How to use X.509 certificate to create IPsec VPN between a Vigor3900 and another Vigor Router?
Vigor3900 can act as a CA server, and this feature can be used to create IPsec tunnels between a Vigor3900 and another Vigor router that supports X.509 certificates, so that the peers authenticate each other with certificates instead of a pre-shared key. Below is an example of building an IPsec VPN tunnel with X.509 certificates between a Vigor3900 and a Vigor2920.
Note: Vigor2960 doesn't support acting as a CA server.
1. First, go to Online Status on the web configuration page of Vigor3900. Check that the time setting of Vigor3900 matches the time setting in System Maintenance >> Time and Date of Vigor2920. Certificates carry a validity period, so if the two clocks disagree the certificate issued by Vigor3900 can appear "not yet valid" or "expired" on Vigor2920 and the IPsec authentication will fail.
---- For Vigor3900
---- For Vigor2920
2. Next, go to Certificate Management >> Trusted CA Certificate in the Vigor3900 WUI. Choose Build RootCA. After filling in the required information, click Apply.
3. Next, download the RootCA file to the computer.
4. Open the downloaded RootCA file with WordPad or Notepad. You will see content like the following figure. Delete everything outside the red box, i.e. keep only the lines from BEGIN CERTIFICATE to END CERTIFICATE, then save the file under the same file name. If this step is skipped, the RootCA will not upload to Vigor2920 successfully.
5. Open Certificate Management >> Trusted CA Certificate in Vigor2920 to upload the modified RootCA to Vigor2920.
6. Click IMPORT to open the import page. Import the CA certificate from the computer to Vigor2920.
7. After finishing importing, make sure the certificate has been imported successfully. If yes, it will be shown as follows:
8. Next, open Certificate Management >> Local Certificate and click GENERATE to create a certificate request.
9. Type the required information for the certificate and click Generate.
10. Copy the content listed under X509 Local Certificate Request and save it as a .txt file.
11. Now, open Certificate Management >> Remote Certificate on Vigor3900. In the Selected File field, choose the certificate request generated on Vigor2920 and upload it to Vigor3900. Remote Certificate Status shows Remote Requesting.
12. Click Sign.
13. In the Issue Certificate dialog, type a key in the Password field, e.g. 1234 (the same key is needed again in step 18, so record it; use something stronger than this example in production). Click Issue to approve the certificate request of Vigor2920.
14. Next, download the approved certificate from Vigor3900 by clicking Download. Edit the downloaded file with WordPad or Notepad: keep only the content between BEGIN CERTIFICATE and END CERTIFICATE, delete the rest, and save the file under the same name.
15. Next, import the issued certificate to Vigor2920 in the same way as in steps 5 and 6, but under Certificate Management >> Local Certificate: open that page on Vigor2920 and click IMPORT to import the certificate.
16. When it is finished, the message displayed in Status changes from Requesting to OK. You can also click View to review the issued certificate.
17. Now, Vigor3900 must also issue a certificate for itself and use that certificate to build the VPN tunnel with Vigor2920.
18. Open Certificate Management >> Local Certificate and choose Generate. Type the related information and choose Enable for the item Self Sign. Type the same key (e.g. 1234) in the Passphrase field that you entered as the Password when issuing the certificate for Vigor2920 in step 13.
19. Now the local certificate of Vigor3900 has been configured. You will find that its status displays "OK".
20. Now, open VPN and Remote Access >> IPsec Peer Identity on Vigor2920 to add a new IPsec Peer Identity profile for Vigor3900's certificate (named 3900_CA in this example).
21. Set up a VPN profile. Open VPN and Remote Access >> LAN to LAN. Select Dial-Out as the Call Direction and check Always on. Select IPsec Tunnel for Dial-Out and type the WAN IP address of Vigor3900 in the Server IP/Host Name for VPN field. Make the VPN tunnel use X.509 authentication: check Digital Signature (X.509) and select the 3900_CA peer ID profile created in step 20.
22. Set the remote network IP (i.e. the LAN IP of Vigor3900) for the VPN tunnel. After that, click OK.
23. Next, return to Vigor3900 to configure the VPN policy. Open VPN and Remote Access >> IPsec >> Policy Table to add a new VPN profile. Click Add to open the setting page and type the related information. In the Status field, click Enable; select the self-signed certificate from step 18 in the Certificate drop-down list. Type the LAN IP address of Vigor3900 in the Local IP/Subnet Mask field and the LAN IP address of Vigor2920 in the Remote IP/Subnet Mask field. Click Apply.
24. Now, check if the VPN connection is built successfully. For Vigor2920, please open VPN and Remote Access >> Connection Management.
25. For Vigor3900, please open VPN and Remote Access >> IPsec >> Status.
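Steps 4 and 14 both require trimming the downloaded file to the bare PEM block before Vigor2920 will accept it. The following Python script is an added example for this page, not code from DrayTek or from the routers: it performs that trimming on the computer, normalises the line endings that WordPad may have left in the file, and additionally checks that the base64 body decodes to a well-formed DER SEQUENCE whose declared length matches the data, which catches a copy that lost a line or was truncated before you upload it. The file name and the tiny DER sample used below are constructed for illustration; a real certificate is several hundred bytes long.

```python
"""Trim a RootCA or issued-certificate download to the bare PEM block.

Added example for the procedure above (not DrayTek code). Usage:
    python trim_pem.py RootCA.txt          # rewrites the file in place
"""
import base64
import re
import sys

# Matches one PEM certificate block, tolerating the CRLF line endings
# that Windows editors write.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_sequence_length(der: bytes) -> int:
    """Return the declared length of the outer DER SEQUENCE, or raise ValueError.

    An X.509 certificate is a SEQUENCE (tag 0x30) whose declared length must
    account for every remaining byte; a mismatch means the base64 body was
    truncated, lost a line while editing, or is not a certificate at all.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected first byte 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        length, header = first, 2
    else:                                 # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length encoding")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(
            f"DER length mismatch: declared {length}, present {len(der) - header}"
        )
    return length


def extract_pem_certificates(text: str) -> list[str]:
    """Return every certificate in `text` as a clean PEM block (LF endings, 64-column body)."""
    blocks = []
    for match in PEM_RE.finditer(text):
        body = "".join(match.group(1).split())        # drop CR/LF and stray spaces
        der_sequence_length(base64.b64decode(body, validate=True))
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
        )
    return blocks


def trim_file(path: str) -> int:
    """Rewrite `path` so it contains only the PEM block(s); return how many were kept."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        blocks = extract_pem_certificates(f.read())
    if not blocks:
        raise ValueError(f"{path}: no BEGIN/END CERTIFICATE block found")
    with open(path, "w", encoding="utf-8", newline="\n") as f:
        f.write("".join(blocks))
    return len(blocks)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(f"{name}: kept {trim_file(name)} certificate block(s)")
```

After trimming, `openssl x509 -in RootCA.txt -noout -subject -issuer -dates` on the computer shows the subject, issuer and validity period of the file you are about to upload; compare the notBefore/notAfter dates against the router clocks checked in step 1, and confirm that the issuer of the certificate from step 14 is the RootCA built in step 2.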