The Certificate Authority (CA) certificate used for the IPSec VPN is about to expire on our Smoothwall.
We have a large number of installs, so it will take too long to replace all the certificates.
Is there a way we can still use the old certificates?
For L2TP connections, a new CA and new certificates are needed: once the CA expires, L2TP connections will no longer connect. For authentication purposes you do not need to use the CA to verify the certificate. Instead of the CA, you can use the public key of the peer certificate; but for that to work, the public key of the peer certificate needs to be installed on the Smoothwall.
IPSec Subnet and Roadwarrior Connections
- Export the public key of certificate VPN1 as a PEM and import it on Smoothwall 2 — see https://help.smoothwall.net/Latest/Content/modules/tunnel/cgi-bin/vpn/cacertfile.htm
- Export the public key of certificate VPN2 as a PEM and import it on Smoothwall 1
- Change the Authenticate by option on both Smoothwalls to Certificate presented by peer — see https://help.smoothwall.net/Latest/Content/modules/tunnel/cgi-bin/vpn/subnets.htm and https://help.smoothwall.net/Latest/Content/modules/tunnel/cgi-bin/vpn/rw.htm
The VPN subsystem will now authenticate the connection by comparing the public key of the certificate presented by the peer with the imported one; validity dates are ignored, so neither the CA expiry nor the expiry of the peer certificate itself stops the tunnel from connecting. Trust now rests on the imported public key alone, so if a peer's key pair is ever replaced, its new public key must be exported and imported again.
Note: The certificate list shows the imported certificate, but its Key marker shows a red cross. This is because the private key is not present; we have only imported the public key of the certificate.
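The behaviour described above, as an added example that is not Smoothwall's own code: a standard-library Go program with constructed keys and certificates (names VPN1/VPN2 and the functions are assumed, not Smoothwall's). CA-style chain verification rejects a certificate once its dates have passed, while a comparison of the public key, which is assumed to be what the "Certificate presented by peer" option amounts to, still matches for the same key pair; it also checks that the PEM being imported really is a certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// newKey makes a peer key pair for the demo (a real peer's private key never leaves it).
func newKey() ed25519.PrivateKey {
	_, k, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return k
}
// certPEM issues a self-signed certificate for key with the given validity window and
// returns it PEM-encoded, the form the Smoothwall export produces.
func certPEM(key ed25519.PrivateKey, cn string, notBefore, notAfter time.Time) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil { panic(err) }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// parseCert accepts exactly one PEM CERTIFICATE block, so a private key or an empty file
// exported by mistake is caught before it would be imported.
func parseCert(p []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(p)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input is not a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}
// spkiFingerprint hashes the SubjectPublicKeyInfo; matching on it (assumed to be what peer-certificate mode does) ignores dates.
func spkiFingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}
// caStyleValid runs chain verification with the certificate as its own trust root; unlike
// key matching it enforces NotBefore/NotAfter, so an expired certificate fails here.
func caStyleValid(cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}
```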
Last updated: 23 August 2016
Author: Tanja