Configure IPsec VPN Authority Settings

Before you begin

Create a Layer 2 IPsec VPN service. For more information, see About Server-Client Credentials.

About this task

The authentication mechanism between a VPN gateway and a VPN client operates in hybrid mode, which employs a combination of certificates and passwords for VPN peer authentication. Use this task to import certificates in PFX or DER formats, to import a pair of DER-formatted files, one containing a certificate and the other its accompanying private key, and convert their format from DER to PEM.
Note

Note

Extreme Networks VPN gateways do not support password-encrypted certificates.

For hybrid mode authentication, ExtremeCloud IQ distributes the certificates as follows:

  • VPN Certificate Authority: The CA certificate is loaded on VPN clients so that they can validate the server certificate that the VPN gateway presents.
  • VPN Server Certificate: The server certificate on the VPN gateway is used during IKE Phase 1 negotiations to authenticate itself to the VPN client.
  • VPN Server Cert Private Key: The private key accompanies the public key in the server certificate. This is also loaded on the VPN gateway.

Procedure

  1. If you do not have a certificate or key that you want to use, select Import.
  2. To import a PFX-formatted file, which contains a certificate and private key combined, and convert its format from PFX to PEM:
    1. Choose Select, navigate to and select the .PFX file.
    2. Select Convert the certificate format from PFX to PEM.
    3. Enter the password that was used to encrypt the PFX file.
    4. Select Import.
      Later, when you use the PEM-formatted file that contains both the certificate and private key, you must choose the same file as both the VPN Certificate and the VPN Cert Private Key.
  3. To import a pair of DER-formatted files, one containing a certificate and the other its accompanying private key, and convert their format from DER to PEM:
    1. Choose Select, navigate to and select the .DER file.
    2. Select Convert the certificate format from DER to PEM.
    3. Select the type of file you are importing; in this case, Certificate.
    4. Select Import.
    5. To import the private key file matching the public key in the certificate you just imported, repeat Steps a-c, but select Key for the file type.
    6. When importing a DER-formatted private key, enter the password used to encrypt the file.
    7. Select Import.
      When you choose the VPN Server Certificate and VPN Server Cert Private Key, make sure they correspond to each other.