beautypg.com

Westermo RedFox Series User Manual

Page 800

background image

Westermo OS Management Guide

Version 4.17.0-0

❼ Remote-id: Auto (or type ”IP Address”, Identifier ”10.1.2.3” or ”alice.example.com”)
❼ DPD Action: Restart

35.1.7

Use of certificates for IKE authentication

WeOS supports IKE authentication via certificates and pre-shared keys (PSKs),
with certificate based authentication as recommended method. While PSK based
authentication can be somewhat simpler to configure, certificate based authen-
tication is often considered more secure, and makes it easier to manage setups
with multiple road-warriors.

This section provides additional hints when using certificate based authentication
of IPsec tunnels in WeOS.

1. Load/import certificates: To use certificates for IKE based authentication

you must first create/acquire certificates and private keys, and load them
onto your WeOS unit(s). See

section 7.1.8

for more information on load-

ing/importing certificates onto your WeOS unit.

2. Use case and PKI model: What certificates to load onto your WeOS unit will

depend on your specific use case. Three common use cases supported by
WeOS.

Common CA: Alice (IPsec Responder, typically a VPN Gateway), Bob

(IPsec Initiator/VPN PC client or gateway) use a common CA. This would
be a typical scenario when a company wish to allow their employees
or branch offices to connect securely to the central office. See

sec-

tion 35.1.7.1

for more information.

Different CAs: Alice and Bob have certificates issued by different CAs.

This would be a typical scenario when you wish to communicate se-
curely between units of different organisations. See

section 35.1.7.2

for

more information.

Trusted Peer: Alice and Bob can import each others certificates. This

approach does not require Alice and Bob to install each others CA cer-
tificates. In a way this case is similar to using PSKs, although a bit more
secure. See

section 35.1.7.3

for more information.

3. Verify/set time on unit: As certificates are valid for a certain time period

(start time and end time), it is important that the date/time is set correctly
on your WeOS unit. You can set the time manually (see

chapter 20

), but

800

➞ 2015 Westermo Teleindustri AB

This manual is related to the following products:
See also other documents in the category Westermo Equipment: