Important: VPN connections that support certificates are only established if the device has the correct time. Without the correct time, the device cannot correctly assess the validity of the certificates, which causes the certificates to be rejected: no connection will be established.
Several areas of the configuration have to be changed to set up VPN connections that use certificates:
- IKE proposals
- IKE proposal lists
- IKE keys
- VPN parameters
- Connection parameters

Note: Some of the values may already be available in your device depending on its firmware version. In this case you only have to check that the values are set correctly.

Important: If you are reconfiguring a remote device for certificate support with the method described below, and that device can only be reached via a VPN tunnel, then it is imperative that you reconfigure the remote device first before adjusting the connection in the local device. Changing the local configuration first would make the remote device unreachable!
- The IKE proposals are to be supplemented with two new proposals with the exact names 'RSA-AES-MD5' and 'RSA-AES-SHA', both of which use 'AES-CBC' for encryption and 'RSA signature' as the authentication mode, and which differ only in their hash method.
- A new list with the exact name 'IKE_RSA_SIG', containing the two new proposals 'RSA-AES-MD5' and 'RSA-AES-SHA', is required in the IKE proposal lists.
- In the list of IKE keys, all certificate connections must be set up with the corresponding identities.
- Once it is no longer required, the preshared key can be deleted.
- The type of the identities is reset to ASN.1 Distinguished Names (local and remote).
- The identities are entered exactly as they stand in the certificates. The individual values such as 'CN', 'O' or 'OU' can be separated by commas or slashes.
Important: Microsoft Windows displays some values in the certificates with outdated abbreviations, such as 'S' instead of 'ST' for 'stateOrProvinceName', or 'G' instead of 'GN' for 'givenName'. In these cases make sure that you use the current abbreviations 'ST' and 'GN'.

Note: Special characters in the ASN.1 Distinguished Names can be entered by typing in the hexadecimal ASCII codes after a leading backslash. For example, "\61" corresponds to a small "a".

- In the IKE connection parameters, the default IKE proposal lists for incoming aggressive-mode and main-mode connections must be set to the proposal list 'IKE_RSA_SIG'. Also observe the settings in the default IKE group, which are adjusted in the following step as necessary.
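To check an identity entry against what the certificate actually carries before the tunnel is reconfigured, here is an added example that is not part of LANCOM's documentation or firmware: the helper below applies the identity rules above (comma or slash separators, the current 'ST'/'GN' abbreviations in place of the Windows 'S'/'G', and \hh hex escapes for special characters). Escaping non-ASCII characters byte-wise as UTF-8 is an assumption of this example, as are the sample subject names.

```python
# Added helper (not a LANCOM tool): normalise a certificate DN into the form
# the IKE identity fields expect, so local and remote entries can be compared.
LEGACY_ATTR_NAMES = {"S": "ST", "G": "GN"}  # Windows display name -> current name


def parse_dn(dn):
    """Split a DN into (type, value) pairs, accepting ',' or '/' as separator."""
    s = dn.strip().lstrip("/")                 # tolerate an OpenSSL-style leading slash
    sep = "/" if "/" in s and "," not in s else ","
    pairs = []
    for rdn in s.split(sep):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = (p.strip() for p in rdn.split("=", 1))
        attr = attr.upper()
        pairs.append((LEGACY_ATTR_NAMES.get(attr, attr), value))
    return pairs


def escape_value(value):
    """Write separators and non-printable or non-ASCII bytes as \\hh hex codes.
    Assumption: characters outside ASCII are escaped byte-wise as UTF-8."""
    out = []
    for ch in value:
        if ch in ",/=\\" or not (0x20 <= ord(ch) <= 0x7E):
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def identity_string(dn):
    """Canonical comma-separated identity using the current abbreviations."""
    return ",".join("%s=%s" % (a, escape_value(v)) for a, v in parse_dn(dn))


def identities_match(configured_entry, cert_subject):
    """True only if both sides are identical after normalisation; the order of
    the RDNs is significant, so it must match as well."""
    return identity_string(configured_entry) == identity_string(cert_subject)


if __name__ == "__main__":
    # Constructed sample: the subject as Windows shows it, with the legacy 'S'
    windows_view = "CN=vpn-gw1, OU=R&D, O=Example GmbH, S=Bavaria, C=DE"
    print(identity_string(windows_view))
    # -> CN=vpn-gw1,OU=R&D,O=Example GmbH,ST=Bavaria,C=DE
```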
The default IKE proposal lists and default IKE groups in LANconfig are located under:

Finally, the VPN connection parameters must be set up to use the correct IKE proposals ('IKE_RSA_SIG'). The values for 'PFS group' and 'IKE group' must agree with the values set in the IKE connection parameters.
The VPN connection parameters in LANconfig are located under: