To configure a client-to-site or site-to-site VPN with certificates issued by an external CA, you must create the following VPN certificates so that the VPN service can authenticate peers and clients.
Before You Begin
Use an external CA to create the certificates listed below. The root certificate is the trust anchor; the server and client certificates are end-entity certificates issued by that root. For an example using XCA, see How to Create Certificates with XCA.
X.509 certificate type | Installation location | File type | Chain of trust | X.509 extensions
---|---|---|---|---
Root certificate | VPN Settings on the firewall | PEM | Trust anchor |
Server certificate | VPN Settings on the firewall | PKCS12 | End instance |
Client certificate | Client operating system or VPN client | PKCS12 | End instance |
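Before creating these certificates in a GUI tool, it helps to see what a correct set looks like. The following script is an added example that is not Barracuda's or XCA's own tooling: it stands up a throwaway external CA with OpenSSL (1.1.1 or 3.x), issues the three certificates from the table above in the file types the firewall and the VPN client import, and then runs the checks worth doing before Step 2 (chain validation, private key matching the certificate, PKCS#12 opening with its passphrase). The CA name, VPN hostname, user name, CRL and OCSP URLs and the passphrase are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Barracuda's or XCA's own tooling. Names, URLs and the
# passphrase are assumptions; replace them with your own values.
set -eu

WORK="${WORK:-$(mktemp -d)}"                   # scratch directory (assumed)
P12PASS="${P12PASS:-changeit}"                 # PKCS#12 passphrase (assumed; use a real one)
VPN_HOST="${VPN_HOST:-vpn.example.com}"        # name clients connect to (assumed)
CRL_URI="http://pki.example.com/vpn-ca.crl"    # CRL distribution point (assumed)
OCSP_URI="http://pki.example.com/ocsp"         # OCSP responder (assumed)

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' >"$WORK/req.cnf"

# v3 extensions for an end-entity ("End instance") certificate.
# $1 = output file, $2 = extendedKeyUsage, $3 = subjectAltName
write_leaf_ext() {
  cat >"$1" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=$2
subjectAltName=$3
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
crlDistributionPoints=URI:$CRL_URI
authorityInfoAccess=OCSP;URI:$OCSP_URI
EOF
}

# Issue one end-entity cert under ca.key and bundle cert + key + root as PKCS#12.
# $1 = base name, $2 = subject CN, $3 = EKU, $4 = SAN
issue_leaf() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  write_leaf_ext "$WORK/$1.ext" "$3" "$4"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  # OpenSSL 3 exports with AES/PBKDF2 by default; if an importer rejects the
  # bundle, re-export with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1.
  openssl pkcs12 -export -name "$1" -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
    -certfile "$WORK/ca.pem" -passout "pass:$P12PASS" -out "$WORK/$1.p12"
}

make_vpn_certs() {
  # Root (trust anchor): self-signed, CA:TRUE, keyCertSign+cRLSign. ca.pem is what
  # goes into the Root Certificates tab; ca.key never leaves the CA host.
  openssl req -x509 -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 3650 -subj "/CN=Example VPN Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Server: serverAuth EKU, SAN = VPN hostname (IKEv2 peers compare their configured ID to it).
  issue_leaf server "$VPN_HOST" serverAuth "DNS:$VPN_HOST"
  # Client: clientAuth EKU, SAN = user identity.
  issue_leaf client "alice" clientAuth "email:alice@example.com"
}

# Leaf chains to the root and is valid for its purpose ($2 = sslserver | sslclient).
verify_leaf() {
  openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$WORK/$1.pem" >/dev/null
}

# The private key you are about to import really belongs to the certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/$1.key" -pubout)" ]
}

# The decoded certificate contains the given fixed string (EKU, SAN, CDP, AIA ...).
cert_has() {
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -qF "$2"
}

# The PKCS#12 bundle opens with the passphrase and carries a private key.
p12_has_key() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$P12PASS" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

make_vpn_certs
for leaf in server client; do
  key_matches_cert "$leaf"
  p12_has_key "$leaf"
done
verify_leaf server sslserver
verify_leaf client sslclient
echo "root: $WORK/ca.pem  server: $WORK/server.p12  client: $WORK/client.p12"
```

The `crlDistributionPoints` and `authorityInfoAccess` extensions are what Load paths from certificate in Step 1 reads, so leaf certificates issued without them leave nothing for the firewall to load. `server.pem` plus `server.key` serve the separate certificate and private-key imports in Step 2; `server.p12` is the single-file alternative the table lists, and `client.p12` goes to the client operating system or VPN client.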
Step 1. Install the Root Certificate
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings.
- Click Lock.
- Click the Root Certificates tab.
- Right-click the table and select Import PEM from File or Import CER from File.
- Select the file containing the root certificate and click Open. The Root Certificate window opens.
- Enter a Name. This is the name that is displayed for this certificate throughout the VPN configuration.
- Select the Usage.
- Barracuda Personal – Select to use this certificate for client-to-site VPN using the TINA protocol.
- IPsec Personal – Select to use this certificate for client-to-site VPN using the IPsec protocol.
- Barracuda Site-to-Site – Select to use this certificate for site-to-site VPN tunnels using the TINA protocol.
- IPsec Site-to-Site – Select to use this certificate for site-to-site VPN tunnels using the IPsec protocol.
- (optional) Click the Certificate revocation tab and configure the CRL host.
- Click Load paths from certificate to use the CRL distribution point information included in the certificate.
- You can also manually enter the URI, Login, and optional Proxy settings.
- (optional) Click the OCSP tab and configure the OCSP server.
- Host – Enter the DNS-resolvable hostname or IP address of the OCSP server.
- Port – Enter the listening port.
- Use SSL – Click to enable SSL.
- Phibs Scheme – Select ocsp. This allows you to use OCSP as a directory service.
- OCSP Server Identification – Select which certificate the signature on the OCSP response is validated against:
- This root certificate – The OCSP server certificate that signs the OCSP response was issued by this root certificate.
- Other root certificate – The OCSP server certificate that signs the OCSP response was issued by a different root certificate. Import that root certificate via the Other root setting.
- Explicit Server certificate – The OCSP response is signed by a self-signed certificate or another certificate that does not chain to a root you have imported. Import that X.509 certificate via the Explicit X.509 setting.
- Click OK.
The root certificate is now listed in the Root Certificates tab.
Step 2. Install the Server Certificate
Install the server certificate that was issued by the root CA imported in Step 1, together with its private key.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings .
- Click Lock.
- Click the Server Certificates tab.
- Import the server certificate.
- Right-click the table and select Import Certificate from File.
- In the Open window, select the server certificate file and click Open.
- Enter the Certificate Name, and then click OK. The certificate is now listed in the Server Certificates tab.
- Import the private server key.
- Right-click the server certificate and select Import Private Key From File.
- In the Open window, select the private server key file and then click Open.
- Click Send Changes and Activate.
Your server certificate appears with the private key under the Server Certificates tab.
Step 3. Create a Service Certificate/Key
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings .
- Click Lock.
- Click the Service Certificates/Keys tab.
- Right-click the table and select New Key.
- Enter a Key Name and click OK.
- Select the Key Length and click OK.
- Click Send Changes and Activate.
The new service key appears under the Service Certificates/Keys tab.
You now have the root certificate, the server certificate with its private key, and a service key for your VPN service. Depending on the Usage selected in Step 1, you can now configure your client-to-site or site-to-site VPN.