ICR-1601
116
can sign Certificate Signing Requests (CSR) to form corresponding certificates for others.
These certificates can be used for two remote peers to make sure their identity during establishing
a VPN tunnel.
Scenario Description
Gateway 1 generates the root CA and a local certificate (HQCRT) signed by itself. Import a trusted
certificate (BranchCRT) –a BranchCSR certificate of Gateway 2 signed by root CA of Gateway 1.
Gateway 2 creates a CSR (BranchCSR) to let the root CA of the Gateway 1 sign it to be the BranchCRT
certificate. Import the certificate into the Gateway 2 as a local certificate. In addition, also import the
certificates of the root CA of the Gateway 1 into the Gateway 2 as the trusted ones. (Please also refer
to following two sub-sections.)
Establish an IPSec VPN tunnel with IKE and X.509 protocols by starting from either peer, so that all client
hosts in these both subnets can communicate with each other.
Parameter Setup Example
For Network-A at HQ
Following tables list the parameter configuration as an example for the "My Certificate" function used
in the user authentication of IPSec VPN tunnel establishing, as shown in above diagram.
The configuration example must be combined with the ones in following two sections to complete the
whole user scenario.
Use default value for those parameters that are not mentioned in the tables.
[My Certificate]-[Root CA Certificate Configuration]
Key Type: RSA Key Length: 1024-bits
Country(C): TW State(ST): Taiwan Location(L): Tainan
Organization(O): AMITHQ Organization Unit(OU): HQRD
Common Name(CN): HQRootCA E-mail: hqrootca@amit.com.tw
[My Certificate]-[Local Certificate Configuration]
Key Type: RSA Key Length: 1024-bits
Country(C): TW State(ST): Taiwan Location(L): Tainan
Organization(O): AMITHQ Organization Unit(OU): HQRD
Common Name(CN): HQCRT E-mail: hqcrt@amit.com.tw
To Next Page
Loading...
