Series 3: How do I configure a VPN Tunnel using SSL Certificates?

Beverly McRae

SUMMARY: This article outlines how to use SSL Certificates for VPN Authentication.

TERMS:

  • SSL:  Secure Sockets Layer, a cryptographic protocol that provides communication security over the Internet.
  • VPN:  Virtual Private Network.  Extends a private network across a public network such as the Internet.

REQUIREMENTS:

  • CradlePoint Series 3 router capable of terminating an IPSec VPN tunnel: AER2100, MBR1400, MBR1200B, IBR600, IBR650, CBA400, CBA450
  • Valid SSL Certificates (CA Certificate, Router Certificate and Private Key)

First you will need to make sure your certificates are in the proper file format for the CradlePoint router to accept them.

The required format is X.509 PEM: the DER-encoded certificate, Base64 encoded, wrapped in a header line and a footer line (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).  The extension of the file does not matter, but the contents must be in this format.

OpenSSL can be used to convert your certificates to this file format.  It is available for free download at www.openssl.org.

Common commands for converting certificates are as follows:

Convert a DER file (.crt .cer .der) to PEM:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM:

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

A file in the correct X.509 PEM format is plain text: it can be opened in Notepad and should look like the examples below.

Headers and footers of PEM formatted files:

Certificate Signing Request (CSR) file in PEM format:

-----BEGIN CERTIFICATE REQUEST-----

and

-----END CERTIFICATE REQUEST-----

Private Key file in PEM format:

-----BEGIN RSA PRIVATE KEY-----

and

-----END RSA PRIVATE KEY-----

Certificate file in PEM format:

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----
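As an added example (not part of the CradlePoint article), the following Python checker applies the header/footer and Base64 rules above to a file's contents before upload: it reports whether the file is already PEM, raw DER or PKCS#12, and returns the article's matching openssl conversion command. The DER/PKCS#12 distinction is a heuristic on the outer ASN.1 SEQUENCE, and all sample inputs are constructed minimal DER shapes, not real certificates or keys.

```python
import base64
import binascii
import re

# One PEM block: five ASCII hyphens around BEGIN/END (pasted em/en dashes do not match).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)
# Conversion hints are the article's own openssl commands.
HINTS = {"DER": "openssl x509 -inform der -in certificate.cer -out certificate.pem",
         "PKCS12": "openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes"}

def _inner_tag(der: bytes) -> bytes:
    """First three bytes of the element nested inside the outer DER SEQUENCE."""
    length_byte = der[1]  # short form, or 0x80 | number of following length bytes
    offset = 2 + (length_byte & 0x7F if length_byte & 0x80 else 0)
    return der[offset:offset + 3]

def inspect_cert_file(data: bytes) -> tuple:
    """Return (format, pem_labels, hint); format is PEM, DER, PKCS12 or UNKNOWN."""
    labels = []
    for m in PEM_BLOCK.finditer(data):
        begin, body, end = m.group(1).decode(), m.group(2), m.group(3).decode()
        if begin != end:
            return "UNKNOWN", labels, "BEGIN/END labels differ: %s vs %s" % (begin, end)
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            return "UNKNOWN", labels, "Base64 body of %s block is corrupt" % begin
        if not der or der[0] != 0x30:  # X.509 and PKCS#1 objects are outer SEQUENCEs
            return "UNKNOWN", labels, "decoded %s body is not a DER SEQUENCE" % begin
        labels.append(begin)
    if labels:
        return "PEM", labels, "ready to upload"
    if len(data) > 2 and data[0] == 0x30:
        # Raw DER and PKCS#12 both open with a SEQUENCE tag; a PFX then carries
        # version INTEGER 3, a certificate carries the tbsCertificate SEQUENCE.
        fmt = "PKCS12" if _inner_tag(data) == b"\x02\x01\x03" else "DER"
        return fmt, labels, HINTS[fmt]
    return "UNKNOWN", labels, "no PEM header found; dashes must be plain ASCII hyphens"

def make_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM header/footer (used here to build constructed samples)."""
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label.encode(), base64.b64encode(der), label.encode())

# Constructed samples: minimal DER shapes only, not real certificates or keys.
SAMPLE_DER_CERT = b"\x30\x05\x30\x03\x02\x01\x01"  # SEQUENCE { SEQUENCE { INTEGER 1 } }
SAMPLE_PKCS12 = b"\x30\x03\x02\x01\x03"            # SEQUENCE { INTEGER 3 }
SAMPLE_PEM_CERT = make_pem("CERTIFICATE", SAMPLE_DER_CERT)
SAMPLE_BAD_DASHES = SAMPLE_PEM_CERT.replace(b"-----", "\u2014\u2013".encode())
```

Read each of the three files with open(path, "rb") and pass the bytes to inspect_cert_file() before uploading them; a file whose headers were copied from a web page or Word document fails with the ASCII hyphen hint.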

 

Example SSL Certificate Signing Request file in PEM format:

-----BEGIN CERTIFICATE REQUEST-----
(Base64-encoded request body)
-----END CERTIFICATE REQUEST-----

CONFIGURATION:

  1. To set up SSL Certificate Authentication for a VPN, navigate to INTERNET > VPN TUNNELS.
  2. If the VPN Service is disabled, click the button to Enable VPN Service.
  3. Under Global VPN Settings, check the box labeled Enable Certificate Support.
  4. Click the Upload Certificate button.
  5. Press the Choose File buttons to browse for your certificate files.  Make sure you choose the correct file for each type of certificate file.  All three files are required and must be in X.509 PEM format.
  6. Press the Load Certificate button.
  7. If you get an error, double-check your file formats.  Most likely, one or more of the files is in the wrong format.

When you configure your VPN tunnel, select Certificate for the Authentication Mode.  If the remote end of the VPN tunnel is a Cisco or Juniper router, check the box labeled ASN1.DN Identity.  Otherwise, if you are using a Check Point firewall/gateway or other device, do NOT select ASN1.DN Identity.


This document only covers SSL Certificate authentication.  For examples of VPN configurations, please refer to the CradlePoint knowledge base, https://knowledgebase.cradlepoint.com.
