Use VPN management software to modify client access for certificate-based authentication. For the VPN gateway to trust mobile devices, you must add the certificate of the external CA in the VPN gateway and use the external CA to sign the device certificate of the VPN gateway.
The following sections describe how to accomplish the preceding tasks for each supported VPN gateway:
Nokia IP VPN Gateway
Nokia IP Security Platform
Cisco VPN 3000 Series Concentrator
Nokia IP VPN Gateway
Use VPN Manager to modify client access for certificate-based authentication:
To add the external CA in VPN Manager
To issue a device certificate for the IP VPN Gateway
To add the external CA in VPN Manager
1. In the SSM GUI, save the CA certificate of AutomaticCRS as a file.
Choose Services > Certificate Enrollment > AutomaticCRS > Edit > Properties > Protocol Properties > View > Save As and save the certificate as AutomaticCRS.cer.
2. In VPN Manager, import the CA certificate of AutomaticCRS.
Choose Edit > VPN Global Properties > Policy Configuration > Certification Authorities and click the right mouse button. Choose Import External Certification Authority > Browse and locate AutomaticCRS.cer.
3. Select AutomaticCRS to be used for IKE Authentication.
Choose Gateway > Properties > Client Access > IPSec Clients > Client Policy > Select Certification Authority for IKE authentication and select AutomaticCRS.
To issue a device certificate for the IP VPN Gateway
1. In VPN Manager, create a PKCS #10 certificate signing request:
a. Choose Gateway Properties > Certificates > Device Certificates > Request.
b. Select AutomaticCRS.cer and click Submit.
c. Click Export to save the certificate as AutomaticCRS.cer.
You can also click Copy to copy the certificate to the clipboard.
2. Use the SSM CLI enroll command to request certification from AutomaticCRS.
3. In VPN Manager, import the device certificate.
Choose Gateway Properties > Certificates > Device Certificates > Import and locate AutomaticCRS.cer.
Nokia IP Security Platform
Use Check Point SmartDashboard to modify client access for certificate-based authentication.
To modify client access to the IP security platform
1. Start the Check Point SmartDashboard software and choose Manage > Servers > New > Certificate Authority to import the CA certificate that the CA vendor issued for AutomaticCRS.
2. Choose Manage > Network Objects > Check Points, select the CustomerCluster gateway, and click Edit to edit the general properties of the gateway.
3. Add the device certificate of AutomaticCRS in the gateway properties:
a. Click VPN to specify settings for the VPN domain.
b. Click Add to add the RemoteAccess community to the list of VPN communities that the gateway participates in.
c. Click Add under Certificate List to open the Certificate Properties dialog box.
d. Select the external CA in the Certificate Authority list.
e. Click Generate to generate a certification request.
f. Type a distinguished name in the DN text field.
g. Select the Define Alternate Name option and click Add to add the IP address of the external interface of the Check Point gateway. Mobile VPN Client uses the IP address to locate the CA.
h. Click View to display the certification request. Copy and paste the certification request to a text editor and save it as a file.
i. Use the SSM CLI enroll command to request certification from AutomaticCRS.
j. In the Certificate Properties dialog box, click Get to get the certificate.
Note
If you do not use the NSSM internal CA any more, remove the device certificate of CompanyVPNCA from the gateway properties.
Note
Save the configuration. If the connection is cut before you save the configuration, you lose all the changes.
4. Use the vpn nssm_topology command on the SmartCenter Server to export MobileDeviceProfile to the SSM database.
Cisco VPN 3000 Series Concentrator
Use Cisco VPN 3000 Concentrator Series Manager to modify client access for certificate-based authentication:
To add the certificate of the external CA to the VPN gateway
To request a device certificate for the VPN gateway from the external CA
To modify client access
To modify the VPN policy for certificate-based authentication in the database
To add the certificate of the external CA to the VPN gateway
1. Start the Cisco VPN 3000 Concentrator Series Manager.
2. Choose Administration > Certificate Management > Click here to install a certificate > Install a CA certificate > Upload File from Workstation, and click Browse to locate AutomaticCRS.cer.
3. Click Install.
To request a device certificate for the VPN gateway from the external CA
1. Start the Cisco VPN 3000 Concentrator Series Manager.
2. Choose Administration > Certificate Management > Click here to enroll with a Certificate Authority > Enroll via PKCS10 Request (Manual).
3. Create a PKCS #10 certification request.
The common name (CN) appears in digital certificate lists. Enter the common name IdentityfromAutomaticCRS.
4. Click Enroll.
5. Use the SSM CLI enroll command to request certification from AutomaticCRS.
6. In the Cisco VPN 3000 Concentrator Series Manager, choose Administration > Certificate Management > Installation > Install certificate obtained via enrollment.
7. Click Install > Upload File from Workstation and click Browse to locate the certificate file.
8. Click Install.
The device certificate appears in the Certificate Manager in the Identity Certificates list.
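The enrollment step is the same for all three gateways: export a PKCS #10 request, have AutomaticCRS sign it, and import the returned certificate. The following check, an added example and not part of the SSM documentation, confirms before import that the returned device certificate chains to the external CA, carries the public key of the request's private key, and shows the expected common name. The file names, the helper that builds a throwaway CA to stand in for AutomaticCRS, and the rsa:2048 key size are assumptions for the example.

```shell
#!/bin/sh
# Added example, not SSM or gateway code. Verifies a device certificate returned
# by the external CA before it is imported into the VPN gateway.
set -eu

# check_device_cert CA_CERT DEVICE_CERT DEVICE_KEY EXPECTED_CN
# Returns 0 only if all three checks pass, 1 otherwise.
check_device_cert() {
    ca="$1"; cert="$2"; key="$3"; cn="$4"
    # 1. Chain: the device certificate must verify against the external CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # 2. Key match: the certificate's public key must belong to the private key
    #    that produced the PKCS #10 request (otherwise IKE signatures will fail).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # 3. Identity: the CN is what the gateway's certificate list will display.
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
        | grep -q "CN=$cn" || return 1
    return 0
}

# make_fixtures DIR: constructed test material only. Creates a throwaway CA
# (standing in for AutomaticCRS), a gateway key and request, the CA-signed
# device certificate, and an unrelated key that was never enrolled.
make_fixtures() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=AutomaticCRS-test" \
        -keyout "$dir/ca.key" -out "$dir/AutomaticCRS.cer" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=IdentityfromAutomaticCRS" \
        -keyout "$dir/gw.key" -out "$dir/gw.csr" 2>/dev/null
    openssl x509 -req -in "$dir/gw.csr" -CA "$dir/AutomaticCRS.cer" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 -out "$dir/gw.cer" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
}
```

Run `check_device_cert AutomaticCRS.cer <device.cer> <device.key> IdentityfromAutomaticCRS` against the real files; a non-zero exit means the certificate should not be imported.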
To modify client access
1. In the Cisco VPN 3000 Concentrator Series Manager, choose Configuration > Policy Management > Traffic Management > SAs, select CertificateSA, and click Modify to modify the IPSec security association for certificate-based authentication.
2. In IKE Parameters, select IdentityfromAutomaticCRS in the Digital Certificate list.
To modify the VPN policy for certificate-based authentication in the database
Enter the following command from the command line on the server:
policypush -uContentManager -p1XvT456y https://host_name[:port]
address=123.45.6.7 name=MobileDeviceProfile method=client-cert action=drop
internal_addr=true
ca_cert_1=directory/etc/CompanyVPNCA.cer ca_cert_2=directory/etc/AutomaticCRS.cer
Where host_name is the host name of the SSM Web server. You do not need to enter the port number if you use the default HTTPS port, 443.
SSM replaces the VPN policy called MobileDeviceProfile in the SSM database with the new policy.
Modifying Content
Map the enrollment service content information entry of the external CA to the user group to authorize the user group to enroll certificates from the external CA.
To modify content
1. In the SSM GUI main view, Settings pane, click Content Delivery > User Groups to open the User Groups view.
2. Search for and select AutomaticContentUpdateUserGroup.
3. Choose Edit > Map to Content and map the enrollment service content information entry for the AutomaticCRS external CA to the user group.