In this guide, we describe how ZyWALL and the SafeNet VPN client software, as the two IPSec/VPN tunnel end points, authenticate each other through PKI. We use the CA (Certificate Authority) service provided by a Windows 2000 server in this example. The whole procedure includes the following steps:
Step 1. Create a certificate request on ZyWALL.
Step 2. Enroll the certificate request with the Windows 2000 CA.
Step 3. Create a certificate request on SafeNet.
Step 4. Enroll the certificate request with the Windows 2000 CA.
Step 5. Set up the VPN rule on ZyWALL.
Step 6. Set up the VPN rule on SafeNet.

Network diagram: PC on 10.1.133.0/24 --- ZyWALL A (LAN: 10.1.133.1) --- PC at 192.168.1.36
Step 1. Create Certificate Request on ZyWALL
1. Go to VPN -> My Certificates and click the Create button.

2. Input a name for this certificate so you can identify it later. In Subject Information, give this certificate a Common Name, using either the Host IP Address, the Host Domain Name or an E-Mail address. Organizational Unit, Organization and Country are optional fields; you are free to fill them in or leave them blank. Finally, specify the key length and select "Create a certification request and save it locally for later manual enrollment".

3. Wait 1-2 minutes until "Request Generation Successful" is displayed. During this period, ZyWALL generates the private/public key pair and the certificate request.

4. After creating the certificate request, ZyWALL returns a success message.

5. In the My Certificates tab, a new entry appears in grey. This is the certificate request you just created. Click Details to export the request.

Step 2. Enroll Certificate Request

1. In this support note, we utilize the certificate enrollment service of a Microsoft Windows 2000 CA server. The enrollment procedure of your CA server may differ; check with your CA service provider for details. For how to set up a Windows 2000 CA server, refer to http://www.microsoft.com.
2. Open the URL of the CA server and fill in the User Name, Password and Domain fields.

3. Select Request a Certificate, then press the Next> button.

4. Choose Advanced request, then press the Next> button.

5. Choose "Submit a certificate request using a base64...", then press the Next> button.

6. Right-click with your mouse, then paste the certificate request you obtained in step 2.1.

7. Click "Download CA certification path".

8. A file download dialog pops up; press the Save button and choose the local folder in which to store the certification path.
9. Double-click the saved file, select Certificates, right-click the certificate and choose All Tasks -> Export...

10. The Certificate Export Wizard pops up; press Next>.

11. Choose DER encoded binary X.509 (.CER), then press Next>.

12. Specify the path to store your exported Certificate.

13. Click Finish.

14. Go to the ZyWALL web GUI -> VPN -> My Certificates and click the Import button.

15. Click the Browse... button to locate the file in which you stored ZyWALL's certificate, then press the Apply button.

16. After a while, if the grey entry turns black, the import of ZyWALL's certificate was successful.
17. Repeat steps 9 to 13 to export the CA's certificate. Note that the certification path may contain more than one CA certificate; it is not necessary to export all of them. Double-click ZyWALL's certificate (zywall_a.cert.cert in this example) and select Certification Path to see the name of the nearest CA, then export that CA's certificate. Import the saved CA certificate: click the Browse... button and select its location.

18. After importing the CA's certificate, you will see the following display.

Step 3. Create Certificate Request on SafeNet
1. Go to Program Files -> SoftRemote -> Certificate Manager -> Request Certificate...

2. Input a name for this certificate so you can identify it later. Specify the file path in which to store the request file, then click OK.

Step 4. Enroll Certificate Request
1. In this support note, we utilize the certificate enrollment service of a Microsoft Windows 2000 CA server. The enrollment procedure of your CA server may differ; check with your CA service provider for details. For how to set up a Windows 2000 CA server, refer to http://www.microsoft.com.
2. Open the URL of the CA server and fill in the User Name, Password and Domain fields.

3. Select Request a Certificate, then press the Next> button.

4. Choose Advanced request, then press the Next> button.

5. Choose "Submit a certificate request using a base64...", then press the Next> button.

6. Click the Browse link, specify the file path where you stored the certificate request from Certificate Manager, then click the Read! button.

7. The content of the certificate request is pasted into the blank field.

8. Click "Download CA certification path".

9. A file download dialog pops up; press the Save button and choose the local folder in which to store the certificate.
10. Import the saved file into Certificate Manager by clicking the Import Certificate... button.

11. Select Certificate Request Response File and specify the file path where you stored the certificate.

12. After the import succeeds, the imported certificate appears in the My Certificates tab.

Step 5. Using Certificate in VPN on ZyWALL
1. Activate the rule.
2. Give this VPN rule the name "toRemote".
3. Set Key Management to "IKE".
4. Set Negotiation Mode to "Main".
5. Edit Local: Address Type="Subnet Address", Starting IP Address="10.1.33.0", End IP Address/Subnet Mask="255.255.255.0".
6. Edit Remote: Address Type="Single Address", Starting IP Address="192.168.1.36".
7. Under Authentication Key, select Certificate and choose the certificate you enrolled for this device from the drop-down list.
8. Fill in My IP Address="192.168.1.35".
9. Peer ID Type="Subject Name"; the content is the subject name of ZyWALL B's certificate, "CN=test2".
10. Secure Gateway Address="192.168.1.36".
11. Encapsulation Mode="Tunnel".
12. Leave the other options at their defaults.

13. You can check the detailed settings by clicking the Advanced button.

Step 6. Using Certificate in VPN on SafeNet
1. Create a new connection.

2. In Remote Party Identity and Addressing, ID type=IP Subnet, Subnet=10.1.33.0, Mask=255.255.255.0. Select Connect using Secure Gateway Tunnel, ID Type=Distinguished Name, Gateway IP Address=192.168.1.35. Then press Edit Name...

3. Input ZyWALL's Certificate's Subject Name, test1, in the Name field.

4. Click My Identity in the left frame. Select Certificate=Select automatically during IKE negotiation.

5. Select Security Policy in the left frame, choose Main Mode as Phase 1 Negotiation Mode.

6. Select Authentication (Phase 1) -> Proposal 1 in the left frame. Specify Authentication Method=RSA Signatures, Encrypt Alg=DES, Hash Alg=MD5, SA Life=1200 seconds, Key Group=Diffie-Hellman Group 1.

7. Select Key Exchange (Phase 2) -> Proposal 1 in the left frame. SA Life=1200 seconds, Compress=None, check Encapsulation Protocol (ESP), Encrypt Alg=DES, Hash Alg=MD5, Encapsulation=Tunnel.
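The authentication that steps 1 to 6 set up, as an added example written for this guide (not ZyXEL's, SafeNet's or Microsoft's code): a self-signed certificate created by `issue` stands in for the Windows 2000 CA, `enroll` plays the CA's part in steps 2 and 4 (it sees only the DER request and checks its self-signature, which proves the requester holds the private key, before issuing), and `verifyPeer` performs the check each tunnel end point makes during IKE, chaining the received certificate to the imported CA certificate (step 2.17) and requiring its Subject Name to equal the rule's Peer ID (step 5.9). The CA name, serial numbers and one-day validity are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a one-day DER certificate for pub with Common Name cn; a nil parent means self-signed CA.
func issue(serial int64, cn string, pub any, parent *x509.Certificate, key *rsa.PrivateKey) ([]byte, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: parent == nil}
	if parent == nil { // self-signed: the CA signs its own template with a cert-signing key usage
		t.KeyUsage, parent = x509.KeyUsageCertSign, t
	}
	return x509.CreateCertificate(rand.Reader, t, parent, pub, key)
}

// enroll is the CA side of steps 2 and 4: verify the request's self-signature, then issue for its subject.
func enroll(csrDER []byte, ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err = csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	return issue(serial, csr.Subject.CommonName, csr.PublicKey, ca, caKey)
}

// verifyPeer is the IKE-time check at each end point: chain to the imported CA, then match the Peer ID.
func verifyPeer(certDER []byte, ca *x509.Certificate, peerCN string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // holds the CA certificate imported in step 2.17
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err == nil && cert.Subject.CommonName != peerCN { // Peer ID Type "Subject Name" (step 5.9)
		err = errors.New("peer ID mismatch: certificate is for CN=" + cert.Subject.CommonName)
	}
	return err
}
```

A certificate issued by any other CA, or one whose Common Name differs from the configured Peer ID, is rejected even though it is otherwise valid.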
