...
1.1.1) Use a browser to connect to the Unified Firewall, switch to the menu Certificate Management → Certificates and click on the “+” icon to create a new certificate.
1.1.2) First, create a CA (Certificate Authority). Modify the following parameters for it and then click Create:
- For the Certificate type, select Certificate.
- Certificate Authority must be selected as the template.
- Enter any Common Name.
- Assign any private key password.
- Set a validity period.
- You can leave the settings Encryption Algorithm, Key Size and Hash Algorithm in the default
- Type: From the drop-down menu, select the option CA for VPN/web-server certificate.
- Private Key Encryption: Make sure that the option RSA is selected.
- Private Key Size: From the drop-down menu, select the option 4096 bit.
- Common Name (CN): Set a descriptive common name for the CA (in this example IKEv2_CA).
- Validity: Select a validity period for this CA. A CA usually requires a long period of validity, which is why it is set to 5 years in this example.
- Private key password: Set a password for the private key. This is used to encrypt the private key.
1.1.3) Next, create a VPN certificate for the headquarters. Modify the following parameters for it and then click Create:
- For the Certificate type, select Certificate.
- Certificate must be selected as the template.
- Assign any private key password.
- Set a validity period.
- Select the VPN CA from
- Type: From the drop-down menu, select the option VPN certificate.
- Signing CA: From the drop-down menu, select the CA created in step 1.1.2 .
- Private Key Encryption: Make sure that the option RSA is selected.
- Private Key Size: From the drop-down menu, select the option 4096 bit.
- Common Name (CN): Set a descriptive common name for certificate at the headquarters (in this example IKEv2_Headquarter).
- Validity: Select a validity period for this certificate. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
- as the "Signing CA".
- In the CA password field, enter the password that you assigned CA password: Enter the private key password set in step 1.1.2.Private key password: Set a password for the private key. This is used to encrypt the private key of the VPN certificate
- You can leave the settings Encryption Algorithm, Key Size and Hash Algorithm in the default.
1.1.4) Next, create a VPN certificate for the branch office. Modify the following parameters for it and then click Create:
- For the Certificate type, select Certificate.
- Certificate must be selected as the template.
- Assign any private key password.
- Set a validity period.
- Select the VPN CA from step 1.1.2 as the "Signing CA".
- In the CA password field, enter the password that you assigned
- Type: From the drop-down menu, select the option VPN certificate.
- Signing CA: From the drop-down menu, select the CA created in step 1.1.2.
- Private Key Encryption: Make sure that the option RSA is selected.
- Private Key Size: From the drop-down menu, select the option 4096 bit.
- Common Name (CN): Set a descriptive common name for certificate at the branch office (in this example IKEv2_Office).
- Validity: Select a validity period for this CA. A VPN certificate for a site-to-site VPN connection usually requires a long period of validity, which is why it is set to 5 years in this example.
- CA password: Enter the private key password set in step 1.1.2.Private key password: Set a password for the private key. This is used to encrypt the private key of the VPN certificate
- You can leave the settings Encryption Algorithm, Key Size and Hash Algorithm in the default.
1.1.5) Under Certificate management, go to the certificate of the branch office and click the export button.
...
3.1) Open the configuration for the router in LANconfig and switch to the menu item IP router → Masq. → Port forwarding table.
3.2) Enter the following parameters:
...