当前位置：网站首页>Pfsense configuring IPSec site to site tunneling using certificate authentication Guide

Pfsense configuring IPSec site to site tunneling using certificate authentication Guide

2022-04-21 20:12:00 【Iron Man】

stay pfSense Site to site IPsec VPN And routing Internet Configuration Guide in , This paper introduces how to configure by using shared key IPsec VPN And routing Internet The process of , In this paper , Using certificates to configure IPsec VPN Methods . Compared with the authentication method of pre shared key , Using certificate authentication will be relatively complex , But the security will be improved . Because the two methods are only different in Authentication , Therefore, this paper tries to simplify the narrative process , Unless otherwise indicated , Everything else goes with pfSense Site to site IPsec VPN And routing Internet The configuration guidelines are consistent .

If you need to further exchange your experience in firewall , You can join QQ Group 286850453 Discuss . Also welcome to pay attention to wechat public account ”pfSense A firewall ”, It is convenient to receive first-hand articles pushed in time .

Create certificate

At the site A And sites B Create a certification authority on (CA) And certificates . For the sake of distinguishing , Site A Dark theme , Site B The light color theme .

Site A

establish CA

Navigate to System > Certificate management ,CAs tab
Click on ” “ add to
The setting options are shown in the figure below ：

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate

Create certificate

Navigate to System > Certificate management , certificate tab
Click on ” “ add to
The setting options are shown in the figure below ：

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _02

Certificate Properties section , The certificate type is user certificate , Alternate name enter the host name and... Respectively IP Address (LAN Address ), This information will be in phase 1 Used for authentication in .

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _03

Site B

establish CA As shown in the figure below ：

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _04

Create the certificate as shown in the figure below ：

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _05

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _06

Import CA

For mutual authentication , The firewalls of the two sites need to import each other's CA.

1、 On two sites , Export the created... Separately CA. Click the icon shown in the figure below , export CA certificate .

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _07

2、 Import each other's CA. Navigate to System > Certificate management ,CAs tab , Click the Add button below , In the certificate source option , Choose to import an existing certification authority . Open the other party's certificate file with a text program , Copy the contents to the certificate data column , And click save .

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _08

After the save ,CAs Under tabs , There will be two sites CA Information . The following figure shows the site A And sites B Of CA list ：

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _09

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _10

The revision phase 1 Set up

Modify site A And sites B The stage of 1 Set up , Will propose ( authentication ) Change it to Mutual certificate( Mutual certificate ), And adjust the corresponding option settings . Adopt certification according to ID Different types , There are three ways of mutual authentication ：

1、 Use ANSI.1 Proprietary name . Use... In the certificate ANSI.1 Use proper names to authenticate each other .ANSI.1 The distinguished name can be viewed by clicking the certificate details icon in the certificate list , As shown in the figure below DN Later ：

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _11

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _12

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _13

2、 Use FQDN. Use when creating a certificate , Enter in the alternate name section of the certificate properties FQDN To authenticate .

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _14

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _15

3、 Use IP Address . Use when creating a certificate , Enter in the alternate name section of the certificate properties IP Address to authenticate .

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _16

pfSense Use certificate authentication configuration IPsec Site to site tunnel guide _pfsense ipsec certificate _17

The above three kinds of certification ID Type tested , Can be authenticated and connected normally , Use any one of them .

Using certificate authentication is compared with shared key authentication IPsec VPN One more tunnel is created CA And certificate process , The proposal ( authentication ) Options are set differently , in addition to , The other settings of the two are exactly the same , I won't go into that here .

版权声明
本文为[Iron Man]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/04/202204211832447667.html