DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Self signed cert creation for VPN for dummies

22 Oct 2018 14:08 #93208 by hornbyp

I wrote: Because the built-in list of "Remote Dial-in users" is now part of the mechanism, you can no longer use Radius for authentication (at least I can't see how).


I thought I'd better correct myself (again) :oops:

I wrote the above, partly because it didn't seem to work...but it turns out it can be made to work, just not as reliably as using a 'built-in' 'Remote Dial-in User' account. Mainly, this is a timing issue, possibly with my phone. Looking at Syslog, I can see it's sometimes still working after the phone has given in.

There is also the caveat, that an Internal user (even if just a 'stub' entry) has to exist, that references the matching Peer ID.

I'd assumed that when you use a certificate, it had to go to the internal list of users, find the Peer Id and then check the certificate against it. In fact, what it does, is check the certificate against each 'Peer Id' entry in turn, until/if it finds a match. This is authentication of the IPsec part of the connection. Only if L2TP is being used, does it do the Username/Password checking - which can indeed be done via Radius.

I found a bug / strange behaviour though: Having matched the Peer ID, the 2860 looks for the first internal user that references it. It then reports that user as being authenticated (for IPsec). If more than one user references the same Peer ID, it can easily misreport it, because of this algorithm. I've not worked out why it doesn't just report the Peer ID, rather than trying to fabricate a username to go with it.

One reason might be that if it matches a Peer ID, but no referencing user exists in the internal list of Remote Dial-in Users, it will not authenticate IPsec and it will not use Radius to check the Username/Password for L2TP...

The manual mentions none of this :roll:
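To make the behaviour described in this post concrete, here is an added simulation (not DrayTek code, and not from the poster) of the Peer ID matching and "first referencing user" reporting as observed on the 2860. User names, Peer ID strings, passwords and the `radius` callback are constructed for illustration; it shows why two Remote Dial-in Users sharing one Peer ID get misreported, and why a missing stub entry means RADIUS is never consulted for L2TP.

```python
# Constructed model of the observed 2860 IPsec/L2TP authentication flow.
# Names, Peer IDs and passwords below are made-up sample data.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class DialInUser:
    name: str
    peer_id: Optional[str]          # Peer ID entry this user references (None = none)
    password: Optional[str] = None  # only used for the L2TP username/password step


def match_peer_id(cert_subject: str, peer_ids: List[str]) -> Optional[str]:
    """IPsec step: the certificate is checked against each Peer ID entry in
    turn, and the first match wins (as described in the post)."""
    for pid in peer_ids:
        if pid == cert_subject:
            return pid
    return None


def authenticate(
    cert_subject: str,
    peer_ids: List[str],
    users: List[DialInUser],
    l2tp_creds: Optional[Tuple[str, str]] = None,
    radius: Optional[Callable[[str, str], bool]] = None,
) -> Tuple[bool, Optional[str], bool]:
    """Return (ipsec_ok, reported_user, l2tp_ok).

    Mirrors the observed behaviour: the FIRST internal user referencing the
    matched Peer ID is reported as authenticated, regardless of who actually
    connected; with no referencing user, IPsec fails and RADIUS is never asked."""
    pid = match_peer_id(cert_subject, peer_ids)
    if pid is None:
        return False, None, False
    referencing = [u for u in users if u.peer_id == pid]
    if not referencing:
        return False, None, False       # no stub entry: nothing reaches RADIUS
    reported = referencing[0].name      # may be the wrong user if the Peer ID is shared
    if l2tp_creds is None:
        return True, reported, True     # IPsec-only tunnel, no username/password step
    username, password = l2tp_creds
    if radius is not None:              # L2TP step can be delegated to RADIUS
        return True, reported, radius(username, password)
    local_ok = any(u.name == username and u.password == password for u in users)
    return True, reported, local_ok
```

Running `authenticate("CN=staff-phone", ...)` with both "alice" and "bob" referencing that Peer ID reports "alice" even when bob's L2TP credentials are the ones presented.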


24 Oct 2018 19:51 #93223 by tekwipz

hornbyp wrote:

I wrote:

The manual mentions none of this :roll:

lol, the manual is kind of lacking about different VPN configurations :) I'm going to try and set up Radius, seems like a good method and an interesting one to play around with :P

02 Nov 2018 01:13 #93267 by hornbyp

I foolishly wrote: You cannot use the 2860's built-in Root Certificate Authority (CA). Although you can create certificates, you cannot export their private keys. So these certificates are effectively issued only to the Router.


I was right about not being able to use it - but wrong about the reason.

The "Generate" option under Certificate Management >> Local Certificate does not generate a Certificate - it generates a Request for a Certificate; the idea being to cut and paste the request from the screen into a file, which you then take to your friendly Certificate Authority to have made into a certificate. When you import it back into the 2860, it marries up the request with the certificate - and now, when you view it, you see a certificate - not a 'request'. (If you've set up a Root CA on the 2860, you can sign it there and then - it's still a certificate for the 2860 itself to use though)
