...
In order for the Unified Firewalls in the headquarter as well as in the branch office to be able to accept VPN SSL dial-in connections, a CA and two certficates one certficate have to be created on each Unified Firewall. One of the The VPN SSL certificates certificate is used in the VPN SSL settings and serves to decrypt the connections. The second VPN SSL certificate along with the certificate chain is then exported and imported into the other Unified Firewall. The imported certificate is used in the VPN SSL connection and serves to encrypt the connection.
...
- Certificate Type: Select the option Certificate.
- Template: Select the template Certificate.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Headquarter).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.
- Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections.
- Signing CA: In the dropdown menu select the CA created in step 1.1.2.
- CA Password: Enter the Private Key Password entered in step 1.1.2.
1.1.4) Create another certificate by clicking on the "Plus" icon. This is used in the VPN SSL connection in the branch office. For this purpose modify the following parameters and click Create:For the certificate created in step 1.1.3 click on the icon for the certificate export.
1.1.6) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export.
1.1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.
1.1.8) Activate the VPN SSL service via the slider, modify the following parameters and click Save:
- Host certificate: In the dropdown menu select the VPN certificate
- Certificate Type: Select the option Certificate.
- Template: Select the template Certificate.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Headquarter-Office).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.
- Signing CA: In the dropdown menu select the CA created in step 1.1.23.
- CA Private Key Password: Enter the Private Key Password entered in step 1.1.23.
| Info |
|---|
You can also modify the Validity of the certificate if necessary. |
1.1.5) For the certificate created in step 1.1.4 click on the icon for the certificate export.
1.1.6) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export.
1.1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.
1.1.8) Activate the VPN SSL service via the slider, modify the following parameters and click Save:
- Host certificate: In the dropdown menu select the VPN certificate created in step 1.1.3.
- Private Key Password: Enter the Private Key Password entered in step 1.1.3.
- Routes: Enter the networks in CIDR notation (Classless InterDomain Routing), which should be accessible via the VPN connection. In this example, the local network at the headquarter has the IP address range 192.168.23.0/24.
- Encryption Algorithm: On the tab Site-to-Site select the option AES 256.
| Info |
|---|
If necessary, you can change the Protocol and the Port. The Adress Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range may not already be in use as an internal network in the Unified Firewall. |
- Routes: Enter the networks in CIDR notation (Classless InterDomain Routing), which should be accessible via the VPN connection. In this example, the local network at the headquarter has the IP address range 192.168.23.0/24.
- Encryption Algorithm: On the tab Site-to-Site select the option AES 256.
| Info |
|---|
If necessary, you can change the Protocol and the Port. The Adress Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range may not already be in use as an internal network in the Unified Firewall. |
1.2) Creating certificates and modifying the VPN SSL settings on the Unified Firewall in the branch office:
1.2.1) Connect to the Unified Firewall in the branch office, switch to the menu Certificate Management → Certificates and ckick on the "Plus" icon to create a new certificate.
1.2.2) Modify the following parameters to create a CA and click Create:
1.2) Creating certificates and modifying the VPN SSL settings on the Unified Firewall in the branch office:
1.2.1) Connect to the Unified Firewall in the branch office, switch to the menu Certificate Management → Certificates and ckick on the "Plus" icon to create a new certificate.
1.2.2) Modify the following parameters to create a CA and click Create:
- Certificate Type: Select the option Certificate.
- Template: Select the template Certificate Authority.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-CA-Office).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.
1.2.3) Create another certificate by clicking on the "Plus" icon. This is used in the VPN SSL settings in the branch office (see step 1.2.8). For this purpose modify the following parameters and click Create:
- Certificate Type: Select the option Certificate.
- Template: Select the template Certificate Authority.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-CA-Office).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.
- Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections.
- Signing CA: In the dropdown menu select the CA created in step 1.2.2.
- CA Password: Enter the Private Key Password entered in step 1.2.2.
- is used for encrypting the Private Key.
1.2.43) Create another certificate by clicking on the "Plus" icon. This is used in the VPN SSL connection settings in the headquarterbranch office (see step 1.2.8). For this purpose modify the following parameters and click Create:
- Certificate Type: Select the option Certificate.
- Template: Select the template Certificate.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Office-Headquarter).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.: Enter a password. This is used for encrypting the Private Key.
- Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections.
- Signing CA: In the dropdown menu select the CA created in step 1.12.2.
- CA Password: Enter the Private Key Password entered in step 1.12.2.
| Info |
|---|
You can also modify the Validity of the certificate if necessary. |
1.2.54) For the certificate created in step 1.2.43 click on the icon for the certificate export.
1.2.65) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export.
1.2.76) Switch to the menu VPN → VPN SSL → VPN SSL Settings.
1.2.87) Activate the VPN SSL service via the slider, modify the following parameters and click Save:
...
| Info |
|---|
| If necessary, you can change the Protocol and the Port. The Adress Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range may not already be in use as an internal network in the Unified Firewall. |
2) Importing the certificates:
...
2.1.1) On the Unified Firewall in the headquarter go to the menu Certificate Management → Certificates and click on the button for the certificate import.
2.1.2) Leave the setting on Import Certificate, select the certificate file exported in the branch office in step 1.2.6) and click Import.
| Info |
|---|
Since the Private Key has not been exported no passwords have to be entered. |
2.2) Importing the VPN SSL certificate on the Unified Firewall in the branch office:
2.2.1) On the Unified Firewall in the branch office go to the menu Certificate Management → Certificates and click on the button for the certificate import.
2.2.2) Leave the setting on Import Certificate, select the certificate file exported in the headquarter in step 1.1.6) and click Import.
| Info |
|---|
Since the Private Key has not been exported no passwords have to be entered. |
3) Setting up the VPN SSL connections and the firewall rules:
...