Simplified RAS with certificates

When computers with changing IP addresses dial in, the identity of the remote site is unknown when the IKE negotiation (phase 1) begins, so phase 1 has to fall back on the default values for the IKE proposal list and IKE group. The identity is only exchanged during the negotiation, and the router then uses it to look up the parameters for phase 2 (IPsec proposal list and PFS group). For this lookup to work, every single user has to be entered individually in the VPN router's configuration.

With certificate-based RAS, the identity is carried in the certificate. To avoid maintaining an entry per user in the router configuration, a common set of phase 2 parameters can be defined for all users who identify themselves by certificate. All a user then needs for simplified RAS is a valid certificate signed by the issuer of the root certificate stored in the device. In addition, the parameters the client uses when dialing in must match the default values in the VPN router.

Note: Information about configuring the VPN client is available in the relevant documentation from the software manufacturer.

To configure simplified dial-in in LANconfig, enable the option VPN > General > Simplified RAS with certificates activated. If necessary, adjust the default parameters under VPN > IKE/IPSec > Default parameters.

Important: Once simplified RAS with certificates is activated, every client holding a valid certificate signed by the issuer of the device's root certificate can dial in to the corresponding network, with no further configuration of the router. The router itself no longer distinguishes between users; who may dial in is defined entirely by which certificates the issuing CA has signed. Unwanted dial-in connections can then be prevented only by revoking the certificates concerned and using a certificate revocation list (CRL); a certificate that has merely been lost or misplaced remains valid until it is revoked or expires.
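The following is an added example and not LANCOM code or configuration. It models the decision described above with openssl(1): a client is admitted if its certificate chains to the device's root certificate and, when a CRL is checked, is not listed on it. The lab CA, the user names (alice, mallory, eve), the file layout and the `ras_admit` function are constructed for this demonstration; the router's own checks may go beyond this model. It shows the practical consequence of the note: a revoked certificate still passes the chain check unless the CRL is actually consulted, and a certificate from any other issuer is rejected regardless of the user behind it.

```shell
#!/bin/sh
# Added example (not LANCOM code): what "simplified RAS with certificates"
# effectively decides for a dialling-in client, modelled with openssl(1).
# The lab CA, the user names and the file layout are constructed here for
# the demo; the router's own checks may go beyond this model (assumption).
set -u
LAB="$(mktemp -d)"

# Minimal OpenSSL configuration for the lab CA (req, ca and extension sections).
cat > "$LAB/lab.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints       = CA:FALSE
extendedKeyUsage       = clientAuth
authorityKeyIdentifier = keyid
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/root.pem
private_key      = $dir/root.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = lab_policy
[ lab_policy ]
commonName = supplied
EOF

# Build the lab PKI: the device's root CA, two users issued by it (one of
# whom is then revoked and listed on a fresh CRL), and a user whose
# certificate comes from an unrelated CA the device does not trust.
setup_lab() (
    set -e
    cd "$LAB"
    mkdir -p newcerts; : > index.txt; echo 1000 > serial; echo 01 > crlnumber
    openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Lab Root CA" -keyout root.key -out root.pem 2>/dev/null
    for user in alice mallory; do
        openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=$user" -keyout "$user.key" -out "$user.csr" 2>/dev/null
        openssl ca -batch -config lab.cnf -extensions v3_client -notext \
            -in "$user.csr" -out "$user.pem" 2>/dev/null
    done
    openssl ca -config lab.cnf -revoke mallory.pem 2>/dev/null
    openssl ca -config lab.cnf -gencrl -out crl.pem 2>/dev/null
    openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Other CA" -keyout other.key -out other.pem 2>/dev/null
    openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=eve" -keyout eve.key -out eve.csr 2>/dev/null
    openssl x509 -req -in eve.csr -CA other.pem -CAkey other.key -CAcreateserial \
        -days 365 -extfile lab.cnf -extensions v3_client -out eve.pem 2>/dev/null
)

# The router's decision as the page describes it: admit the client iff its
# certificate chains to the device's root certificate and, when a CRL is
# supplied, is not listed on it. Exit status 0 = admit, non-zero = reject.
ras_admit() {
    cert="$1"; crl="${2:-}"
    if [ -n "$crl" ]; then
        openssl verify -CAfile "$LAB/root.pem" -crl_check -CRLfile "$crl" \
            "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$LAB/root.pem" "$cert" >/dev/null 2>&1
    fi
}

# One line per user: the decision without and with the CRL.
report() {
    for user in alice mallory eve; do
        ras_admit "$LAB/$user.pem" && a=admit || a=REJECT
        ras_admit "$LAB/$user.pem" "$LAB/crl.pem" && b=admit || b=REJECT
        printf '%-8s chain only: %-7s chain + CRL: %s\n' "$user" "$a" "$b"
    done
}

setup_lab || { echo "lab setup failed (is openssl installed?)" >&2; exit 1; }
report
```

Running the script prints one line per user: alice is admitted either way, mallory is admitted on the chain check alone and rejected only once the CRL is consulted, and eve is rejected in both cases because her certificate was not signed by the issuer of the device's root certificate. The practical reading for a deployment is that the CRL has to be current and reachable by the router, because it is the sole control left once simplified RAS is enabled.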

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
