Note: VPN connections that use certificates can only be set up if the LANCOM has the
correct time. If the device does not have the correct time, the validity of the
certificates cannot be evaluated: the certificates will be rejected and no connection will be
set up.
Several areas of the configuration have to be changed to set up VPN connections with certificate support:
- IKE proposals
- IKE proposal lists
- IKE key
- VPN parameters
- Connection parameters
Note: Some of the values may already be available in your device depending on its firmware
version. In this case you just have to check that the values are set correctly.
Note: If you are reconfiguring a remote device for certificate support with the method described
below, and that device can only be reached via a VPN tunnel, then it is imperative that you
reconfigure the remote device first before adjusting the connection in the local device. Changing
the local configuration first would make the remote device unreachable!
- The proposal lists are to be supplemented with two new proposals with the exact names 'RSA-AES-MD5' and 'RSA-AES-SHA'. Both use 'AES-CBC' for encryption and 'RSA signature' as the authentication mode, and they differ only in their hash method (MD5 and SHA1).
LANconfig: VPN / IKE param. / IKE proposals
WEBconfig: LCOS menu tree / Setup / VPN / Proposals / IKE
- A new list with the exact name 'IKE_RSA_SIG' is required in the proposal lists; it contains the two new proposals 'RSA-AES-MD5' and 'RSA-AES-SHA'.
LANconfig: VPN / IKE param. / IKE proposal lists
WEBconfig: LCOS menu tree / Setup / VPN / Proposals / IKE proposal lists
- In the list of IKE keys, all certificate connections must be set up with the corresponding identities.
LANconfig: VPN / IKE-Param. / IKE key
WEBconfig: LCOS menu tree / Setup / VPN / Proposals / IKE-Keys
- Once it is no longer required, the preshared key can be deleted.
- The type of the identities (local and remote) is set to ASN.1 Distinguished Names.
- The identities are entered exactly as they stand in the certificates. The individual values such as 'CN', 'O' or 'OU' can be separated by commas or slashes.
Note: Special characters in the ASN.1 Distinguished Names can be entered by typing the hexadecimal ASCII code after a leading backslash. For example, "\61" corresponds to a lower-case "a".
Note: The display of certificates under Microsoft Windows shows older short forms for some values, for instance 'S' instead of 'ST' for 'stateOrProvinceName' or 'G' instead of 'GN' for 'givenName'. Only use the new short forms 'ST' and 'GN'.
- In the IKE connection parameters, the default IKE proposal lists for incoming aggressive-mode and main-mode connections must be set to the proposal list 'IKE_RSA_SIG'. Also observe the settings in the default IKE group, which are adjusted in the following step as necessary.
LANconfig: VPN / Parameter
WEBconfig: LCOS menu tree / Setup / VPN
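The identity rules above (comma or slash separators, backslash-hex escapes, and the Windows short forms 'S'/'G' versus the required 'ST'/'GN') are easy to get wrong when copying a subject out of a certificate viewer into the IKE key table. The following added example, which is not part of the manual or of LCOS, normalises two DN strings the way those rules describe and checks whether they name the same identity; the function names and the handling of a leading slash are assumptions.

```python
from __future__ import annotations
import re

# Older short forms shown by the Windows certificate viewer, mapped to the
# forms LCOS expects (the two cases the manual names).
WINDOWS_LEGACY_TYPES = {"S": "ST", "G": "GN"}

# LCOS escape: a backslash followed by the two-digit hexadecimal ASCII code.
_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape_dn_value(value: str) -> str:
    """Decode backslash-hex escapes, e.g. "\\61" -> "a", "\\2c" -> ",".
    Decoding happens after the DN is split, so an escaped comma or slash
    inside a value is not treated as a separator."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN written with ',' or '/' separators into (type, value) pairs.
    Types are upper-cased and Windows legacy short forms rewritten; values are
    decoded. A malformed RDN raises ValueError so a typo in the IKE key table
    is reported instead of silently failing to match."""
    dn = dn.strip()
    if dn.startswith("/"):  # slash notation may carry a leading slash (assumption)
        dn = dn[1:]
    rdns: list[tuple[str, str]] = []
    for part in re.split(r"\s*[,/]\s*", dn):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, value = part.split("=", 1)
        typ = typ.strip().upper()
        rdns.append((WINDOWS_LEGACY_TYPES.get(typ, typ), unescape_dn_value(value.strip())))
    return rdns


def identities_match(configured: str, certificate_subject: str) -> bool:
    """True when the identity entered in the IKE key table names exactly the
    same RDNs, in the same order, as the subject of the peer certificate."""
    return parse_dn(configured) == parse_dn(certificate_subject)


if __name__ == "__main__":
    # Constructed sample: the Windows-style display vs. the form entered in LCOS.
    shown = "CN=vpn-gw, S=Bavaria, G=Max, C=DE"
    entered = "/CN=vpn-gw/ST=Bavaria/GN=Max/C=DE"
    print(identities_match(shown, entered))  # True
```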
- Finally, the VPN connection parameters must be set up to use the correct IKE proposals ('IKE_RSA_SIG'). The values for 'PFS group' and 'IKE group' must agree with the values set in the IKE connection parameters.
LANconfig: VPN / General / Connection parameters
WEBconfig: LCOS menu tree / Setup / VPN / VPN layers
Configuration with LANconfig