4.5.2.1 Self-signed Certificate Usage Scenario
Figure 205 – Self-signed Certificate Usage Scenario
Scenario Application Timing
When the enterprise gateway owns the root CA and VPN tunnelling function, it can generate its own local certificates by
being signed by itself or import any local certificates that are signed by other external CAs. It can also import the trusted
certificates for other CAs and Clients. In addition, since it has the root CA, it also can sign Certificate Signing Requests (CSR) to
form corresponding certificates for others. These certificates can be used for two remote peers to verify their identity during
establishment of a VPN tunnel.
Scenario Description
Router 1 generates the root CA and a local certificate (HQCRT) signed by itself. Import a trusted certificate (BranchCRT) –a
BranchCSR certificate of Gateway 2 signed by root CA of Router 1.
Gateway 2 creates a CSR (BranchCSR) to let the root CA of the Gateway 1 sign it to be the BranchCRT certificate. Import the
certificate into Router 2 as a local certificate. Import the certificates of the root CA of the Router 1 onto Router 2 as the
trusted ones.
Establish an IPSec VPN tunnel with IKE and X.509 protocols by starting from either peer so that all client hosts in both of
these subnets can communicate with each other.
Parameter Setup Example
For Network-A at HQ
The following tables list the parameter configuration as an example for the "My Certificate" function used in the user
authentication of the IPSec VPN tunnel establishing, as shown in the diagram above. The configuration example must be
combined with the ones in the following two sections to complete the whole user scenario.
Use default value for those parameters that are not mentioned in the tables.
To Next Page
Loading...
Need help?
General