IPsec VPN with X.509 Authentication from Windows to Vigor3900/2960 by Smart VPN Client

Vigor3900 can act as a CA server, and we can use that feature to generate and sign an X.509 certificate for a PC, which then authenticates an IPsec tunnel with the router. The steps below show how to do this in three parts.

Part A: Certificate Generation and Import

1. On the Online Status page, check that the current System Time of Vigor3900 matches the time on the PC (certificate validity periods are checked against it).

a screenshot of Vigor3900 Device Information

2. Open Certificate Management >> Trusted CA Certificate, click Build RootCA.

a screenshot of Vigor3900 Trusted CA

3. An Add Success message appears, and the RootCA certificate is then listed on the Trusted CA page.

a screenshot of Vigor3900 Trusted CA list

4. Open Certificate Management >> Local Certificate page, click Generate to create a local certificate.

a screenshot of Vigor3900 Local Certificate settings

5. An Add Success message appears, and the local certificate is then listed on the Local Certificate page.

a screenshot of Vigor3900 Local Certificate List

6. Open Certificate Management >> Local Certificate page, click Generate to create a certificate for the PC.

a screenshot of Vigor3900 Local Certificate

7. Select the certificate for PC and then click Download.

a screenshot of Vigor3900 Local Certificate List

8. Select PKCS12 Certificate as the format, input the PKCS12 Password, and then click Download. The certificate (with its private key) is saved to the PC with the filename pc.p12.

a screenshot of Vigor3900 Local Certificate Export

9. Delete the certificate for PC on the Local Certificate page.

a screenshot of Vigor3900 removing Local Certificate

10. Upload the downloaded PKCS12 Certificate pc.p12 to Vigor3900 via the Certificate Management >> Remote Certificate page.

a screenshot of importing local certificate to Vigor3900

11. Make sure the certificate status is OK.

a screenshot of Vigor3900 Remote Certificate

12. Open Certificate Management >> Trusted CA Certificate to download the Trusted CA Certificate in PKCS12 format from Vigor3900 to the PC. The Trusted CA certificate file is saved with the filename RootCA.p12.

a screenshot of downloading Trusted CA from Vigor3900

13. Run mmc on the Windows PC to open the management console. Select the Certificates snap-in and then click Add.

  1. The Certificates snap-in wizard pops up; select Computer account, then click Next.
     a screenshot of Windows Certificates Snap-in
  2. Select Local computer and click Finish.
     a screenshot of Windows Certificates snap-in
  3. The Certificates snap-in has been added successfully.
     a screenshot of Windows Certificate Snap-in

14. Import the certificate pc.p12 as a Personal certificate.

  1. In Personal, right-click on Certificates and then click All Tasks >> Import...
     a screenshot of Windows Console
  2. When the Certificate Import Wizard starts, click Browse to select the PC certificate we downloaded from Vigor3900, then click Next.
     a screenshot of Windows Certificate Import Wizard
  3. Type the password for the private key, and then click Next.
     a screenshot of Windows Certificate Import Wizard
  4. Select Place all certificates in the following store, choose "Personal", then click Next.
     a screenshot of Windows Certificate Import Wizard
  5. Click Finish to complete the Certificate Import Wizard.
     a screenshot of Windows Certificate Import Wizard
  6. The certificate pc is now listed under Personal >> Certificates.
     a screenshot of Windows Console

15. Import the certificate RootCA.p12 as a Trusted Root certificate.

  1. In Trusted Root Certification Authorities, right-click on Certificates and then click All Tasks >> Import...
     a screenshot of Windows Console
  2. When the Certificate Import Wizard starts, click Browse to select the RootCA certificate we downloaded from Vigor3900, then click Next.
     a screenshot of Certificate Import Wizard
  3. Type the password for the private key, and then click Next.
     a screenshot of Windows Certificate Import Wizard
  4. Select Place all certificates in the following store, choose "Trusted Root Certification Authorities", then click Next.
     a screenshot of Windows Certificate Import Wizard
  5. Click Finish to complete the Certificate Import Wizard.
     a screenshot of Windows Certificate Import Wizard
  6. The certificate 3900vivian is now listed under Trusted Root Certification Authorities.
     a screenshot of Windows Console Trusted Root CA list
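As an added example that is not part of the DrayTek article: the Windows-side import of steps 13 to 15 done in PowerShell instead of the mmc wizard, followed by checks the wizard does not perform (validity against the PC clock from step 1, the chain from pc to the RootCA, presence of the private key, and the Subject Alternative Name that decides which Remote ID type in Part B can match). The file paths are placeholders, and the PKI module (Windows 8 / Server 2012 or later) and an elevated shell are assumed.

```powershell
# Added example, not the article's own procedure. Assumptions: PKI module present,
# elevated shell, and the two paths below are placeholders for the files from steps 8 and 12.
$pcPfx  = 'C:\certs\pc.p12'       # placeholder: PC certificate downloaded in step 8
$caPfx  = 'C:\certs\RootCA.p12'   # placeholder: Trusted CA downloaded in step 12
$pcPass = Read-Host -Prompt 'PKCS12 password for pc.p12' -AsSecureString
$caPass = Read-Host -Prompt 'PKCS12 password for RootCA.p12' -AsSecureString

# Step 14: the PC certificate and its private key go into the computer's Personal store.
$pc = Import-PfxCertificate -FilePath $pcPfx -CertStoreLocation Cert:\LocalMachine\My -Password $pcPass
# Step 15: the router's CA certificate goes into Trusted Root Certification Authorities.
$ca = Import-PfxCertificate -FilePath $caPfx -CertStoreLocation Cert:\LocalMachine\Root -Password $caPass

# Step 1 is why this matters: both certificates must be valid at the PC's current time.
$now = Get-Date
foreach ($c in @($pc, $ca)) {
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        Write-Warning "$($c.Subject) is not valid at $now (valid $($c.NotBefore) .. $($c.NotAfter)); check the clocks."
    }
}

# The PC certificate must chain to the imported RootCA. The Vigor CA publishes no CRL,
# so revocation checking is disabled here; otherwise Build() reports RevocationStatusUnknown.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($pc)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain problem: $($_.StatusInformation)" }
}
if ($pc.Issuer -ne $ca.Subject) { Write-Warning "pc.p12 was not issued by $($ca.Subject)" }
if (-not $pc.HasPrivateKey)     { Write-Warning 'pc.p12 imported without a private key; the client cannot authenticate' }

# The Subject Alternative Name decides which Remote ID type (IP, Domain Name, Email) Part B can use.
$san = $pc.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { "SAN of pc certificate:`n" + $san.Format($true) }
else      { 'No SAN present: only the Accept Any or Certificate Remote ID types will match' }

"Imported pc     thumbprint $($pc.Thumbprint)"
"Imported RootCA thumbprint $($ca.Thumbprint)"
```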

Part B: Create IPsec VPN Profile on Vigor3900 for PC to Dial-In

Open VPN and Remote Access >> VPN Profiles, select IPsec and then click Add to create a new VPN profile:

  1. Select "Enable" for Remote Dial-In User.
  2. Input Vigor3900's local IP address and subnet mask.
  3. Specify the Remote Host IP. If the remote host has a dynamic IP, use 0.0.0.0.
     a screenshot of Vigor3900 IPsec profile
  4. Select "RSA" for Auth Type.
  5. Leave the Local Certificate and Local ID fields at their defaults (they are not used for IPsec Remote Dial-In).
  6. In the Remote ID field, there are five types:
     • Accept Any means connections are accepted as long as the remote certificate has the same issuer.
     • Subject Alternative Name: IP means connections are accepted when the IP in the Subject Alternative Name matches. (The remote certificate must be generated with the IP ID Type.)
     • Subject Alternative Name: Domain Name means connections are accepted when the Domain Name in the Subject Alternative Name matches. (The remote certificate must be generated with the Domain Name ID Type.)
     • Subject Alternative Name: Email means connections are accepted when the Email matches. (The remote certificate must be generated with the Email ID Type.)
     • Certificate means connections are accepted only with the exact certificate selected in the Remote Certificate field.
     a screenshot of Vigor3900 Local Certificate
  7. In Remote Certificate, select the certificate "pc".
  8. Apply the settings.
     a screenshot of Vigor3900 IPsec profile

Part C: Use Smart VPN Client to Dial IPsec VPN to Vigor3900

1. Run Smart VPN Client and click Insert to add a VPN profile.

a screenshot of Smart VPN Client

2. In Dial to VPN window:

  1. Input a Profile Name.
  2. Select "IPsec Tunnel" for Type of VPN.
  3. Enter Vigor3900's IP or hostname in VPN Server IP or Host Name.
  4. Click OK.
     a screenshot of Smart VPN Client VPN profile

3. In IPsec Policy Setting window,

  1. Select "Standard IPsec Tunnel" for Type of IPsec, and then input the Remote Subnet and Remote Subnet Mask (the LAN network of Vigor3900).
  2. For Key-exchange Method, select "DH Group 2".
  3. Select "ESP" and "3DES with MD5" as the Security Method.
  4. For the Authentication Method, select "Certificate Authentication" and then click Browse to choose a certificate.
  5. Select the trusted CA we imported and click OK.
  6. Click OK to save the settings.
     a screenshot of Smart VPN Client IPsec profile

4. Click Activate. The Dial to VPN window pops up; click OK.

a screenshot of Smart VPN Client Dial IPsec VPN

5. Ping Vigor3900's LAN IP from the PC to trigger the IPsec tunnel. Replies from that IP mean the IPsec tunnel is up.

a screenshot of Windows command prompt executing ping

6. The IPsec connection status can also be seen on Vigor3900 on the VPN and Remote Access >> Connection Management page.

a screenshot of Vigor3900 VPN Connection Management page

Published On: 2016-01-22