
How to establish IPsec with X.509 from Smart VPN Client to Vigor3900?

The Vigor3900 can act as a CA server, so we can use that feature to generate and sign an X.509 certificate for a PC and then have the PC use it to create an IPsec tunnel. The example below shows how to do this in three parts.

 

Part A: Certificate Generation and Import

  1. Check that the Current System Time shown on the Vigor3900 Online Status page matches the time on the PC.

  2. Open Certificate Management >> Trusted CA Certificate, and click Build RootCA.

  3. An Add Success message appears, and the RootCA certificate is listed on the Trusted CA page.

  4. Open Certificate Management >> Local Certificate, and click Generate to generate the local certificate.

  5. An Add Success message appears, and the local certificate is listed on the Local Certificate page.

  6. Open Certificate Management >> Local Certificate again, and click Generate to generate a certificate for the PC.

  7. Select the certificate for the PC and click Download.

  8. Select PKCS12 Certificate as the format, input the PKCS12 Password and click Download. The certificate is saved to the PC with the file name “pc.p12”.

  9. Delete the certificate for the PC on the Local Certificate page.

  10. Upload the downloaded PKCS12 certificate “pc.p12” to the Vigor3900 via Certificate Management >> Remote Certificate.

  11. Make sure the certificate status is “OK”.

  12. Open Certificate Management >> Trusted CA Certificate and download the Trusted CA certificate in PKCS12 format from the Vigor3900 to the PC. The Trusted CA certificate file is saved with the file name “RootCA.p12”.

  13. Run “mmc” on the Windows PC to open the Microsoft Management Console. Select Certificates, then click Add.

    1. The Certificates snap-in wizard pops up; select Computer account, then click Next.

    2. Select Local computer and click Finish.

    3. The Certificates component has been added successfully.

  14. Import the certificate pc.p12 as a Personal certificate.

    1. Under Personal, right-click Certificates and click All Tasks >> Import....

    2. When the Certificate Import Wizard starts, click Browse to select the certificate for the PC that we downloaded from the Vigor3900, then click Next.

    3. Type the password for the private key, then click Next.

    4. Select Place all certificates in the following store and choose “Personal”, then click Next.

    5. Click Finish to complete the Certificate Import Wizard.

    6. The certificate “pc” is now listed under Personal >> Certificates.

  15. Import the certificate “RootCA.p12” as a Trusted Root certificate.

    1. Under Trusted Root Certification Authorities, right-click Certificates and click All Tasks >> Import....

    2. When the Certificate Import Wizard starts, click Browse to select the RootCA certificate that we downloaded from the Vigor3900, then click Next.

    3. Type the password for the private key, then click Next.

    4. Select Place all certificates in the following store and choose “Trusted Root Certification Authorities”, then click Next.

    5. Click Finish to complete the Certificate Import Wizard.

    6. The certificate “3900vivian” is now listed under Trusted Root Certification Authorities >> Certificates.

 

 

Part B: Create an IPsec VPN Profile on the Vigor3900 for the PC to Dial In

Open VPN and Remote Access >> VPN Profiles, select IPsec and click Add to add a new VPN profile.

  1. Select Enable for the Remote Dial-In User option.

  2. Input the Vigor3900's local IP / Subnet Mask.

  3. Specify the Remote Host IP. If the remote host has a dynamic IP, use 0.0.0.0.

  4. Select “RSA” as the Auth Type.

  5. Leave the Local Certificate and Local ID fields at their defaults. (They can be ignored for IPsec Remote Dial-In.)

  6. In the Remote ID field, there are five types:

  • Accept Any: accept the connection as long as the remote certificate has the same issuer.
  • Subject AlterName: IP: accept the connection if the remote IP matches the Subject AlterName. (The remote certificate must be generated with the IP ID Type.)
  • Subject AlterName: Domain Name: accept the connection if the Domain Name matches the Subject AlterName. (The remote certificate must be generated with the Domain Name ID Type.)
  • Subject AlterName: Email: accept the connection if the Email matches. (The remote certificate must be generated with the Email ID Type.)
  • Certificate: accept the connection only with the same certificate (selected in the Remote Certificate field).

  7. In Remote Certificate, select the certificate “pc”.

  8. Apply the settings.
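The mmc import steps of Part A can also be done from PowerShell, which makes it easy to check, before creating the Part B profile, that the PC clock is inside the certificate's validity window, that “pc” chains to the RootCA, and which Subject Alternative Name type the certificate carries (and therefore which Remote ID type the profile can use). This is an added example, not DrayTek's own code; it assumes the two PKCS12 files were saved under C:\certs (placeholder path) and runs from an elevated prompt because it writes to Cert:\LocalMachine.

```powershell
# Added example (not from DrayTek's article): import pc.p12 and RootCA.p12 the way the
# mmc wizard does, then verify the certificates before dialling the IPsec tunnel.
# Assumption: files are in C:\certs (placeholder); run from an elevated prompt.
$ErrorActionPreference = 'Stop'
$pcP12   = 'C:\certs\pc.p12'       # certificate + private key generated for the PC
$rootP12 = 'C:\certs\RootCA.p12'   # Trusted CA certificate downloaded from the router
$pcPass   = Read-Host 'PKCS12 password for pc.p12'     -AsSecureString
$rootPass = Read-Host 'PKCS12 password for RootCA.p12' -AsSecureString

# Same two stores the mmc wizard uses: Personal (My) and Trusted Root (Root).
$pc   = Import-PfxCertificate -FilePath $pcP12   -CertStoreLocation Cert:\LocalMachine\My   -Password $pcPass
$root = Import-PfxCertificate -FilePath $rootP12 -CertStoreLocation Cert:\LocalMachine\Root -Password $rootPass
if ($root.HasPrivateKey) {
    Write-Warning "RootCA.p12 carried the CA private key; Trusted Root only needs the public certificate."
}

# Part A step 1: the router signs with its own clock, so a PC clock outside the
# validity window makes certificate authentication fail.
$now = Get-Date
if ($now -lt $pc.NotBefore -or $now -gt $pc.NotAfter) {
    Write-Warning "pc certificate not valid now: $($pc.NotBefore) .. $($pc.NotAfter); PC time is $now"
}

# The PC certificate must chain to the RootCA just imported (the router checks the issuer).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck  # router publishes no CRL
if (-not $chain.Build($pc)) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain build failed: $why"
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) {
    Write-Warning "pc certificate does not chain to RootCA (issuer: $($pc.Issuer))"
}

# Subject Alternative Name (OID 2.5.29.17): its type (IP address / DNS name / e-mail)
# must match the Remote ID type chosen in the Vigor3900 IPsec profile.
$san = $pc.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "Subject Alternative Name:`n" + $san.Format($true) }
else      { "No Subject Alternative Name: use Accept Any or Certificate as the Remote ID." }
"Issuer    : $($pc.Issuer)"
"Subject   : $($pc.Subject)"
"Thumbprint: $($pc.Thumbprint) (Personal store)"
```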

 

Part C: Use Smart VPN Client to dial IPsec VPN to Vigor3900

  1. Run Smart VPN Client and insert a VPN profile.

  2. In the Dial to VPN window:

    1. Input a Profile Name.

    2. Select “IPsec Tunnel” as the Type of VPN.

    3. Enter the VPN Server IP or Host Name.

    4. Click OK.

  3. In the IPsec Policy Setting window:

    1. Select “Standard IPsec Tunnel” as the Type of IPsec, then input the Remote Subnet and Remote Subnet Mask (the local network IP of the Vigor3900).

    2. For Key-exchange Method, select “DH Group 2”.

    3. Select the Security Method as “ESP” and “3DES with MD5”.

    4. For Authentication Method, select “Certificate Authentication”, then click Browse to choose a certificate.

    5. Select the trusted CA we imported and click OK.

    6. Click OK to save the settings.

  4. Click Activate. The Dial to VPN window pops up; click OK.

  5. Ping the Vigor3900's LAN IP from the PC to trigger the IPsec tunnel. When the IP replies, the IPsec tunnel is up.

  6. The IPsec connection status can be seen on the VPN and Remote Access >> Connection Management page.

 
