How to use Digital Signature (X.509) to authenticate a LAN-to-LAN IPsec VPN between Vigor routers

Vigor routers support RSA (X.509) certificates to authenticate IPsec, which enhances the security of VPN tunnels. In this article, we use XCA as the certificate authority to generate certificates for the VPN routers and build an IPsec tunnel authenticated with RSA.

VPN Server Setting

1. Go to System Maintenance >> Time and Date and make sure the time setting is correct (certificate validity periods are checked against the router's clock)

a screenshot of DrayOS Time and Date Settings

2. Go to Certificate Management >> Local Certificate and click Generate

3. Enter the certificate details, and click Generate

generate server cert

4. Click View, and copy the PEM Format Content

copy server cert

5. Run XCA, click New Certificate, and select the [default] CA template in the Certificate tab

build rootCA

6. In the Subject tab, enter the RootCA details and generate a new key, then click Create to build a RootCA that will sign the certificates for the VPN routers

build rootCA key

7. Export the RootCA in PEM (*.crt) format, and import it into the router under Certificate Management >> Trusted CA Certificate

import rootCA

8. Back in XCA, right-click in the Certificate signing requests tab, choose Paste PEM data, then Import All

paste server cert

9. Right-click the imported request and sign it with the RootCA we just built

sign server cert

10. Export the signed certificate in PEM (*.crt) format from the Certificates tab, and import it into the router under Certificate Management >> Local Certificate

import server cert

11. Go to VPN and Remote Access >> IPsec General Setup, and select the local certificate we just built under IKE Authentication Method >> Certificate

select vpn cert

12. Go to VPN and Remote Access >> IPsec Peer Identity and click an Index

  • Enable this Account
  • Select a verification method; here we use Accept Subject Alternative Name to verify the VPN peer's certificate

create ipsec peer

13. Go to VPN and Remote Access >> LAN to LAN, and click an Index

  • Enable this Profile and select Dial-In as Direction
  • Allow IPsec Tunnel, tick Digital Signature (X.509), then select the IPsec Peer Identity
  • Enter the LAN network of the VPN peer router in Remote Network IP/Mask

ipsec server

VPN Client Setting

14. Repeat steps 1~4 and 7~10 to build a certificate for the other VPN router

client cert

15. Go to VPN and Remote Access >> IPsec Peer Identity and click an Index

  • Enable this Account
  • Select a verification method; here we use Accept Subject Alternative Name to verify the VPN peer's certificate

client peer

16. Go to VPN and Remote Access >> LAN to LAN, and click an Index

  • Enable this Profile and select Dial-Out as Direction
  • Choose IPsec Tunnel as the dial type and enter the VPN server's address
  • Select Digital Signature (X.509), then choose the IPsec Peer Identity as Peer ID and the local certificate as Local ID
  • Enter the LAN network of the VPN peer router in Remote Network IP/Mask

VPN client

17. Go to VPN and Remote Access >> Connection Management, select the VPN profile and click Dial

connect VPN

Once the tunnel is up, it appears in the VPN Connection Status list below.

VPN up

Published On: 2019-12-10
