Configure IPsec VPN Authority Settings

First, create or edit a Layer 2 IPsec VPN service. For more information, see Configure Layer 2 IPsec VPN Services.

The authentication mechanism between a VPN gateway and a VPN client operates in hybrid mode, which employs a combination of certificates and passwords for VPN peer authentication. Use this task to import certificates in PFX or DER formats, to import a pair of DER-formatted files, one containing a certificate and the other its accompanying private key, and convert their format from DER to PEM.
Note

Note

Default certificates are intended to be used for testing only.

Extreme Networks VPN gateways do not support password-encrypted certificates.

For hybrid mode authentication, ExtremeCloud IQ distributes the certificates as follows:

  • VPN Certificate Authority: The CA certificate is loaded on VPN clients so that they can validate the server certificate that the VPN gateway presents.
  • VPN Server Certificate: The server certificate on the VPN gateway is used during IKE Phase 1 negotiations to authenticate itself to the VPN client.
  • VPN Server Cert Private Key: The private key accompanies the public key in the server certificate. This is also loaded on the VPN gateway.

This task is part of the network policy configuration workflow. Use this task to configure IPsec VPN Authority settings.

  1. Go to Configure > Network Policies.
  2. Select an existing network policy, and then select Edit, or select Add.
  3. After you save the Policy Details, select 5 Branch Routing.
  4. From the Router Settings menu, select VPN Service.
  5. In the Optional Settings section, expand IPsec VPN Authority Settings.
  6. If you do not have a certificate or key that you want to use, select Import.
  7. To import a PFX-formatted file, which contains a certificate and private key combined, and convert its format from PFX to PEM:
    1. Choose Select, navigate to and select the .PFX file.
    2. Select Convert the certificate format from PFX to PEM.
    3. Enter the password that was used to encrypt the PFX file.
    4. Select Import.
      Later, when you use the PEM-formatted file that contains both the certificate and private key, you must choose the same file as both the VPN Certificate and the VPN Cert Private Key.
  8. To import a pair of DER-formatted files, one containing a certificate and the other its accompanying private key, and convert their format from DER to PEM:
    1. Choose Select, navigate to and select the .DER file.
    2. Select Convert the certificate format from DER to PEM.
    3. Select the type of file you are importing; in this case, Certificate.
    4. Select Import.
    5. To import the private key file matching the public key in the certificate you just imported, repeat Steps a-c, but select Key for the file type.
    6. When importing a DER-formatted private key, enter the password used to encrypt the file.
    7. Select Import.
      When you choose the VPN Server Certificate and VPN Server Cert Private Key, make sure they correspond with each other.
For information about Optional Settings > Server-Client Credentials, see Server-Client Credentials.
9038986-00 Rev AA