Westermo RedFox Series User Manual


Westermo OS Management Guide

Version 4.17.0-0

it is recommended to use SNTP/NTP (see sections 19.3.2, 19.5.2 (Web), and 19.7.22 (CLI)) as the date/time can be reset to Unix epoch (January 1, 1970) if left without power for some time.

4. Defining local and remote IKE identities: For Alice and Bob to identify each other using certificates, use of Distinguished Name (ID_DER_ASN1_DN) is recommended. As stated in section 35.1.2, the identity methods domain name (ID_FQDN), email (ID_USER_FQDN), and IP address (ID_IPV4_ADDR) are possible too, but they require the specific identity to be included as a subjectAltName in the certificate. E.g., if Bob wishes to identify himself as [email protected] (email style), his certificate needs to include "subjectAltName=email:[email protected]", and he should set "local-id email [email protected]" in his IPsec tunnel configuration. Correspondingly, Alice would set "remote-id email [email protected]" in her IPsec tunnel configuration.

For examples using Distinguished Name as identity, see sections 35.1.7.1 - 35.1.7.3.

Using "auto" for the local-id setting ("no local-id") together with certificate based authentication means that Alice will identify herself with the ID_DER_ASN1_DN method, and automatically extract her DN string value from her certificate.

Warning on using "auto" mode for "remote-id"

As of WeOS v4.17.0 use of "auto" mode for "remote-id" together with certificate authentication is discouraged. That option may change behaviour or even be removed in future versions of WeOS, thus its use will pose risks when doing future upgrades. (Use of "auto" mode with PSK authentication is fine, though).

Further details: when using certificates in WeOS v4.17.0, if Alice uses "auto" mode to identify Bob ("no remote-id") WeOS will expect Bob to identify himself using method:

• "ID_DER_ASN1_DN" when no peer IP address or domain name is set (she considers Bob to be a road-warrior ("no peer")). Furthermore, there will be no restriction on what DN string Bob presents as long as his certificate is valid and issued by a trusted CA.

• "ID_IPV4_ADDR" when a peer IP address or domain name is set (e.g., "peer 1.2.3.4"). Thus, in this case Bob would have to include the corresponding IP address in the certificate (e.g., "subjectAltName=IP:1.2.3.4")
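As an added illustration (not WeOS code and not an example from the manual), the following Python model encodes the remote-id matching rules this section describes for WeOS v4.17.0, including the subjectAltName requirement for the non-DN methods and what "auto" implies with and without a configured peer; the names Tunnel, PeerIdentity, expected_remote_id and accept_peer, and the sample addresses, are invented here.

```python
# Illustrative model (not WeOS code) of the remote-id matching rules described above
# for WeOS v4.17.0; Tunnel, PeerIdentity, accept_peer etc. are names invented here.
from dataclasses import dataclass, field
from typing import Optional

# IKE identity methods named in the text.
ID_DER_ASN1_DN, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR = (
    "ID_DER_ASN1_DN", "ID_FQDN", "ID_USER_FQDN", "ID_IPV4_ADDR")
# Non-DN methods must be backed by a matching subjectAltName entry in the certificate.
SAN_PREFIX = {ID_FQDN: "DNS:", ID_USER_FQDN: "email:", ID_IPV4_ADDR: "IP:"}

@dataclass
class Tunnel:
    """Alice's side: auth ("cert"/"psk"), optional 'peer', optional explicit 'remote-id'."""
    auth: str
    peer: Optional[str] = None             # None models "no peer" (road-warrior)
    remote_id: Optional[tuple] = None      # (method, value); None models "auto"

@dataclass
class PeerIdentity:
    """Bob's side: the IKE ID he presents plus the SANs of his valid, CA-issued cert."""
    method: str
    value: str
    san: set = field(default_factory=set)  # constructed, e.g. {"IP:1.2.3.4"}

def expected_remote_id(t: Tunnel) -> Optional[tuple]:
    """Identity Alice expects. 'auto' with certificates: any DN when no peer is set,
    otherwise ID_IPV4_ADDR equal to the configured peer address."""
    if t.remote_id is not None:
        return t.remote_id
    if t.auth != "cert":
        return None                        # auto + PSK: no certificate-derived expectation
    return (ID_DER_ASN1_DN, None) if t.peer is None else (ID_IPV4_ADDR, t.peer)

def accept_peer(t: Tunnel, bob: PeerIdentity) -> bool:
    """True if Bob's presented identity satisfies Alice's remote-id expectation,
    including the subjectAltName requirement for the non-DN methods."""
    exp = expected_remote_id(t)
    if exp is None:
        return True
    method, value = exp
    if bob.method != method:
        return False
    if method == ID_DER_ASN1_DN:
        return value is None or bob.value == value   # auto: any DN from a trusted CA
    return bob.value == value and SAN_PREFIX[method] + value in bob.san

if __name__ == "__main__":
    alice = Tunnel(auth="cert", peer="1.2.3.4")      # "peer 1.2.3.4", remote-id in auto mode
    print(accept_peer(alice, PeerIdentity(ID_IPV4_ADDR, "1.2.3.4", {"IP:1.2.3.4"})))  # True
```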

© 2015 Westermo Teleindustri AB

801
