which you wish to establish VPN connections.

It is possible, and sometimes necessary, to have multiple Policies for the same remote site. In this case, the order (sequence) of the policies is important. The policies are examined in turn, and the first matching policy will be used.

VPN Configuration

The general rule is that each endpoint must have matching Policies, as follows:

Remote VPN address
Each VPN endpoint must be configured to initiate or accept connections to the remote VPN client or Gateway.
Usually, this requires having a fixed Internet IP address. However, it is possible for a VPN Gateway to accept incoming connections from a remote client where the client's IP address is not known in advance.
Traffic Selector
This determines which outgoing traffic will cause a VPN connection to be established, and which incoming traffic will be accepted. Each endpoint must be configured to pass and accept the desired traffic from the remote endpoint.
If connecting 2 LANs, this requires that:
  • Each endpoint must be aware of the IP addresses used on the other endpoint.
  • The 2 LANs MUST use different IP address ranges.
IKE parameters
If using IKE (recommended), the IKE parameters must match (except for the SA lifetime, which can be different).
IPsec parameters
The IPsec parameters at each endpoint must match.


Common VPN Situations


VPN Pass-through

Figure 44: VPN Pass-through

Here, a PC on the LAN behind the Router/Gateway is using VPN software, but the Router/Gateway is NOT acting as a VPN endpoint. It is only allowing the VPN connection.

Client PC to VPN Gateway

Figure 45: Client PC to VPN Server

In this situation, the PC must run appropriate VPN client software in order to connect, via the Internet, to the Broadband VPN Gateway. Once connected, the client PC has the same access to LAN resources as PCs on the local LAN (unless restricted by the network administrator).

Connecting 2 LANs via VPN

Figure 46: Connecting 2 VPN Gateways

This allows two (2) LANs to be connected. PCs on each endpoint gain secure access to the remote LAN.


VPN Configuration

This section covers the configuration required on the Broadband VPN Gateway when using Manual Key Exchange (Manual Policies) or IKE (Automatic Policies).

Details of using Certificates are covered in a later section.

VPN Policies Screen

To view this screen, select VPN Policies from the VPN menu. This screen lists all existing VPN policies. If no policies exist, the list will be empty.

Figure 47: VPN Policies

Note that the order of policies is important if you have more than one policy for particular traffic. In that case, the first matching policy (for the traffic under consideration) will be used.

Data - VPN Policies Screen

VPN List

Policy Name
The name of the policy. When creating a policy, you should select a suitable name.
Enable
This indicates whether or not the policy is currently enabled. Use the "Enable/Disable" button to toggle the state of the selected policy.
Remote VPN Endpoint
The IP address of the remote VPN endpoint (Gateway or client).
Key Type
This will indicate "Manual" (manual key exchange) or "IKE" (Internet Key Exchange).

Operations

Add
To add a new policy, click the "Add" button. See the following section for details.
Edit
To Edit or modify an existing policy, select it and click the "Edit" button.
Move
There are 2 ways to change the order of policies:
  • Use the up and down indicators on the right to move the selected row. You must confirm your changes by clicking "OK". If you change your mind before clicking "OK", click "Cancel" to reverse your changes.
  • Click "Move" to directly specify a new location for the selected policy.
Enable/Disable
Use this to toggle the On/Off state of the selected policy.
Copy
If you wish to create a policy which is similar to an existing policy, select the policy and click the "Copy" button.
Remember that the new policy must have a different name, and there can only be one active (enabled) policy for each remote VPN endpoint.
Delete
To delete an existing policy, select it and click the "Delete" button.
View Log
Clicking the "View Log" button will open a new window and display the VPN log.


Adding a New Policy

  1. To create a new VPN Policy, click the "Add" button on the VPN Policies screen. This will start the VPN Wizard, as shown below.

    Figure 48: VPN Wizard - Start

    Figure 49: VPN Wizard - General

    General Settings

    Policy Name
    Enter a suitable name. This name is not supplied to the remote VPN. It is used only to help you manage the policies.
    Enable Policy
    Enable or disable the policy as required. For each remote VPN, only 1 policy can be enabled at any time.
    Remote VPN Endpoint
    The Internet IP address of the remote VPN endpoint (Gateway or client).
    • Dynamic. Select this if the Internet IP address is unknown. In this case, only incoming connections are possible.
    • Fixed. Select this if the remote endpoint has a fixed Internet IP address.
    Keys
    Select Manually assigned or IKE (Internet Key Exchange) as required.
    If you are setting up both endpoints, using IKE is recommended.

  2. Click Next to continue. You will see a screen like the following:

    Figure 50: VPN Wizard - Traffic Selector

    Local IP addresses

    Type
    • Any - no additional data is required. Any IP address is acceptable.
      • For outgoing connections, this allows any PC on the LAN to use the VPN tunnel.
      • For incoming connections, this allows a PC using the remote endpoint to access any PC on your LAN.
    • Single address - enter an IP address in the "Start IP address" field.
    • Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field.
    • Subnet address - enter the desired IP address in the "Start IP address" field, and the network mask in the "Subnet Mask" field.
    The remote VPN must have these IP addresses entered as its "Remote" addresses.

    Remote IP addresses

    Type
    • Single address - enter an IP address in the "Start IP address" field.
    • Range address - enter the starting IP address in the "Start IP address" field, and the finish IP address in the "Finish IP address" field.
    • Subnet address - enter the desired IP address in the "Start IP address" field, and the network mask in the "Subnet Mask" field.
    The remote VPN should have these IP addresses entered as its "Local" addresses.

  3. Click Next to continue. The screen you will see depends on whether you previously selected "Manual Key Exchange" or "IKE".
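As an added example (not the gateway's own code or screens), the following Python models the four Traffic Selector types from this screen, applies the first-matching-policy rule described under "Policies" and on the VPN Policies screen, and checks that two LANs joined by a tunnel use different address ranges, as the VPN Configuration section requires. The policy list, its names and its addresses are constructed to resemble the LAN A gateway of Example 1 later in this chapter; only the type labels ("Any", "Single", "Range", "Subnet") come from the wizard.

```python
import ipaddress

# Added example: a model of how a gateway applies traffic selectors and
# policy order. It is not the Broadband VPN Gateway's firmware; the type
# labels ("Any", "Single", "Range", "Subnet") follow the wizard's fields.


def selector_networks(selector):
    """Expand one traffic-selector entry into a list of ipaddress networks.

    selector is a dict with a "type" key and, depending on the type, the
    "start", "finish" and "mask" fields the wizard asks for.
    """
    kind = selector["type"]
    if kind == "Any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if kind == "Single":
        return [ipaddress.ip_network(selector["start"] + "/32")]
    if kind == "Range":
        first = ipaddress.ip_address(selector["start"])
        last = ipaddress.ip_address(selector["finish"])
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "Subnet":
        return [ipaddress.ip_network(
            selector["start"] + "/" + selector["mask"], strict=False)]
    raise ValueError("unknown selector type: " + kind)


def address_in(networks, addr):
    """True if addr falls inside any network in the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def first_matching_policy(policies, src, dst):
    """Return the first *enabled* policy whose selectors cover src -> dst.

    Policies are examined in list order and the first match wins, which is
    the ordering rule the manual describes: a later, more specific policy
    is never consulted once an earlier one matches.
    """
    for policy in policies:
        if not policy["enabled"]:
            continue
        if (address_in(selector_networks(policy["local"]), src)
                and address_in(selector_networks(policy["remote"]), dst)):
            return policy
    return None


def lans_distinct(lan_a, lan_b):
    """The two LANs joined by a tunnel must not share any addresses."""
    return not ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))


# Constructed policy list for a LAN A gateway (192.168.0.0/24 here,
# 192.168.1.0/24 behind the remote gateway), in the order they are listed.
POLICIES = [
    {"name": "Policy 1", "enabled": True,
     "local": {"type": "Any"},
     "remote": {"type": "Range", "start": "192.168.1.1", "finish": "192.168.1.254"}},
    # More specific, but listed second, so it is shadowed by Policy 1.
    {"name": "Policy 2", "enabled": True,
     "local": {"type": "Single", "start": "192.168.0.10"},
     "remote": {"type": "Subnet", "start": "192.168.1.0", "mask": "255.255.255.0"}},
    # Disabled policies are skipped entirely.
    {"name": "Disabled", "enabled": False,
     "local": {"type": "Any"},
     "remote": {"type": "Subnet", "start": "10.0.0.0", "mask": "255.0.0.0"}},
]

if __name__ == "__main__":
    hit = first_matching_policy(POLICIES, "192.168.0.10", "192.168.1.20")
    print("192.168.0.10 -> 192.168.1.20 uses", hit["name"])
    print("192.168.0.10 -> 10.1.2.3 uses",
          first_matching_policy(POLICIES, "192.168.0.10", "10.1.2.3"))
    print("LANs distinct:", lans_distinct("192.168.0.0/24", "192.168.1.0/24"))
```

Running the block shows "Policy 1" selected for traffic that Policy 2 also covers; moving Policy 2 above Policy 1 (or using the "Move" operation on the real gateway) is what makes the narrower policy take effect.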

Manual Key Exchange

Figure 51: VPN Wizard - Manual Key Exchange

These settings must match the remote VPN. Note that you cannot use both AH and ESP.

Manually assigned Keys

AH Authentication
AH (Authentication Header) specifies the authentication protocol for the VPN header, if used. (AH is often NOT used.)
If AH is not enabled, the following settings can be ignored.
Keys
  • The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
  • Keys can be in ASCII or Hex (0..9 A..F).
  • For MD5, the keys should be 32 hex/16 ASCII characters.
  • For SHA-1, the keys should be 40 hex/20 ASCII characters.
SPI
  • Each SPI (Security Parameter Index) must be unique.
  • The "in" SPI here must match the "out" SPI on the remote VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
  • Each SPI should be at least 3 characters.
ESP Encryption
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both Encryption and Authentication.
  • The "3DES" algorithm provides greater security than "DES", but is slower.
  • The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
ESP Authentication
Generally, you should enable ESP Authentication. There is little difference between the available algorithms. Just ensure each endpoint uses the same setting.
  • The "in" key here must match the "out" key on the remote VPN, and the "out" key here must match the "in" key on the remote VPN.
  • Keys can be in ASCII or Hex (0..9 A..F).
  • For MD5, the keys should be 32 hex/16 ASCII characters.
  • For SHA-1, the keys should be 40 hex/20 ASCII characters.
ESP SPI
This is required if either ESP Encryption or ESP Authentication is enabled.
  • Each SPI (Security Parameter Index) must be unique.
  • The "in" SPI here must match the "out" SPI on the remote VPN, and the "out" SPI here must match the "in" SPI on the remote VPN.
  • Each SPI should be at least 3 characters.
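The rules above (AH and ESP not both enabled; key lengths per algorithm; each "in" key mirrored by the remote "out" key; SPIs unique, at least 3 characters, mirrored, and present whenever ESP is used) are easy to get wrong when typed into two web interfaces. The following Python is an added example, not part of the manual or the gateway: it checks a pair of manually keyed policies for those rules. The MD5 and SHA-1 key lengths come from the manual; the DES (16 hex / 8 ASCII) and 3DES (48 hex / 24 ASCII) key lengths are the algorithms' standard sizes, which the manual does not state. All key and SPI values are constructed placeholders.

```python
# Added example: consistency checker for a pair of manually keyed policies.
# Not vendor code. Authentication key lengths are from the manual; the
# DES/3DES sizes are the algorithms' standard sizes (not stated in the manual).

AUTH_KEY_LENGTHS = {"MD5": (32, 16), "SHA-1": (40, 20)}  # (hex chars, ASCII chars)
ENC_KEY_LENGTHS = {"DES": (16, 8), "3DES": (48, 24)}     # standard sizes, not from the manual
HEX_DIGITS = set("0123456789abcdefABCDEF")


def key_length_ok(key, algorithm, table):
    """Accept the key either as hex of the hex length or as ASCII of the ASCII length."""
    hex_len, ascii_len = table[algorithm]
    if len(key) == hex_len and set(key) <= HEX_DIGITS:
        return True
    return len(key) == ascii_len and key.isascii()


def validate_endpoint(cfg, label):
    """Checks that apply to one endpoint on its own; returns a list of problems."""
    errors = []
    ah, esp_enc, esp_auth = cfg.get("ah"), cfg.get("esp_encryption"), cfg.get("esp_authentication")
    if ah and (esp_enc or esp_auth):
        errors.append(f"{label}: AH and ESP cannot both be used")
    for name, section, table in (("AH", ah, AUTH_KEY_LENGTHS),
                                 ("ESP authentication", esp_auth, AUTH_KEY_LENGTHS),
                                 ("ESP encryption", esp_enc, ENC_KEY_LENGTHS)):
        if not section:
            continue
        for direction in ("key_in", "key_out"):
            if not key_length_ok(section[direction], section["algorithm"], table):
                errors.append(f"{label}: {name} {direction} has the wrong length for {section['algorithm']}")
    spis = []
    if ah:
        spis += [ah["spi_in"], ah["spi_out"]]
    if esp_enc or esp_auth:
        if not cfg.get("esp_spi"):
            errors.append(f"{label}: ESP SPI is required when ESP is enabled")
        else:
            spis += [cfg["esp_spi"]["in"], cfg["esp_spi"]["out"]]
    for spi in spis:
        if len(spi) < 3:
            errors.append(f"{label}: SPI {spi!r} is shorter than 3 characters")
    if len(set(spis)) != len(spis):
        errors.append(f"{label}: SPIs must be unique")
    return errors


def validate_pair(a, b):
    """Cross-tunnel checks: A's 'in' values must equal B's 'out' values and vice versa."""
    errors = validate_endpoint(a, "A") + validate_endpoint(b, "B")
    for section in ("ah", "esp_encryption", "esp_authentication"):
        sa, sb = a.get(section), b.get(section)
        if bool(sa) != bool(sb):
            errors.append(f"{section}: enabled on one endpoint only")
            continue
        if not sa:
            continue
        if sa["algorithm"] != sb["algorithm"]:
            errors.append(f"{section}: algorithms differ ({sa['algorithm']} vs {sb['algorithm']})")
        if sa["key_in"] != sb["key_out"] or sa["key_out"] != sb["key_in"]:
            errors.append(f"{section}: keys are not mirrored between the endpoints")
    spi_a, spi_b = a.get("esp_spi"), b.get("esp_spi")
    if spi_a and spi_b and (spi_a["in"] != spi_b["out"] or spi_a["out"] != spi_b["in"]):
        errors.append("esp_spi: SPIs are not mirrored between the endpoints")
    if a.get("ah") and b.get("ah") and (a["ah"]["spi_in"] != b["ah"]["spi_out"]
                                        or a["ah"]["spi_out"] != b["ah"]["spi_in"]):
        errors.append("ah: SPIs are not mirrored between the endpoints")
    return errors


# Constructed pair: ESP with 3DES encryption and MD5 authentication, AH disabled.
# Keys are placeholders (48 hex chars for 3DES, 16 ASCII chars for MD5).
ENDPOINT_A = {
    "ah": None,
    "esp_encryption": {"algorithm": "3DES",
                       "key_in": "00112233445566778899aabbccddeeff0011223344556677",
                       "key_out": "ffeeddccbbaa99887766554433221100ffeeddccbbaa9988"},
    "esp_authentication": {"algorithm": "MD5",
                           "key_in": "lanB-to-lanA-md5", "key_out": "lanA-to-lanB-md5"},
    "esp_spi": {"in": "1001", "out": "1002"},
}
ENDPOINT_B = {  # the mirror image of A, as the manual requires
    "ah": None,
    "esp_encryption": {"algorithm": "3DES",
                       "key_in": ENDPOINT_A["esp_encryption"]["key_out"],
                       "key_out": ENDPOINT_A["esp_encryption"]["key_in"]},
    "esp_authentication": {"algorithm": "MD5",
                           "key_in": ENDPOINT_A["esp_authentication"]["key_out"],
                           "key_out": ENDPOINT_A["esp_authentication"]["key_in"]},
    "esp_spi": {"in": "1002", "out": "1001"},
}

if __name__ == "__main__":
    print("problems:", validate_pair(ENDPOINT_A, ENDPOINT_B) or "none")
```

An empty result means the two configurations can form a tunnel; each string in a non-empty result names the endpoint and field to correct.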


For Manual Key Exchange, configuration is now complete.


IKE Phase 1

If you selected IKE, the following screen is displayed after the Traffic Selector screen.

Figure 52: VPN Wizard - IKE Phase 1

IKE Phase 1 (IKE SA)

Direction
Select the desired option:
  • Initiator - Only outgoing connections will be created. Incoming connection attempts will be rejected.
  • Responder - Only incoming connections will be accepted. Outgoing traffic which would otherwise result in a connection will be ignored.
  • Both Directions - Both incoming and outgoing connections are allowed.
Local Identity
This setting must match the "Remote Identity" on the remote VPN. IP address is the more common method.
Remote Identity
This setting must match the "Local Identity" on the remote VPN.
IP address is the more common method.
Authentication
  • RSA Signature requires that both VPN endpoints have valid Certificates issued by a CA (Certification Authority).
  • For Pre-shared key, enter the same key value in both endpoints. The key should be at least 8 characters (maximum is 128 characters). Note that this key is used for the IKE SA only. The keys used for the IPsec SA are automatically generated.
Encryption
Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.
IKE Exchange Mode
Select the desired option, and ensure the remote VPN endpoint uses the same mode. Main Mode provides identity protection for the hosts initiating the IPSec session, but takes slightly longer to complete. Aggressive Mode provides no identity protection, but is quicker.
IKE SA Life Time
This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
DH Group
Select the desired method, and ensure the remote VPN endpoint uses the same method. The smaller bit size is slightly faster.
IKE PFS
If enabled, PFS (Perfect Forward Secrecy) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key.
This setting should match the remote endpoint.

Click Next to see the following IKE Phase 2 screen.

Figure 53: VPN Wizard - IKE Phase 2

IKE Phase 2 (IPsec SA)

IPsec SA Life Time
This setting does not have to match the remote VPN endpoint; the shorter time will be used. Although measured in seconds, it is common to use time periods of several hours, such as 28,800 seconds.
IPSec PFS
If enabled, PFS (Perfect Forward Secrecy) enhances security by changing the IPsec key at regular intervals, and ensuring that each key has no relationship to the previous key. Thus, breaking 1 key will not assist in breaking the next key.
AH Authentication
AH (Authentication Header) specifies the authentication protocol for the VPN header, if used.
AH is often NOT used. If you do enable it, ensure the algorithm selected matches the other VPN endpoint.
ESP Encryption
ESP (Encapsulating Security Payload) provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to enable both ESP Encryption and ESP Authentication.
Select the desired method, and ensure the remote VPN endpoint uses the same method. The "3DES" algorithm provides greater security than "DES", but is slower.
ESP Authentication
Generally, you should enable ESP Authentication. There is little difference between the available algorithms. Just ensure each endpoint uses the same setting.


For IKE, configuration is now complete.


Examples

This section describes some examples of using the Broadband VPN Gateway in common VPN situations.

Example 1: Connecting 2 Broadband VPN Gateways

In this example, 2 LANs are connected via VPN.

Figure 54: Connecting 2 Broadband VPN Gateways

Note

Configuration Settings

Setting                      | LAN A Gateway                 | LAN B Gateway                 | Notes
-----------------------------|-------------------------------|-------------------------------|------
Name                         | Policy 1                      | Policy 1                      | Name does not affect operation. Select a meaningful name.
Remote Endpoint              | 205.17.11.43                  | 202.11.13.211                 | Other endpoint's WAN (Internet) IP address.
Local IP addresses           | Any                           | Any                           | Use a more restrictive definition if possible.
Remote IP addresses          | 192.168.1.1 to 192.168.1.254  | 192.168.0.1 to 192.168.0.254  | Address range on other endpoint. Use a more restrictive definition if possible.
Key Exchange                 | IKE                           | IKE                           | Must match
IKE SA Parameters            |                               |                               |
IKE Direction                | Both ways                     | Both ways                     | Does not have to match. Either endpoint can block 1 direction.
Local Identity               | IP address                    | IP address                    | IP address is the most common ID method
Remote Identity              | IP address                    | IP address                    | IP address is the most common ID method
IKE Authentication method    | Pre-shared Key                | Pre-shared Key                | Certificates are not widely used.
Pre-shared Key               | Xxxxxxxxxx                    | Xxxxxxxxxx                    | Must match
IKE Authentication algorithm | MD5                           | MD5                           | Must match
IKE Encryption               | DES                           | DES                           | Must match
IKE Exchange mode            | Main Mode                     | Main Mode                     | Must match
DH Group                     | Group 1 (768 bit)             | Group 1 (768 bit)             | Must match
IKE SA Life time             | 28800                         | 28800                         | Does not have to match. Shorter period will be used.
IKE PFS                      | Disable                       | Disable                       | Must match
IPSec SA Parameters          |                               |                               |
IPSec SA Life time           | 28800                         | 28800                         | Does not have to match. Shorter period will be used.
IPSec PFS                    | Disabled                      | Disabled                      | Must match
AH authentication            | Disabled                      | Disabled                      | AH is rarely used
ESP authentication           | Enable/MD5                    | Enable/MD5                    | Must match
ESP encryption               | Enable/DES                    | Enable/DES                    | Must match
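The "Must match" and "Does not have to match" notes in this table, together with the identity cross-match and the Direction options from the IKE Phase 1 screen, can be expressed as a checker that is run before either gateway is touched. The following Python is an added example, not vendor code: the two dictionaries carry the LAN A and LAN B values from the table above (the pre-shared key is kept as the manual's placeholder), the function reports every field that must agree but does not, flags the one Direction combination that can never establish a tunnel, and returns the effective SA lifetimes as the shorter of the two values.

```python
# Added example: checks two IKE policies against the agreement rules the
# manual gives for IKE Phase 1 and Phase 2. Not the gateway's own code.

# Fields the manual marks "Must match".
MUST_MATCH = [
    "key_exchange", "ike_authentication", "pre_shared_key", "ike_auth_algorithm",
    "ike_encryption", "ike_exchange_mode", "dh_group", "ike_pfs",
    "ipsec_pfs", "ah_authentication", "esp_authentication", "esp_encryption",
]
# Fields that need not match; the shorter lifetime is the one actually used.
LIFETIMES = ["ike_sa_lifetime", "ipsec_sa_lifetime"]


def compare_endpoints(a, b):
    """Return (errors, warnings, effective_lifetimes) for two policies meant to form one tunnel."""
    errors, warnings = [], []
    for field in MUST_MATCH:
        if a[field] != b[field]:
            errors.append(f"{field} differs: {a[field]!r} vs {b[field]!r}")
    # Identities cross over: the local identity here is the remote identity there.
    if a["local_identity"] != b["remote_identity"] or a["remote_identity"] != b["local_identity"]:
        errors.append("identities do not cross-match (local here must equal remote there)")
    # Directions need not match, but two initiator-only (or two responder-only)
    # endpoints can never connect: each side refuses the role the other needs.
    directions = {a["ike_direction"], b["ike_direction"]}
    if directions in ({"Initiator"}, {"Responder"}):
        errors.append(f"both endpoints are {a['ike_direction']}; no connection can ever be established")
    # The manual bounds the pre-shared key at 8 to 128 characters.
    if a["ike_authentication"] == "Pre-shared Key":
        for label, cfg in (("LAN A", a), ("LAN B", b)):
            if not 8 <= len(cfg["pre_shared_key"]) <= 128:
                errors.append(f"{label}: pre-shared key must be 8 to 128 characters")
    if a["ike_encryption"] == "DES" or a["esp_encryption"] == "Enable/DES":
        warnings.append("DES in use; the manual notes 3DES provides greater security")
    effective = {field: min(a[field], b[field]) for field in LIFETIMES}
    return errors, warnings, effective


# Values from the Example 1 table; the pre-shared key is the manual's placeholder.
LAN_A = {
    "remote_endpoint": "205.17.11.43", "key_exchange": "IKE", "ike_direction": "Both ways",
    "local_identity": "IP address", "remote_identity": "IP address",
    "ike_authentication": "Pre-shared Key", "pre_shared_key": "Xxxxxxxxxx",
    "ike_auth_algorithm": "MD5", "ike_encryption": "DES", "ike_exchange_mode": "Main Mode",
    "dh_group": "Group 1 (768 bit)", "ike_sa_lifetime": 28800, "ike_pfs": "Disable",
    "ipsec_sa_lifetime": 28800, "ipsec_pfs": "Disabled", "ah_authentication": "Disabled",
    "esp_authentication": "Enable/MD5", "esp_encryption": "Enable/DES",
}
LAN_B = dict(LAN_A, remote_endpoint="202.11.13.211")

if __name__ == "__main__":
    errors, warnings, effective = compare_endpoints(LAN_A, LAN_B)
    print("errors:", errors or "none")
    print("warnings:", warnings)
    print("effective lifetimes:", effective)
```

With identity values rather than the method name "IP address" in the two identity fields, the cross-match check catches the common mistake of entering the same value for Local and Remote Identity on both gateways.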


Example 2: Windows 2000/XP Client to LAN

In this example, a Windows 2000/XP client connects to the Broadband VPN Gateway and gains access to the local LAN.

Figure 55: Windows 2000/XP Client to Broadband VPN Gateway


To use 3DES encryption, you need Service Pack 3 or later installed on Windows 2000.


Broadband VPN Gateway Configuration

Setting                      | Value                                        | Notes
-----------------------------|----------------------------------------------|------
Name                         | Win Client                                   | Name does not affect operation. Select a meaningful name.
Remote Endpoint              | 172.16.9.10                                  | Other endpoint's WAN (Internet) IP address.
Local IP addresses           | Subnet address: 192.168.0.0 / 255.255.255.0  | Allows access to entire LAN. Use a more restrictive definition if possible.
Remote IP addresses          | 172.16.9.10                                  | For a single client, this is the same as the Gateway.
Key Exchange                 | IKE                                          | Must match
IKE SA Parameters            |                                              |
IKE Direction                | Responder                                    | Only want to accept client connections.
Local Identity               | IP address                                   | Required.
Remote Identity              | IP address                                   | Required.
IKE Authentication method    | Pre-shared Key                               | Certificates are not widely used.
Pre-shared Key               | Xxxxxxxxxx                                   | Must match client PC
IKE Authentication algorithm | SHA-1                                        | Must match client PC
IKE Encryption               | 3DES                                         | Must match client PC
IKE Exchange mode            | Main Mode                                    | Must match client PC
DH Group                     | Group 1 (768 bit)                            | Must match client PC
IKE SA Life time             | 28800                                        | Does not have to match client PC. Shorter period will be used.
IKE PFS                      | Disable                                      | Must match client PC
IPSec SA Parameters          |                                              |
IPSec SA Life time           | 28800                                        | Does not have to match. Shorter period will be used.
IPSec PFS                    | Disable                                      | Must match client PC
AH authentication            | Disabled                                     | AH is rarely used
ESP authentication           | Enable/MD5                                   | Must match client PC
ESP encryption               | Enable/DES                                   | Must match client PC


Windows Client Configuration

  1. Select Start - Programs - Administrative Tools - Local Security Policy.
  2. Right click IP Security Policy on Local Machine and select Create IP Security Policy.

    Figure 56: Windows 2000/XP - Local Security Settings

  3. Click "Next", then enter a policy name, for example "DUT To Win2K", then click "Next".
  4. Step through the Wizard:
  5. The following "Properties - Rules" screen will be displayed.

    Figure 57: Windows 2000/XP - Policy Properties

  6. Deselect the "Use Add Wizard" checkbox, then click "Add" to view the screen below.

    Figure 58: IP Filter List

  7. Type "To DUT" for the name, then click "Add" to see a screen like the following.

    Figure 59: Filter Properties: Addressing

  8. Enter the Source IP address and the Destination IP address.
  9. Click "OK" to save your settings and close this dialog.

    Figure 60: New Rule Properties: IP Filter List

  10. On the resulting screen (above), ensure the "To DUT" filter is selected, then click the Filter Action tab to see a screen like the following.

    Figure 61: New Rule Properties: Filter Action

  11. Select Require Security, then click the "Edit" button to view the Require Security Properties screen.

    Figure 62: Require Security Properties

  12. Select Negotiate security (this selects IKE), then click "Add".

    Figure 63: Modify Security Method

  13. On the resulting screen (above), select High [ESP], then click "OK" to save your changes and return to the Require Security Properties screen.

    Figure 64: Require Security Properties

  14. Ensure the following settings are correct, then click "OK" to return to the Filter Action tab of the Edit Rule Properties screen.

    VPN Setting                       Windows Setting
    IKE enabled                       Negotiate security
    AH disabled                       AH Integrity: <None>
    ESP encryption: Enable/DES        ESP Confidentiality: DES
    ESP authentication: Enable/MD5    ESP Integrity: MD5

  15. Click the Tunnel Setting tab, then select The tunnel endpoint is specified by this IP address. Enter the WAN (Internet) IP address of the Broadband VPN Gateway, as shown below.

    Figure 65: Tunnel Setting

  16. Click the Authentication Methods tab, then click "Edit" to see a screen like the example below.

    Figure 66: Authentication Method

  17. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
  18. Click "OK" to save your changes and return to the Authentication Methods tab of the Edit Rule Properties screen.
  19. Click "Close" to return to the DUT to Win2K properties screen. The "To DUT" filter should now be listed, as shown below.

    Figure 67: Windows 2000/XP Client to Broadband VPN Gateway

  20. To add the second (outgoing) rule, click "Add". For the name, enter "To Win2K", then click "Add".

    Figure 68: Windows 2000/XP Client to Broadband VPN Gateway

  21. Enter the Source IP address and the Destination IP address as shown below.

    Figure 69: Filter Properties: Addressing

  22. Click "OK" to save your changes, then "Close".

    Figure 70: Filter List

  23. Ensure the "To Win2K" filter is selected, then click the Filter Action tab.

    Figure 71: Filter Action

  24. Select Require Security, then click "Edit". On the Require Security Methods screen below, select Negotiate security.

    Figure 72: Security Methods

  25. Click the "Add" button. On the resulting Modify Security Method screen below, select High [ESP].

    Figure 73: Modify Security Method

  26. Click "OK" to save your changes, then click "OK" again to return to the Filter Action screen.
  27. Select the Tunnel Setting tab, and enter the WAN (Internet) IP address of this PC (172.16.9.10 in this example).

    Figure 74: Tunnel Setting

  28. Select the Authentication Methods tab, and click the "Edit" button to see the screen below.

    Figure 75: Authentication Method

  29. Select Use this string to protect the key exchange (preshared key), then enter your preshared key in the field provided.
  30. Click "OK" to save your settings, then "Close" to return to the DUT to Win2K Properties screen. There should now be 2 IP Filters listed, as shown below.

    Figure 76: DUT to Win2K Properties

  31. Select the General tab.

    Figure 77: Properties - General Tab

  32. Click the "Advanced" button to see the screen below.

    Figure 78: Key Exchange Settings

  33. Click the "Methods" button to see the screen below.

    Figure 79: Key Exchange Security Methods

  34. Select the first entry, and click the "Edit" button to see the following screen.

    Figure 80: IKE Security Algorithms

  35. Select "SHA1" for Integrity Algorithm, "3DES" for Encryption algorithm, and "Low(1)" for the Diffie-Hellman Group.
  36. Click "OK" to save, then "OK" again, and then "Close" to return to the Local Security Settings screen.
  37. Right click the DUT to Win2K Policy and select "Assign" to make your policy active.

Figure 81: Windows 2000/XP Client to Broadband VPN Gateway

Configuration is now complete.


Example 3: Windows 2000 Server to VPN Gateway

In this example, a Windows 2000 Server connects to the Broadband VPN Gateway. Users on each LAN can then gain access to the remote LAN.

Figure 82: Broadband VPN Gateway to Windows 2000 Server

Broadband VPN Gateway Configuration

This is the same as for the client setup earlier, with the exception of the IP address range for the remote endpoint.

Setting             | Single Client                                                       | Server/Gateway
--------------------|---------------------------------------------------------------------|---------------------------------------------
Remote IP addresses | 172.16.9.10 (for a single client, this is the same as the Gateway address) | Subnet address: 11.5.0.0 / 255.255.0.0 (address range used on the remote LAN)


Windows 2000 Server Configuration

Configuration is the same as for Example 2: Windows 2000/XP Client to LAN, except for specifying the Source and Destination addresses for the "Filter Properties". Instead, for both IP Filters, the Filter Properties - Addressing should be completed as follows.

Figure 83: Windows 2000 Server - Addressing


Using Certificates

Certificates are used to authenticate users. Certificates are issued to you by various CAs (Certification Authorities). These Certificates are called "Self Certificates".

Each CA also issues a certificate to itself. This Certificate is required in order to validate communication with the CA. These certificates are called "Trusted Certificates."

The Certificates screen lists both the Trusted Certificates - the certificates of each CA itself - and the Self Certificates - the certificates issued to you.

Figure 84: Certificates Screen

Trusted Certificates

Subject Name (CA)
The "Subject Name" is always the company or person to whom the Certificate is issued. For trusted certificates, this will be a CA.
Issuer Name
The CA (Certification Authority) which issued the Certificate.
Expiry Time
The date on which the Certificate expires. You should renew the Certificate before it expires.
Delete button
Use this button to delete a Trusted Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the "Delete" button.

Self Certificates

Name
The name you assigned to this Certificate. You should select a name which helps to identify this particular certificate.
Subject Name
The company or person to whom the Certificate is issued.
Issuer Name
The CA (Certification Authority) which issued the Certificate.
Expiry Time
The date on which the Certificate expires. You should renew the Certificate before it expires.
Delete button
Use this button to delete a Self Certificate. Select the checkbox in the Delete column for any Certificates you wish to delete, then click the "Delete" button.


Adding a Trusted Certificate

  1. After obtaining a new Certificate from the CA, you need to upload it to the Broadband VPN Gateway.
  2. On the "Certificates" screen, click the "Add Trusted Certificate" button to view the Add Trusted Certificate screen, shown below.

    Figure 85: Add Trusted Certificate

  3. Click the "Browse" button, and locate the certificate file on your PC.
  4. Select the file. The name will appear in the "Certificate File" field.
  5. Click "Upload" to upload the certificate file to the Broadband VPN Gateway.
  6. Click "Back" to return to the Trusted Certificate list. The new Certificate will appear in the list.

Adding a Self Certificate

This process is different from obtaining a Trusted Certificate. The Broadband VPN Gateway must generate a request for the CA. You cannot request a Certificate directly. The correct procedure is as follows:

  1. On the "Certificates" screen, click the "Add Self Certificate" button to view the first screen of the Add Self Certificate procedure, shown below.

    Figure 86: Add Self Certificate (1)

  2. Complete this screen.

    Name
    Enter a name which helps to identify this particular certificate. This name is only for your reference.
    Subject Name
    This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
    Hash Algorithm
    Select the desired option.
    Signature Algorithm
    Select the desired option. RSA is recommended.
    Signature Key Length
    Select the desired option. Normally, 1024 bits provides adequate security.

  3. Click "Next" to continue to the following screen.

    Figure 87: Add Self Certificate (2)

  4. Check that the data displayed in the Certificate Details section is correct. This data is used to generate the Certificate request. If the data is not correct, click the "Back" button and correct the previous screen.
  5. If the data is correct, copy the text in the Data to supply to CA panel to the clipboard.
  6. Apply for a Certificate:
  7. After obtaining a new Certificate, as described above, you need to upload it to the Broadband VPN Gateway. Click the "Next" button to see the screen below.

    Figure 88: Add Self Certificate (3)

  8. Upload the Certificate:

CRLs

CRLs are only necessary if using Certificates.

CRL (Certificate Revocation List) files show Certificates which have been revoked, and are no longer valid. Each CA issues its own CRLs.

It is VERY IMPORTANT to keep your CRLs up-to-date. You need to obtain the CRL for each CA regularly. The "Next Update" field in the CRL shows when the next update will be available.

To add a New CRL

  1. Obtain the CRL file from your CA.
  2. Select CRL from the VPN menu. You will see a screen like the example below.

    Figure 89: Certificate Revocation Lists

  3. Click the "Add New CRL" button. You will see a screen like the following:

    Figure 90: Upload CRL

  4. Upload the CRL file:
  5. Use the "Delete" button to delete the previous (now outdated) CRL.
