Set up VPN connections to support certificates

Note: VPN connections, which support certificates, can only be set up, if the LANCOM has the correct time. If the device does not has the actual correct time, the validity of the certificates can not be evaluated. The certificates will be rejected and no connection will be set up.

Several areas of the configuration have to be changed to set up VPN connections to support certificates.

IKE proposals
IKE proposal lists
IKE key
VPN parameters
Connection parameters

Note: Some of the values may already be available in your device depending on its firmware version. In this case you just have to check that the values are set correctly.

Note: If you are reconfiguring a remote device for certificate support with the method described below, and that device can only be reached via a VPN tunnel, then it is imperative that you reconfigure the remote device first before adjusting the connection in the local device. Changing the local configuration first would make the remote device unattainable!

The proposals lists are to be supplemented with two new proposals with the exact description of 'RSA-AES-MD5' and 'RSA-AES-SHA', both of which use 'AES-CBC' for encryption and 'RSA signature' as the authentication mode, and which differ only in their hash method (MD5 and SHA1). I

LANconfig: VPN / IKE param. / IKE proposals

WEBconfig: LCOS menu tree / Setup / VPN E Proposals / IKE

A new list will be required in the proposals lists with the exact name 'IKE_RSA_SIG' which contains the two new proposals 'RSA-AES-MD5' and 'RSA-AES-SHA'.

LANconfig: VPN / IKE param. / IKE proposal lists

WEBconfig: LCOS menu tree / Setup / VPN E Proposals / IKE proposal lists

In the list of IKE keys, all certificate connections must be set up with the corresponding identities.

LANconfig: VPN / IKE-Param. / IKE key

WEBconfig: LCOS menu tree / Setup / VPN / Proposals / IKE-Keys

Once it is no longer required, the preshared key can be deleted.
- The type of the identities is reset to ASN.1 Distinguished Names (local and remote).
- The identities are entered exactly as they stand in the certificates. The individual values such as 'CN', 'O' or 'OU' can be separated by commas or slashes.
All of the values entered in the certificates must be listed in the same order. If necessary, check the certificate contents by using the Control Panel. To do this, click on Start / Control Panel / Internet Options, the 'Contents' tab and the button Certificates. Open the certificate and use the 'Details' tab to select the corresponding value. For the applicant you will find, for example, the necessary ASN.1 Distinguished Names and their abbreviations here. The values listed from top to bottom in the certificates must be entered into the IKE key from left to right. Observe the use of upper and lower case!

Note: Special characters in the ASN.1 Distinguished Names can be entered by typing in the hexadecimal ASCII codes after a leading backslash. For example, "\61" corresponds to a small "a".

Note: The display of certificates under Microsoft Windows shows for some values older short forms, for instance 'S' instead of 'ST' for 'stateOrPrivinceName' or 'G' instead of 'GN' for 'givenName'. Only use the new short forms 'ST' and 'GN'.
In the IKE connection parameters, the default IKE proposal lists for incoming aggressive-mode and main-mode connections must be set to the proposal list 'IKE_RSA_SIG'. Also observe the settings in the default IKE group which are adjusted in the following step as necessary.

LANconfig: VPN / Parameter WEBconfig: LCOS menu tree / Setup / VPN
Finally, the VPN connection parameters must be set up to use the correct IKE proposals ('IKE_RSA_SIG'). The values for 'PFS group' and 'IKE group' must agree with the values set in the IKE connection parameters. Configuration with LANconfig

LANconfig: VPN / General / Connection parameters

WEBconfig: LCOS menu tree / Setup / VPN E VPN layers