Use VPN management software to generate a client profile for an entire group of clients, such as all mobile devices. Distribute the same client profile to all users in the group. Mobile VPN Client uses online certificate enrollment to request VPN certificates from a CA.
For the VPN gateway to trust the certificates of the mobile devices, you must add the certificate of the SSM internal CA to the VPN gateway. For Mobile VPN Client to trust the VPN gateway, you use the SSM internal CA to sign the device certificate of the VPN gateway.
Create a client profile for online certificate enrollment and export it to the SSM database.
The following sections describe how to accomplish the preceding tasks for each supported VPN gateway:
Nokia IP VPN Gateway
Nokia IP Security Platform
Cisco VPN 3000 Series Concentrator
Nokia IP VPN Gateway
Use VPN Manager to configure client access for certificate-based authentication:
To add the SSM internal CA as an external CA in VPN Manager
To issue a device certificate for IP VPN Gateway
To configure client access for certificate-based authentication
To configure mobile devices
To add the SSM internal CA as an external CA in VPN Manager
1. In the SSM GUI, save the CA certificate of CompanyVPNCA as a file or copy the certificate to the clipboard.
Choose Services > Certificate Enrollment > CompanyVPNCA > Edit > Properties > Protocol Properties > View > Save As and save the certificate as CompanyVPNCA.cer.
2. In VPN Manager, import the CA certificate of CompanyVPNCA:
a. Choose Edit > VPN Global Properties > Policy Configuration > Certification Authorities.
b. Click the right mouse button in the Certification Authorities pane.
c. Choose Import External Certification Authority, click Browse and locate CompanyVPNCA.cer, or paste the certificate from the clipboard.
3. Select CompanyVPNCA to use for IKE Authentication:
a. Choose Gateway > Properties > Client Access > IPSec Clients > Client Policy.
b. In the Select Certification Authority for IKE authentication list, select CompanyVPNCA.
4. Choose Actions > Apply Changes to apply the changes to the gateway configuration.
To issue a device certificate for IP VPN Gateway
1. In VPN Manager, create a PKCS #10 certificate signing request:
a. Choose Gateway > Properties > Certificates > Device Certificates > Request.
b. In the Select Certification Authority to request certificate from list, select CompanyVPNCA and click Submit.
c. Click Export to save the request as device.p10.
You can also click Copy to copy the certificate to the clipboard.
2. In the SSM GUI, import the certificate request for signing.
a. Choose Services > Certificate Enrollment > CompanyVPNCA > Certificates issued by CompanyVPNCA > Edit > Create New > Import PKCS #10 file > Browse and locate device.p10.
You can also paste the certificate to the field.
b. Specify a lifetime for the certificate in years.
Specify long lifetimes for device certificates. If the device certificate expires, Mobile VPN Client cannot authenticate the IP VPN Gateway and connections fail.
c. Click Export to save the certificate as device.cer.
3. In VPN Manager, import the device certificate.
Choose Gateway Properties > Certificates > Device Certificates > Import and locate device.cer.
4. Choose Actions > Apply Changes to apply the changes to the gateway configuration.
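The request, sign and import steps above are performed in the VPN Manager and SSM GUIs. The following script is an added example, not part of the Nokia documentation or the SSM product: it reproduces the same flow with OpenSSL so that an administrator can check a device certificate before importing it into the gateway, and it adds the expiry check that the warning about device certificate lifetimes calls for. The CA and gateway names, the working directory and the key sizes are assumptions for the demonstration; CompanyVPNCA, device.p10 and device.cer follow the names used on this page.

```shell
#!/bin/sh
# Added example (not Nokia/SSM code): CSR -> CA signature -> verification with OpenSSL.
# Assumptions: a throwaway CA stands in for the SSM internal CA "CompanyVPNCA";
# the gateway subject name and the work directory are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA standing in for the SSM internal CA. Its certificate is what
# "To add the SSM internal CA as an external CA" imports into VPN Manager.
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=CompanyVPNCA" \
        -keyout "$WORK/ca.key" -out "$WORK/CompanyVPNCA.cer" 2>/dev/null
}

# Step 1 of the page: the gateway produces a PKCS #10 request (device.p10).
make_device_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=vpn-gateway.example.com" \
        -keyout "$WORK/device.key" -out "$WORK/device.p10" 2>/dev/null
}

# Step 2: the CA signs the request. $1 = lifetime in years; the page
# recommends long lifetimes because an expired device certificate makes
# every Mobile VPN Client connection fail.
sign_device_cert() {
    years="$1"
    openssl x509 -req -sha256 -days $((years * 365)) \
        -in "$WORK/device.p10" \
        -CA "$WORK/CompanyVPNCA.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/device.cer" 2>/dev/null
}

# Pre-import check: does device.cer chain to CompanyVPNCA? Prints OK or FAIL.
verify_device_cert() {
    if openssl verify -CAfile "$WORK/CompanyVPNCA.cer" "$WORK/device.cer" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Expiry check for monitoring: prints "expires-soon" when device.cer expires
# within $1 days, otherwise "valid". Schedule renewal well before this fires.
expiry_status() {
    days="$1"
    if openssl x509 -in "$WORK/device.cer" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo valid
    else
        echo expires-soon
    fi
}

# Run the whole flow when invoked as: sh issue_device_cert.sh demo
if [ "${1:-}" = "demo" ]; then
    make_demo_ca
    make_device_csr
    sign_device_cert 10
    echo "chain check: $(verify_device_cert)"
    echo "expiry (30-day window): $(expiry_status 30)"
    echo "artifacts in $WORK"
fi
```

Run it with `sh issue_device_cert.sh demo`; the chain check must print OK before device.cer is worth importing, and the expiry check is the one to put on a monitoring schedule so the gateway certificate is renewed before Mobile VPN Client connections start failing.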
To configure client access for certificate-based authentication
1. Configure IP VPN Gateway to allow certificate-based authentication:
a. In VPN Manager, choose Gateway > Properties > Client Access > IPSec Clients > Client Access.
b. In Certificate Clients, check the Allow clients to connect using certificate based authentication box.
c. Click New to create the *@internal.com client access filter.
2. Configure IP VPN Gateway to use CRL retrieval and SCEP for online certificate enrollment:
a. Choose Edit > VPN Global Properties > Policy Configuration > Certification Authorities > Edit > Properties > Settings to open the CRL/SCEP Configuration dialog box.
b. In the Certificate Revocation List group, check the Enable on-line CRL retrieval box.
c. In the CRL Distribution Point group, check the CRL DP is found in this certificate or CRL DP is found in subordinate certificate box.
3. If you use IP VPN Gateway v6.1 or v6.2, perform the following additional steps:
a. In the On-line Certificate Enrollment group, check the Enable on-line certificate enrollment (SCEP) box.
b. In the HTTP URL text field, type the CA URL of the SSM EGW entity:
http://host_name/nssm/pki/scep/
where host_name is the host name or IP address of the SSM Web server.
c. In the CA Entity Name field, enter CompanyVPNCA.
4. Choose Actions > Apply Changes to apply the changes to the gateway configuration.
To configure mobile devices
1. Click the Remote Clients tab and select MobileDeviceProfile.
2. Choose Profile > Properties to modify the profile to use certificate-based authentication.
3. In Gateway Access Filters, select MobileDeviceAccessFilter and click Edit to modify the gateway access filter:
a. In the Use authentication method group, select Certificates.
b. In the Select client access rights by client identity list box, select the *@internal.com domain.
4. If you use IP VPN Gateway v6.1 or v6.2, perform the following additional steps:
a. In the Certificate Request Information group, check the Enable on-line certificate enrollment box.
b. In the Domain text box, enter the same domain name as in step 3.
5. Click Profile > Export Profiles to Nokia Security Service Manager to export the profile to SSM.
6. Use the SSM content manager account to log on to SSM.
Nokia IP Security Platform
Use the Check Point SmartDashboard software to create an external profile for certificate-based authentication.
To create an external user profile for certificate-based authentication
1. Start the Check Point SmartDashboard software.
2. Choose New > External User Profile > Match by domain to open the External User Profile Properties dialog box.
3. Give the external user profile the name MobileDeviceProfile.
4. In the Domain Name matching definitions group, check the Free format and Domain Name boxes and enter a domain name for the user.
The VPN policy inherits the domain name and SSM uses the domain name to authorize certification requests.
If you use this domain name when you specify self-provisioning rules in SSM, use the same case (uppercase or lowercase) in both SmartDashboard and the SSM GUI or CLI.
In this example, the domain name is customer.com.
5. Click the Authentication tab and select Undefined in the Authentication Scheme list.
6. Click the Encryption tab and select IKE as the client encryption method.
7. Click Edit to edit IKE settings and check the Public Key box.
8. Click the Groups tab and add the MobileDeviceUserGroup to the Belongs to Groups box.
Cisco VPN 3000 Series Concentrator
First use the Cisco VPN 3000 Concentrator Series Manager to configure client access for certificate-based authentication. Then use the policy push command to add a VPN policy for certificate-based authentication to SSM.
To configure client access for certificate-based authentication
1. Start the Cisco VPN 3000 Concentrator Series Manager.
2. Choose Configuration > Tunneling and Security > IPSec > IKE Proposals > Add to define an IKE proposal:
a. Give the proposal the name IKE-3DES-SHA1-RSAcert.
b. Select RSA Digital Certificate in the Authentication Mode list.
c. Enter values for the other fields.
d. Click Add.
e. Move the proposal to the Active Proposals list and set it as the first proposal in the list.
For more information about the settings that Mobile VPN Client supports, see the Nokia Security Service Manager Administration Guide.
3. Choose Configuration > Policy Management > Traffic Management > SAs > Add to define an IPSec security association for certificate-based authentication:
a. Give the security association the name CertificateSA.
b. In IPSec Parameters, select the following values to match the default configuration in the policy push templates:
In the Authentication Algorithm list, select ESP/SHA/HMAC-160.
In the Encryption Algorithm list, select AES-256.
c. In IKE Parameters:
In the Digital Certificate list, select the common name of an identity certificate that CompanyVPNCA signed.
In the Certificate transmission group, select the Identify certificate only option.
In the IKE Proposal list, select IKE-3DES-SHA1-RSAcert.
4. Choose Configuration > User Management > Groups > Add Group to create a user group for certificate-based authentication:
a. Give the user group the name CertificateGroup.
b. Enter a password in the Password field.
c. Select Internal in the Type list.
d. Click the IPSec tab and select CertificateSA in the IPSec SA list.
e. To enable the IKE peer identity validation feature, select Required in the IKE Peer Identity Validation list.
If the certificate of a peer does not provide sufficient information to perform an identity check, the VPN gateway drops the tunnel.
f. Check the IKE Keepalives box to enable the VPN gateway to monitor the continued presence of Mobile VPN Client and to report its own presence to Mobile VPN Client.
g. Select Remote Access in the Tunnel Type list.
h. Select None in the Authentication list.
i. Select Common Name (CN) in the DN Field box.
j. Uncheck the Mode Configuration box.
k. Optionally, click the Client Config tab to specify settings for split tunneling:
In the Split Tunneling Policy section, select the Only tunnel networks in the list option.
In the Split Tunneling Networks List, select Protected Network.
5. Click Add.
6. Save the changes.
7. Choose Configuration > Policy Management > Group Matching > Policy to configure the policy for certificate group matching.
8. Check the Default to Group box and select CertificateGroup in the Default to Group list.
To use SSM policy push
Enter the following command in the SSM server to add a VPN policy for certificate-based authentication to SSM:
policypush -uContentManager -p1XvT456y https://host_name[:port]
address=123.45.6.7 name=MobileDeviceProfile method=client-cert action=drop
internal_addr=true
ca_cert_1=directory/etc/CompanyVPNCA.cer
where host_name is the host name of the SSM Web server. You do not need to enter the port number if you use the default HTTPS port, 443.
SSM replaces the VPN policy called MobileDeviceProfile in the SSM database with the new policy.