R U/L/H Series
User Guide, Rev. 00 (May 2015)
It is possible to create an IPsec connection with devices that do not have a static IP. To do this, click the
Mobile clients tab. The configuration is similar to the tunnel configuration, but there are fewer settings
(for example there is no PSK field; pre-shared keys for mobile clients are added in the Keys and
Certificates tab).
IMPORTANT:
When configuring an IPsec connection you will sometimes want to add custom routing.
This topic is covered in the next section.
3.2.15 Generating SSL certificates
To use SSL authentication, a few files have to be created and copied into the corresponding fields under
the OpenVPN or IPsec tabs of the www configuration. This can be done on a PC with Linux and
openssl installed. A Windows version of the software is also available at
http://gnuwin32.sourceforge.net/packages/openssl.htm.
First we need to create a folder in which all our keys and certificates will be stored; let's say it
will be ~/keys. All of the following commands are run from inside that folder. We create two files in it:
the list of issued certificates (index.txt) and the file holding the next certificate serial number (serial):
touch index.txt
echo 00 > serial
and the subdirectories where the certificates and keys will be stored:
mkdir private certs newcerts crl
To create certificates, a certificate authority (CA) is needed. It is the "main" certificate used
to sign all other certificates. First the private CA key is created:
openssl genrsa -des3 -out private/cakey.pem 1024
Warning:
please remember the CA password!
Then the CA certificate is generated:
openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem
When creating a certificate the user has to provide some information such as country, state/province, city,
company name, e-mail address and common name. The last field is the most important: it has to be
unique for every device.
After the CA certificate has been created, a certificate has to be generated for every device used.
First the private key is generated:
openssl genrsa -des3 -out private/device1key.pem
Then we generate the certificate request:
openssl req -new -key private/device1key.pem -out device1req.pem
Here the user has to enter country, state etc. again. They can be the same as before, except the common
name.
The certificate authority signs the certificate:
openssl ca -notext -in device1req.pem -out device1cert.pem
Note that openssl ca takes the location of index.txt, serial and the newcerts directory from the [ ca ]
section of its openssl.cnf (which by default points to ./demoCA), so that section has to point to ~/keys,
or a suitably edited copy of the configuration file has to be passed with the -config option.
If the certificate will be used on a U/L/H modem, the password on the private key has to be removed:
openssl rsa -in private/device1key.pem -out private/device1key.pem_nopass
The whole process is repeated for every device (common names and filenames have to be unique for
each device!).
If the IPsec protocol will be used, certain fields in the www configuration under the IPsec/Tunnels tab have to
be filled in. The content of the device1cert.pem file should be pasted into the Certificate field and the content
of device1key.pem_nopass into the Key field. The Peer Certificate field can be filled with another
device's certificate file or left empty. In that case the CA certificate has to be provided under the Keys
and Certificates tab, where the content of the cacert.pem file should be inserted.
If the OpenVPN protocol will be used, under the OpenVPN tab the content of cacert.pem has to be pasted
into the CA cert field, the content of device1cert.pem into the Server/Client cert field and
device1key.pem_nopass into the Server/Client private key field. The Diffie-Hellman parameters file has
to be created for the VPN connection:
openssl dhparam -out dh1024.pem 1024
and its content should be copied into the DH PEM field. This file is common for all devices in the VPN
network.
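As an added example (not part of this manual and not code from the modem's firmware), the following POSIX shell script performs the whole procedure of this section non-interactively: it creates the ~/keys layout, writes a minimal openssl.cnf so that openssl ca uses that directory instead of its default ./demoCA, generates the password-protected CA key and CA certificate, issues a certificate for each device, strips the device key password for the modem, and checks that every device certificate chains to the CA and matches its key. The CA password, the device names, the subject fields and the 2048-bit key size (the manual's commands use 1024) are assumptions chosen for the example; the DH step at the end uses the same size.

```shell
#!/bin/sh
# Added example: the manual's CA / device certificate procedure, scripted.
# Assumes an OpenSSL CLI (1.1 or 3.x). CA password, device names, subject
# fields and key size are constructed placeholders, not values from the manual.
set -eu

KEY_BITS="${KEY_BITS:-2048}"                 # assumption: manual shows 1024
CA_PASS="${CA_PASS:-ChangeMe-CA-Password}"   # placeholder: the CA password to remember

# Step 1: directory layout (the manual's ~/keys), CA database, and a config
# file so that `openssl ca` finds index.txt/serial/newcerts in this directory.
build_pki() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts" "$dir/crl"
    touch "$dir/index.txt"
    echo 00 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = local_ca
[ local_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = local_policy
x509_extensions = device_cert
[ local_policy ]
commonName       = supplied
organizationName = optional
countryName      = optional
[ req ]
distinguished_name = req_dn
default_md         = sha256
x509_extensions    = ca_cert
[ req_dn ]
[ ca_cert ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
[ device_cert ]
basicConstraints = CA:FALSE
EOF
    # Step 2: DES3-protected CA key (as in the manual) and self-signed CA certificate.
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$dir/private/cakey.pem" "$KEY_BITS" >/dev/null 2>&1
    openssl req -new -x509 -days 365 -config "$dir/openssl.cnf" \
        -key "$dir/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "/C=XX/O=Example Org/CN=Example Root CA" -out "$dir/cacert.pem"
}

# Step 3: per-device key, request, CA-signed certificate, and password-free key
# copy for the modem. The common name ($3) must be unique per device.
issue_device_cert() {
    dir="$1"; name="$2"; cn="$3"
    dev_pass="${name}-pass"   # constructed: device keys start out password-protected
    openssl genrsa -des3 -passout "pass:$dev_pass" -out "$dir/private/${name}key.pem" "$KEY_BITS" >/dev/null 2>&1
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/private/${name}key.pem" \
        -passin "pass:$dev_pass" -subj "/C=XX/O=Example Org/CN=$cn" -out "$dir/${name}req.pem"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -passin "pass:$CA_PASS" \
        -in "$dir/${name}req.pem" -out "$dir/${name}cert.pem" >/dev/null 2>&1
    openssl rsa -in "$dir/private/${name}key.pem" -passin "pass:$dev_pass" \
        -out "$dir/private/${name}key.pem_nopass" >/dev/null 2>&1
}

# Check before pasting into the www fields: certificate chains to cacert.pem,
# its public key matches the _nopass key, and that key is really unencrypted.
verify_device() {
    dir="$1"; name="$2"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/${name}cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/${name}cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/private/${name}key.pem_nopass" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    ! grep -q ENCRYPTED "$dir/private/${name}key.pem_nopass"
}

# Stand-alone use: `sh make_pki.sh /path/to/keys` builds the CA, two device
# certificates, and the DH parameters shared by all devices of an OpenVPN network.
if [ $# -ge 1 ]; then
    build_pki "$1"
    issue_device_cert "$1" device1 modem-01
    issue_device_cert "$1" device2 modem-02
    for d in device1 device2; do
        verify_device "$1" "$d" || { echo "$d: verification FAILED"; exit 1; }
        echo "$d: certificate chains to the CA and matches its key"
    done
    openssl dhparam -out "$1/dh$KEY_BITS.pem" "$KEY_BITS"
fi
```

The resulting cacert.pem, device1cert.pem and private/device1key.pem_nopass are the files the IPsec and OpenVPN fields described above expect. Because openssl ca records every issued certificate in index.txt and, by default, refuses a second certificate with an identical subject, a repeated common name is caught at signing time rather than at the modem.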