Series 3: How do I configure a VPN Tunnel using SSL Certificates?

SUMMARY:

This article outlines how to use SSL Certificates for VPN Authentication.


TERMS:

  • SSL:  Secure Sockets Layer is a cryptographic protocol that provides communication security over the Internet.
  • VPN:  Virtual Private Network.  Extends a private network across a public network such as the Internet.


REQUIREMENTS:

  • CradlePoint Series 3 router capable of terminating an IPSec VPN tunnel: AER2100, MBR1400, MBR1200B, IBR600, IBR650, CBA400, CBA450
  • Valid SSL certificates (CA Certificate, Router Certificate and Private Key)

First, make sure your certificates are in the file format the CradlePoint router accepts.

The required format is X.509 PEM: the Base64-encoded DER bytes as printable text, wrapped in a header and footer line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).  The file extension does not matter, but the contents must be in this format.

OpenSSL can be used to convert your certificates to this format.  It is a free download from www.openssl.org.

Common commands for converting certificates are as follows:

Convert a DER file (.crt .cer .der) to PEM:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM (the -nodes option writes the private key unencrypted, so protect the resulting file):

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

A file in the correct X.509 PEM format can be opened in Notepad and should look like the example below.

Headers and footers of PEM formatted files:

Certificate Signing Request (CSR) file in PEM format:

-----BEGIN CERTIFICATE REQUEST-----
and
-----END CERTIFICATE REQUEST-----

Private Key file in PEM format:

-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----

Certificate file in PEM format:

-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----


Example SSL Certificate Signing Request file in PEM format:

-----BEGIN CERTIFICATE REQUEST-----
MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
98TwDIK/39WEB/V607As+KoYazQG8drorw==
-----END CERTIFICATE REQUEST-----


CONFIGURATION:

  1. To set up SSL Certificate Authentication for a VPN, navigate to INTERNET > VPN TUNNELS.
  2. If the VPN Service is disabled, click the button to Enable VPN Service.
  3. Under Global VPN Settings, check the box labeled Enable Certificate Support.
  4. Click the Upload Certificate button.
  5. Press the Choose File button next to each slot to browse for your certificate files.  Make sure you choose the correct file for each type (CA Certificate, Router Certificate and Private Key).  All three files are required and must be in X.509 PEM format.
  6. Press the Load Certificate button.
  7. If you get an error, double-check your file formats.  Most likely, one or more of the files is in the wrong format.
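As an added example (not CradlePoint's code), here is a small Python check that does what step 7 asks before you upload: it tests each of the three files for the PEM header and footer labels listed above, and reports the usual causes of an upload error, such as a raw DER or PKCS#12 file that was never converted, or header dashes that were turned into en/em dashes by copy and paste.  The slot names ca/cert/key, the exact labels accepted, and the sample data are assumptions made for this example.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# Block labels the three upload slots expect, taken from the PEM header list in this article.
# Assumption: the router wants exactly these labels, so a PKCS#8 "PRIVATE KEY" header is reported as wrong.
EXPECTED_LABEL = {"ca": "CERTIFICATE", "cert": "CERTIFICATE", "key": "RSA PRIVATE KEY"}

# One PEM block: five plain hyphens, BEGIN <label>, Base64 lines, five hyphens, END <same label>.
PEM_RE = re.compile(r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>[A-Za-z0-9+/=\r\n]+)-----END (?P=label)-----")

def classify_pem(data: bytes) -> Tuple[Optional[str], str]:
    """Return (label, reason); label is None when the bytes are not a well-formed PEM block."""
    if data[:1] == b"\x30":  # DER (.cer/.der) and PKCS#12 (.pfx/.p12) both start with the ASN.1 SEQUENCE tag
        return None, "binary DER or PKCS#12: convert with openssl x509 -inform der / openssl pkcs12 first"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:  # typical when a web page or word processor turned '-----' into en/em dashes
        return None, "non-ASCII bytes: header and footer dashes must be five plain '-' characters"
    m = PEM_RE.search(text)
    if not m:
        return None, "no matching '-----BEGIN <label>-----' / '-----END <label>-----' pair"
    try:
        der = base64.b64decode(re.sub(r"\s", "", m.group("body")), validate=True)
    except ValueError:
        return None, "body between header and footer is not valid Base64"
    if not der or der[0] != 0x30:
        return None, "decoded body is not a DER SEQUENCE"
    return m.group("label"), "ok"

def check_bundle(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each slot (ca, cert, key) to 'ok' or the reason the upload is likely to be rejected."""
    result = {}
    for slot, want in EXPECTED_LABEL.items():
        label, reason = classify_pem(files.get(slot, b""))
        if label is not None and label != want:
            reason = f"wrong block type: expected {want}, found {label}"
        result[slot] = reason
    return result

# Constructed sample data (not real keys): DER SEQUENCE { INTEGER 5 } is enough body to exercise the checks.
def make_pem(label: str, body_b64: str = "MAMCAQU=") -> bytes:
    return f"-----BEGIN {label}-----\n{body_b64}\n-----END {label}-----\n".encode("ascii")

GOOD_BUNDLE = {"ca": make_pem("CERTIFICATE"), "cert": make_pem("CERTIFICATE"), "key": make_pem("RSA PRIVATE KEY")}
BAD_BUNDLE = {
    "ca": "\u2014\u2013BEGIN CERTIFICATE\u2014\u2013\nMAMCAQU=\n\u2014\u2013END CERTIFICATE\u2014\u2013\n".encode("utf-8"),
    "cert": b"\x30\x03\x02\x01\x05",  # raw DER .cer that was never converted (Base64 of this is MAMCAQU=)
    "key": make_pem("PRIVATE KEY"),  # PKCS#8 header, not the RSA PRIVATE KEY header listed above
}
```

Run check_bundle on the bytes of your three files; any slot that is not "ok" names the conversion or fix to apply before trying the upload again.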


When you configure your VPN tunnel, select Certificate for the Authentication Mode.

If the remote end of the VPN tunnel is a Cisco or Juniper router, check the box labeled ASN1.DN Identity (the router then presents the certificate's subject Distinguished Name as its IKE identity).  Otherwise, if you are using a Check Point firewall/gateway or other device, do NOT select ASN1.DN Identity.


This document only covers SSL certificate authentication.  For examples of VPN configurations, please refer to the CradlePoint knowledge base at http://knowledgebase.cradlepoint.com.


Category: Cradlepoint Series 3
