DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Self signed cert creation for VPN for dummies
22 Oct 2018 14:08 #93208
by hornbyp
I wrote:
Because the built-in list of "Remote Dial-in users" is now part of the mechanism, you can no longer use Radius for authentication (at least I can't see how).

I thought I'd better correct myself (again) :oops:
I wrote the above, partly because it didn't seem to work... but it turns out it can be made to work, just not as reliably as using a 'built-in' 'Remote Dial-in User' account. Mainly, this is a timing issue, possibly with my phone. Looking at Syslog, I can see it's sometimes still working after the phone has given in.
There is also the caveat that an Internal user (even if just a 'stub' entry) has to exist that references the matching Peer ID.
I'd assumed that when you use a certificate, it had to go to the internal list of users, find the Peer ID and then check the certificate against it. In fact, what it does is check the certificate against each 'Peer ID' entry in turn, until/if it finds a match. This is authentication of the IPsec part of the connection. Only if L2TP is being used does it do the Username/Password checking - which can indeed be done via Radius.
I found a bug / strange behaviour though: having matched the Peer ID, the 2860 looks for the first internal user that references it. It then reports that user as being authenticated (for IPsec). If more than one user references the same Peer ID, it can easily misreport it, because of this algorithm. I've not worked out why it doesn't just report the Peer ID, rather than trying to fabricate a username to go with it.
One reason might be that if it matches a Peer ID but no referencing user exists in the internal list of Remote Dial-in Users, it will not authenticate IPsec and it will not use Radius to check the Username/Password for L2TP...
The manual mentions none of this.
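As an added illustration (not code from the post or from DrayTek), the matching order hornbyp describes, modelled in Python and used to lint a constructed Remote Dial-in User table for the two pitfalls mentioned: a Peer ID with no referencing user, and several users referencing one Peer ID. The exact-string Peer ID comparison and all user/peer names are assumptions.

```python
# Added example modelling the Vigor 2860 behaviour described in the post.
# Assumption: Peer IDs are compared against the certificate subject by exact
# string equality (a stand-in for whatever comparison the router really does).
from typing import List, Optional, Tuple


class DialInUser:
    def __init__(self, name: str, peer_id: Optional[str]):
        self.name = name
        self.peer_id = peer_id  # None = username/password-only account


def match_certificate(cert_subject: str, peer_ids: List[str],
                      users: List[DialInUser]) -> Tuple[Optional[str], Optional[str]]:
    """Try each Peer ID in turn; on a match, report the FIRST user referencing it.
    Returns (matched_peer_id, reported_user). reported_user is None when no
    user references the matched Peer ID, which the post says fails IPsec auth
    and never reaches RADIUS for the L2TP username/password step."""
    for pid in peer_ids:
        if pid == cert_subject:
            for u in users:
                if u.peer_id == pid:
                    return pid, u.name
            return pid, None
    return None, None


def lint_users(peer_ids: List[str], users: List[DialInUser]) -> List[str]:
    """Flag configuration states that produce the surprises described above."""
    referenced = {}
    for u in users:
        if u.peer_id is not None:
            referenced.setdefault(u.peer_id, []).append(u.name)
    findings = []
    for pid in peer_ids:
        names = referenced.get(pid, [])
        if not names:
            findings.append(f"peer id {pid!r}: no referencing user; IPsec auth will fail")
        elif len(names) > 1:
            findings.append(f"peer id {pid!r}: referenced by {names}; only {names[0]!r} is reported")
    return findings


# Constructed sample table (hypothetical names).
PEER_IDS = ["CN=phone-alice", "CN=laptop-bob", "CN=tablet-carol"]
USERS = [
    DialInUser("alice", "CN=phone-alice"),
    DialInUser("alice-tablet", "CN=phone-alice"),  # duplicate reference -> misreport
    DialInUser("bob", "CN=laptop-bob"),
    DialInUser("dave", None),
]
# "CN=tablet-carol" is listed as a Peer ID but no user references it.

if __name__ == "__main__":
    print(match_certificate("CN=phone-alice", PEER_IDS, USERS))
    for line in lint_users(PEER_IDS, USERS):
        print(line)
```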
24 Oct 2018 19:51 #93223
by tekwipz
hornbyp wrote:
The manual mentions none of this

lol, the manual is kind of lacking about different VPN configurations. I'm going to try and set up Radius, seems like a good method and interesting to play around with
02 Nov 2018 01:13 #93267
by hornbyp
More corrections, in the light of experience :-(

I foolishly wrote:
You cannot use the 2860's built-in Root Certificate Authority (CA). Although you can create certificates, you cannot export their private keys. So these certificates are effectively issued only to the Router.

I was right about not being able to use it - but wrong about the reason.
The "Generate" option under Certificate Management >> Local Certificate does not generate a Certificate - it generates a Request for a Certificate; the idea being to cut and paste the request from the screen into a file, which you then take to your friendly Certificate Authority to have made into a certificate. When you import it back into the 2860, it marries up the request with the certificate - and now, when you view it, you see a certificate - not a 'request'. (If you've set up a Root CA on the 2860, you can sign it there and then - it's still a certificate for the 2860 itself to use though.)
Copyright © 2024 DrayTek