Asentria SiteBoss 530 User Manual
68
How does the unit know the VPN client is authentic (and vice versa)?
The unit uses certificate-based SSL/TLS security to authenticate the client (and the client uses the same mechanism to
authenticate the unit). Certificates can be configured with Setting Keys, but it is likely simpler for a user
to use the SSLC command on the unit. The SSLC command allows unit administrators to manipulate the SSL
VPN certificates and other authentication data associated with the VPN.
The SSLC command takes a variety of command line arguments that tell it what to do. These arguments are
mainly broken down into "actions" and "items":
• actions
  o add: add an item (load it into the unit)
  o list: list an item (display what is already in the unit)
  o delete: delete an item
• items
  o certificate
  o key
  o CA certificate
  o DH parameters
The idea behind this paradigm is that you do something (an action) on something (an item).
The command line arguments that specify actions and items are:
-e Specify item: certificate
-k Specify item: key
-r Specify item: CA certificate
-t Specify item: TLS-auth key
-h Specify item: DH parameters
-l Specify action: list item
-a Specify action: add item
-d Specify action: delete item
You must also specify which VPN you want this applied to with the "-v" command line argument:
-v x Specify VPN x, where x is 1 or 2
For example, to load the CA certificate for VPN 1, enter
SSLC -a -r -v 1
The unit cannot generate its own SSL authentication key/certificate. You must do this with another OpenVPN
server installation and load the certificates/keys, DH parameters, and possibly the TLS-auth key (if you choose the
extra layer of security that TLS-auth provides) onto the unit with the SSLC command. It is recommended that you use
the SSLC command either via Telnet in a trusted network environment or via SSH. This is for two reasons:
1. The data you upload is in text format and is accepted without any application layer protocol such as Xmodem.
Therefore, to eliminate communication errors, use the command over a TCP-based command processor
(like Telnet or SSH).
2. Some of the things you must transfer using the SSLC command are secret data (the key and the TLS-auth
key). "Secret" means that only the unit knows it (and possibly the server as well, if the server is kept
in a secure location); if this key is compromised then the security of the entire VPN is compromised.
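As an added illustration (not part of this manual or of Asentria's own tooling), the following Python script checks that a PEM object about to be pasted over Telnet/SSH is one intact block, since SSLC accepts the raw text with no Xmodem-style framing, then builds the matching SSLC line and reports whether the item is one of the "secret" ones. The label-to-flag mapping and the sample objects are this example's own assumptions.

```python
import base64
import re

# PEM label -> SSLC item flag; mapping the standard OpenSSL/OpenVPN labels onto the flags above is this example's assumption.
LABEL_TO_FLAG = {"CERTIFICATE": "-e", "PRIVATE KEY": "-k", "RSA PRIVATE KEY": "-k",
                 "DH PARAMETERS": "-h", "OpenVPN Static key V1": "-t"}
SECRET_FLAGS = {"-k", "-t"}  # the items the manual calls "secret"
BLOCK_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.+?)\n-----END \1-----\Z", re.S)

def der_length_ok(der):  # does the outer DER SEQUENCE length match the bytes present?
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        hdr = 2 + (der[1] & 0x7F)
        length = int.from_bytes(der[2:hdr], "big")
    return hdr + length == len(der)

def check_pem(text):  # return the label of one intact PEM block, else raise ValueError
    lines = [l for l in text.strip().splitlines() if not l.startswith("#")]
    m = BLOCK_RE.match("\n".join(lines))
    if not m or m.group(1) not in LABEL_TO_FLAG:
        raise ValueError("not one complete BEGIN/END block of a known type")
    label, body = m.group(1), "".join(m.group(2).split())
    if label == "OpenVPN Static key V1":  # hex body, 2048-bit key; fromhex raises ValueError on junk
        ok = len(bytes.fromhex(body)) == 256
    else:  # base64-wrapped DER; a dropped line shows up as a length mismatch
        ok = der_length_ok(base64.b64decode(body, validate=True))
    if not ok:
        raise ValueError(f"{label} body is corrupt or truncated")
    return label

def sslc_add_command(text, vpn, is_ca=False):  # -> (SSLC command line, is_secret)
    if vpn not in (1, 2):
        raise ValueError("VPN must be 1 or 2")
    label = check_pem(text)
    flag = "-r" if is_ca and label == "CERTIFICATE" else LABEL_TO_FLAG[label]
    return f"SSLC -a {flag} -v {vpn}", flag in SECRET_FLAGS

def pem(label, raw):  # wrap constructed bytes as a 64-column PEM block
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed samples (placeholders, not real credentials): a minimal DER SEQUENCE wrapper and a patterned tls-auth key.
SAMPLE_CA = pem("CERTIFICATE", b"\x30\x81\x90" + b"\xAA" * 0x90)
SAMPLE_TA = ("#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\n"
             + "\n".join(bytes(range(256)).hex()[i:i + 32] for i in range(0, 512, 32))
             + "\n-----END OpenVPN Static key V1-----\n")
```

Run check_pem on the file before pasting; when is_secret is True, the transfer should only go over SSH or a trusted network, as the manual recommends.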
The CA certificate is the certificate of the certificate authority that both the unit and the server trust. The CA signs
both the certificate for the server and the certificate for the unit. The CA certificate must exist on both machines.
The "DH parameters" item represents the Diffie-Hellman parameters. By default the unit comes with 1024-bit
parameters.
So it works through NAT-ting routers, that means it uses TCP or UDP, right?
It can use either UDP or TCP, although it works optimally with UDP. Change this to suit your firewall access
policies with the net.vpn[x].ssl.proto key (its values are "TCP" and "UDP") and the net.vpn[x].ssl.port key
(its value is an integer for the TCP/UDP port you choose).