Ipsec roaming clients with certificates, L2tp roaming clients with pre-shared keys – Amer Networks E5Web GUI User Manual
Page 575

• Specify if the client will use config mode.
There are a variety of IPsec client software products available from a number of suppliers and this
manual will not focus on any specific one. The network administrator should use the client that is
best suited to their budget and needs.
9.2.4. IPsec Roaming Clients with Certificates
If certificates are used with IPsec roaming clients instead of pre-shared keys then no Pre-shared
Key object is needed and the other differences in the setup described above are:
1. Load a Root Certificate and a Gateway Certificate into cOS Core. The gateway certificate needs
to have 2 parts added: a certificate file and a private key file, since cOS Core uses that private
key to prove its identity to the client during IKE authentication. The root certificate needs just
the certificate file added. The private key of the root CA should never be loaded into cOS Core;
it belongs only on the system that issues certificates.
2. When setting up the IPsec Tunnel object, specify the certificates to use under
Authentication. This is done by doing the following:
  a. Enable the X.509 Certificate option.
  b. Select the Gateway Certificate.
  c. Add the Root Certificate to use.
3. The IPsec client software will need to be appropriately configured with the certificates and
remote IP addresses. As already mentioned above, many third party IPsec client products
are available and this manual will not discuss any particular client.
The step of setting up user authentication is optional, since it only adds a further layer of
security on top of certificate authentication.
Note: The system time and date should be correct
The cOS Core date and time should be set correctly since certificates have a validity period
with a start and an expiry date and time. If the clock is wrong, a valid certificate is seen as
expired or not yet valid and the tunnel will fail to negotiate.
Also review Section 9.7, “CA Server Access”, which describes important considerations for
certificate validation.
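The certificate preparation described in steps 1 and 2 above, as an added example that is not part of the manual and not cOS Core's own tooling: a POSIX shell script that uses openssl to create a test root CA and a gateway certificate signed by it, then runs the checks an administrator should make before loading the files. The names roaming-ca and vpn-gw.example.com, the key size, the validity periods and the temporary work directory are assumptions; the import into cOS Core itself is done in the GUI as described above.

```shell
#!/bin/sh
# Added example, not from the manual or from cOS Core: build a small test PKI
# with openssl and check that the files match what step 1 expects.
# roaming-ca, vpn-gw.example.com, key sizes and validity are assumptions.
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# Root CA. roaming-ca.key stays on the issuing machine; only roaming-ca.crt
# is loaded into cOS Core as the Root Certificate object.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = roaming-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ca.cnf \
  -keyout roaming-ca.key -out roaming-ca.crt >/dev/null 2>&1

# Gateway certificate signed by the root. Both vpn-gw.crt and vpn-gw.key
# are loaded into cOS Core as the Gateway Certificate object.
cat > gw.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = vpn-gw.example.com
[v3_gw]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:vpn-gw.example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -config gw.cnf \
  -keyout vpn-gw.key -out vpn-gw.csr >/dev/null 2>&1
openssl x509 -req -in vpn-gw.csr -CA roaming-ca.crt -CAkey roaming-ca.key \
  -CAcreateserial -days 825 -sha256 -extfile gw.cnf -extensions v3_gw \
  -out vpn-gw.crt >/dev/null 2>&1

# Checks to run before loading the files into cOS Core.

# The gateway certificate chains to the root the clients will trust.
check_chain() { openssl verify -CAfile roaming-ca.crt vpn-gw.crt >/dev/null 2>&1; }

# The same chain check evaluated at a given Unix time: a gateway whose
# clock is wrong sees exactly this failure.
check_chain_at() {
  openssl verify -attime "$1" -CAfile roaming-ca.crt vpn-gw.crt >/dev/null 2>&1
}

# The private key really belongs to the gateway certificate
# (compares the public keys, so it works for RSA and EC alike).
check_keypair() {
  c=$(openssl x509 -in vpn-gw.crt -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in vpn-gw.key -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# The certificate has not expired (-checkend 0 fails once notAfter has passed).
check_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# The file loaded as the Root Certificate must carry no private key at all.
check_root_has_no_key() { ! grep -q 'PRIVATE KEY' roaming-ca.crt; }

check_chain && check_keypair && check_not_expired roaming-ca.crt \
  && check_not_expired vpn-gw.crt && check_root_has_no_key \
  && echo "ok: Root Certificate = roaming-ca.crt; Gateway Certificate = vpn-gw.crt + vpn-gw.key"
```

The script keeps the two objects apart: roaming-ca.crt alone goes into the Root Certificate, vpn-gw.crt together with vpn-gw.key into the Gateway Certificate. Calling check_chain_at with a timestamp outside the validity period (for example 946684800, the start of the year 2000) reproduces the failure that the note on system time warns about.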
9.2.5. L2TP Roaming Clients with Pre-Shared Keys
Due to the inbuilt L2TP client in Microsoft Windows, L2TP is a popular choice for roaming client
VPN scenarios. L2TP itself provides no encryption, so it is usually encapsulated in IPsec, with
IPsec running in transport mode instead of tunnel mode. The setup steps are:
1. Create an IPv4 address object (let's call it l2tp_pool) which defines the range of IP addresses
that can be handed out to clients. Note that this object is a normal address book object
and not an IP Pool object.
The range chosen for this address object can be one of the following two types:
• A range taken from the internal network to which clients will connect. If the internal
network is 192.168.0.0/24 then we might use the address range 192.168.0.10 to
192.168.0.20. The danger here is that an IP address might be accidentally used on the
Chapter 9: VPN
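A check for the range chosen in step 1 above, as an added example that is not part of the manual: a POSIX shell function that rejects a proposed l2tp_pool if it lies outside the internal network, overlaps the DHCP scope or contains a statically assigned host, which is the accidental address reuse the bullet above warns about. The manual's 192.168.0.0/24 network and 192.168.0.10 to 192.168.0.20 range are used as the pool; the DHCP scope and the static host list are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the manual: sanity-check a proposed l2tp_pool range
# before creating the address object. The DHCP scope and static hosts used in
# the sample calls at the bottom are constructed values.
set -eu

ip2int() {
  # Dotted quad to 32-bit integer.
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {
  # in_cidr ADDR CIDR: succeeds if ADDR lies inside CIDR.
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

ranges_overlap() {
  # ranges_overlap LO1 HI1 LO2 HI2: succeeds if the inclusive ranges share an address.
  [ "$(ip2int "$1")" -le "$(ip2int "$4")" ] && [ "$(ip2int "$3")" -le "$(ip2int "$2")" ]
}

check_pool() {
  # check_pool POOL_LO POOL_HI LAN_CIDR DHCP_LO DHCP_HI "HOST HOST ..."
  # Prints every problem found; returns 1 if there was any, 0 if the pool is clean.
  pool_lo=$1; pool_hi=$2; lan=$3; dhcp_lo=$4; dhcp_hi=$5; hosts=$6
  rc=0
  if [ "$(ip2int "$pool_lo")" -gt "$(ip2int "$pool_hi")" ]; then
    echo "pool start $pool_lo is above pool end $pool_hi"; rc=1
  fi
  if ! in_cidr "$pool_lo" "$lan" || ! in_cidr "$pool_hi" "$lan"; then
    echo "pool $pool_lo-$pool_hi is not a range taken from $lan"; rc=1
  fi
  if ranges_overlap "$pool_lo" "$pool_hi" "$dhcp_lo" "$dhcp_hi"; then
    echo "pool $pool_lo-$pool_hi overlaps the DHCP scope $dhcp_lo-$dhcp_hi"; rc=1
  fi
  for h in $hosts; do
    if ranges_overlap "$h" "$h" "$pool_lo" "$pool_hi"; then
      echo "static host $h sits inside the pool and would collide with a client"; rc=1
    fi
  done
  return $rc
}

# Sample calls: the manual's network and pool; DHCP scope and hosts are assumed.
check_pool 192.168.0.10 192.168.0.20 192.168.0.0/24 192.168.0.100 192.168.0.200 \
  "192.168.0.1 192.168.0.2" && echo "pool accepted"
check_pool 192.168.0.10 192.168.0.20 192.168.0.0/24 192.168.0.15 192.168.0.200 \
  "192.168.0.1 192.168.0.12" || echo "pool rejected"
```

The first call passes because the pool is inside 192.168.0.0/24 and touches neither the DHCP scope nor a static host; the second is rejected twice over, since the scope starts at .15 and a static host sits at .12. Run it against the real DHCP scope and host inventory before committing the l2tp_pool object.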