Generating mobile peer identities

This section explains how to create mobile user identities

with mobile user accounts that have already been configured in the IPsec VPN reference directory (the firewall's internal LDAP directory in this example).

External PKIs

In the certification authority (CA) that manages the identities of IPsec mobile peers:

  1. Generate the identities of all IPsec mobile peers.
  2. Export these identities (certificate + private key).
  3. Download the identities of individual mobile peers on their workstations.

Internal PKIs (PKIs on an SNS firewall)

If the CA that manages the identities of mobile peers must be created

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Click on Add.
  3. Select Root authority or Sub-authority if this CA is under a root CA in your PKI.
    A wizard will automatically appear.
  4. Enter a Name (EAP- IKEv2 in this example).
    The ID will automatically be filled in with the name of the CA. This name can be changed.
  5. Enter the attributes of the authority:
    • Organization (O),
    • Organizational Unit (OU),
    • Locality (L),
    • State (ST),
    • Country (C).

EXAMPLE
Organization (O): Stormshield
Organizational unit (OU): Documentation
Locality (L): Lille
State (ST): Nord
Country (C): France.

  1. Click on Next.
  2. Enter then confirm the Password that protects the CA.
  3. You can enter a contact E-mail address for this CA.
  4. The default Validity suggested is 3650 days (recommended value).
    This value can be changed.
  5. Key type: SECP or BRAINPOOL key types are recommended.
  6. Select the Key size (bits).
  7. Click twice on Next.
    A summary of the information on the CA will be shown.
  8. Confirm by clicking on Finish.

If you wish to set this CA as the firewall's default CA:

  1. Select this CA,
  2. Click on Actions and select Set as default.

Creating the identity of the firewall for the IPsec VPN

If the identity of the firewall used for the IPsec VPN does not yet exist:

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the CA used for the IPsec VPN.
  3. Click on Add and select Server identity.
  4. In the Fully Qualified Domain Name (FQDN) field, enter the name of the peer (e.g., FW-EAP-IKEv2.stormshield.eu).
    The ID will automatically be filled in with the name of the peer. This name can be changed.
  5. Click on Next.
  6. Enter the password of the CA that signs this identity.
  7. Click on Next.
  8. Select a Validity duration in days (365 days suggested by default).
  9. Select the Key type: BRAINPOOL or SECP key types are recommended.
  10. Select a Key size.
  11. Click twice on Next.
    A summary of the identity will appear.
  12. Click on Finish to confirm the creation of the user identity.

Creating the identity of each peer

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the CA used for the IPsec VPN.
  3. Click on Add and select User identity.
  4. In the Common name (CN) field, enter the name of the peer (e.g., User1 EAP).
    The ID will automatically be filled in with the name of the peer. This name can be changed.
  5. Enter the e-mail address of the peer (user1@stormshield.eu in this example).
    6. NOTE
    This e-mail address must be the same as the one configured for the user account that is used for the EAP method (internal directory in this example).
  6. Click on Next.
  7. Enter the password of the CA that signs this identity.
  8. Click on Next.
  9. Select a validity duration in days (365 days suggested by default).
  10. Select the Key type: BRAINPOOL or SECP key types are recommended.
  11. Select a Key size.
  12. Click on Next.
    A summary of the identity will appear.
  13. Click on Finish to confirm the creation of the user identity.

Repeat this process for each mobile peer.

Exporting the identity of each peer

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the user identity to export.
  3. Click on Download: select Identity then In P12 format.
  4. In the Enter password field: create a password that will be used to protect the P12 file.
  5. Confirm the password.
  6. Click on Download certificate (P12).
  7. Save this file in P12 format on your workstation.
    This file will need to be imported on the user's workstation when the user's tunnel is being configured in SN VPN Client Exclusive.

Repeat this process to export the identity of each mobile peer.

Deleting the private keys of peer identities on the firewall (recommended)

Once the P12 file has been to imported on the peer's workstation, you are strongly advised to delete the private key of this peer's identity.

  1. Go to Configuration > Objects > Certificates and PKI.
  2. Select the identity of the peer whose private key you wish to delete.
  3. Click on Action: select Remove private key.
    The private key will then be immediately deleted.

Repeat this process for each affected peer.