Simplified network connection with certificates – proadaptive VPN

In cases where large network infrastructures are coupled via VPN, it is advantageous for the costs and effort in configuring a new subnetwork to be confined to the local VPN router and for the central dial-in router configuration to remain unchanged. In order to achieve this simplified network connection, the dial-in devices transmit their identity with the help of a digital certificate.

If simplified dial-in with certificates is activated for the router at headquarters, the remote routers can suggest a network to be used for the connection during phase 2 of the IKE negotiation. This network is entered, for example, when setting up the VPN connection on the remote router. The router at headquarters accepts the suggested network provided that both VPN > General > Simplified RAS with certificates and VPN > General > Allow peer to select remote network are activated. Moreover, the parameters used by the client during dial-in must agree with the default values in the VPN router.

Important: When configuring the dial-in remote sites, make sure that each remote site requests a specific network so that no network address conflicts arise.

If necessary, the default parameters can be found under VPN > IKE/IPSec > Default parameters.





Important: By activating the simplified RAS dial-in, all remote routers that have a valid certificate signed by the publisher of the device's root certificate can dial in to the corresponding network. No further configuration of the router is necessary! Unwanted dial-in connections are then prevented exclusively by blocking the certificates and using a CRL. The simplified connection of networks with certificates is therefore limited to models that support certificate revocation lists (CRL).
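Because the headquarters router accepts whatever network a certificate holder suggests, the two notes above (no address conflicts, revocation via CRL) can be checked against the rollout plan before remote sites go live. The following Python sketch is an added example, not LANCOM code or part of the original page; the site inventory, certificate serial numbers, headquarters network and revoked set are constructed sample data.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: (site, certificate serial, network requested in IKE phase 2)
SITES = [
    ("branch-a", "1001", "10.1.0.0/24"),
    ("branch-b", "1002", "10.2.0.0/24"),
    ("branch-c", "1003", "10.1.0.128/25"),   # lies inside branch-a's network
    ("branch-d", "1004", "192.168.0.0/16"),  # would swallow the headquarters LAN
    ("branch-e", "1005", "10.5.0.0/24"),     # serial is on the CRL
]
HQ_NETWORKS = ["192.168.1.0/24"]   # assumed headquarters LAN
REVOKED_SERIALS = {"1005"}         # assumed serials taken from the current CRL


def audit(sites, hq_networks, revoked):
    """Return findings for a planned set of simplified dial-in sites."""
    findings = []
    hq = [ipaddress.ip_network(n) for n in hq_networks]
    parsed = []
    for name, serial, net in sites:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.1.0.1/24
            network = ipaddress.ip_network(net, strict=True)
        except ValueError as exc:
            findings.append(("invalid-network", name, str(exc)))
            continue
        if serial in revoked:
            findings.append(("revoked-certificate", name, serial))
        for h in hq:
            if network.overlaps(h):
                findings.append(("overlaps-hq", name, str(h)))
        parsed.append((name, network))
    # Every pair of remote sites must request disjoint networks.
    for (n1, a), (n2, b) in combinations(parsed, 2):
        if a.overlaps(b):
            findings.append(("overlaps-site", n1, n2))
    return findings


if __name__ == "__main__":
    for finding in audit(SITES, HQ_NETWORKS, REVOKED_SERIALS):
        print(*finding)
```

An empty result means every planned site requests a distinct network and none of the listed certificates is revoked; it says nothing about certificates issued by the same CA that are missing from the inventory.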


LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
