4.5.4.1 Self-signed Certificate Usage Scenario
Figure 209 – Self-signed Certificate Usage Scenario
Scenario Application Timing
(same as the one described in "My Certificate" section)
When the enterprise gateway owns the root CA and VPN tunnelling function, it can generate its own local certificates by self-
signing it. It also imports the trusted certificates for other CAs and Clients. These certificates can be used for two remote
peers to verify their identity during establishment of a VPN tunnel.
Scenario Description
(same as the one described in "My Certificate" section)
Router 1 generates the root CA and a local certificate (NTCCRT) self-signed. Import a trusted certificate (BranchCRT) –a
BranchCSR certificate of Router 2 signed by root CA of Router 1.
Router 2 creates a CSR (BranchCSR) to let the root CA of the Router 1 sign it to be the BranchCRT certificate. Import the
certificate into Router 2 as a local certificate. It imports the certificates of the root CA of Router 1 into Router 2 as the trusted
ones. (Please also refer to "My Certificate" and "Issue Certificate" sections).
Establish an IPSec VPN tunnel with IKE and X.509 protocols by starting from either peer so that all client hosts in both of
these subnets can communicate with each other.
Parameter Setup Example
(same as the one described in "My Certificate" section)
For Network-A at HQ
The following tables list the parameter configuration as an example of the "Trusted Certificate" function used in the user
authentication of the IPSec VPN tunnel establishing, as shown in diagram above. The configuration example must be
combined with the ones in "My Certificate" and "Issue Certificate" sections to complete the setup for the whole user
scenario.
To Next Page
Loading...
Need help?
General