Certificates for Branch Office VPN (BOVPN) Tunnel Authentication

When a BOVPN tunnel is created, the IPsec peers authenticate each other in IKE Phase 1 with either a pre-shared key (PSK) or a certificate that has been imported and stored on the Firebox.

When you add a new BOVPN gateway and select the certificate credential method, you see a list of the certificates that include the Extended Key Usage (EKU) identifier known as "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). An EKU identifier specifies the purposes for which a certificate can be used. To see a list of available certificates that do not include this EKU identifier, select Show All Certificates. For more information about the EKU identifier, see RFC 4945.

The Firebox supports the X.509 Certificate - Signature certificate encoding type. It does not support the X.509 Certificate - Hash and URL type, which sends a hash of the certificate and a URL from which to retrieve it rather than the certificate itself. If a third-party VPN peer sends an X.509 hash and URL certificate request to the Firebox to start security association (SA) negotiations, the Firebox drops those packets. For more information about X.509 certificates, see RFC 4945.

In Fireware v12.5 or higher, you can specify an ECDSA certificate in the BOVPN configuration. ECDSA certificates are also known as EC certificates. For more information about EC certificates, see About Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates.

In Fireware v12.6.2 or higher, when you select a certificate for authentication, you can also specify a root or intermediate CA certificate for VPN peer verification. The Firebox uses that CA certificate to verify the certificate it receives from the VPN peer: the peer certificate must be part of a certificate chain that includes the specified root or intermediate CA certificate. If the peer certificate does not chain to the specified CA certificate, the Firebox rejects the Phase 1 tunnel negotiation.

If you use certificates for authentication, track when they expire so that an expired certificate does not disrupt a critical service such as the VPN.

To use a certificate for BOVPN tunnel authentication, from Fireware Web UI:

In the Gateways section, click Add to create a new gateway.
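The three requirements above (the IKE intermediate EKU, a chain to the configured root or intermediate CA, and an unexpired validity period) can be checked with the openssl CLI before a certificate is imported into the Firebox or handed to a peer. The following script is an added example, not part of the WatchGuard documentation or of Fireware; it builds a constructed test PKI (root CA, intermediate CA, ECDSA peer certificate, plus two deliberately failing certificates) and runs those checks against it. It assumes OpenSSL 1.0.2 or later on the PATH; the file names, subject names and the 30-day expiry window are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the WatchGuard documentation or Fireware itself.
# Builds a constructed test PKI (root CA -> intermediate CA -> ECDSA peer
# certificate) with the openssl CLI, then applies the checks described above
# to candidate certificates: the "IP security IKE intermediate" EKU, the chain
# to the configured root or intermediate CA, and the validity period.
# File names, subject names and the 30-day expiry window are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

IKE_INTERMEDIATE_OID="1.3.6.1.5.5.8.2.2"

# Minimal openssl config so the example does not depend on a system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > inter.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
# Peer (end-entity) profile; the EKU line is what the gateway dialog filters on.
cat > peer.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectAltName = DNS:vpn-peer.example.com
extendedKeyUsage = $IKE_INTERMEDIATE_OID
EOF
grep -v extendedKeyUsage peer.ext > noeku.ext   # same profile without the EKU

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
# issue <key> <subject> <issuer-cert> <issuer-key> <ext-file> <days> <out.crt>
issue() {
  openssl req -new -config ca.cnf -key "$1" -subj "$2" -out "${7%.crt}.csr" 2>/dev/null
  openssl x509 -req -in "${7%.crt}.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days "$6" -extfile "$5" -out "$7" 2>/dev/null
}

newkey root.key; newkey inter.key; newkey peer.key; newkey other.key
openssl req -new -x509 -config ca.cnf -key root.key -days 3650 -out root.crt 2>/dev/null
issue inter.key "/CN=Example Issuing CA"   root.crt  root.key  inter.ext 1825 inter.crt
issue peer.key  "/CN=vpn-peer.example.com" inter.crt inter.key peer.ext   365 peer.crt
issue peer.key  "/CN=vpn-peer.example.com" inter.crt inter.key noeku.ext  365 noeku.crt
# A self-signed certificate from outside the chain: a peer the Firebox must reject.
openssl req -new -x509 -config ca.cnf -key other.key -subj "/CN=Unrelated CA" \
  -days 365 -out other.crt 2>/dev/null

# Check 1: the certificate carries the IKE intermediate EKU. OpenSSL prints the
# dotted OID when it has no name for it, so match either form.
has_ike_intermediate_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Extended Key Usage' \
    | grep -qiE '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE.?Intermediate'
}

# Check 2: the certificate chains to the trust anchor. The Firebox accepts a
# root or an intermediate CA certificate here; -partial_chain lets openssl treat
# an intermediate as the anchor too. Extra arguments are untrusted chain certs.
chains_to() {
  cert="$1"; anchor="$2"; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # word splitting of $untrusted is intended
  openssl verify -CAfile "$anchor" -partial_chain $untrusted "$cert" >/dev/null 2>&1
}

# Check 3: the certificate is still valid $2 seconds from now (30 days = 2592000).
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }

# Summary as the gateway dialog would see it: noeku.crt is listed only under
# Show All Certificates; other.crt is rejected at Phase 1 because it does not chain.
report() {
  for c in peer.crt noeku.crt other.crt; do
    eku=no; chain=no; fresh=no
    has_ike_intermediate_eku "$c" && eku=yes
    chains_to "$c" root.crt inter.crt && chain=yes
    valid_for "$c" 2592000 && fresh=yes
    printf '%-10s ike_eku=%s chains_to_root=%s valid_30d=%s\n' "$c" "$eku" "$chain" "$fresh"
  done
}
report
```

Run the script as-is to see the three-line summary; to check a real certificate, point `has_ike_intermediate_eku`, `chains_to` and `valid_for` at your own PEM files and at the root or intermediate CA certificate you intend to select in the gateway configuration. `chains_to` with only the intermediate as the anchor mirrors the Fireware v12.6.2 option of specifying an intermediate CA rather than the root.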