Using Self-signed Certificates

This example shows how to use the PKI feature of the VPN function on a ZyXEL appliance. Through PKI, the two parties can identify each other during VPN/IPSec negotiation. For customers who have no CA service in their environment but would like to use PKI, the ZyWALL provides self-signed certificates for this purpose. As the name indicates, a self-signed certificate is a certificate signed by the device (the ZyWALL) itself. Each ZyWALL device has its own self-signed certificate by factory default. When you reset to the default configuration file, the original self-signed certificate is erased, and a new self-signed certificate is created at the first boot.

To use self-signed certificates in VPN negotiation, the procedure is as follows:

Step 1. Export Self-signed certificate from ZyWALL A & Import it to ZyWALL B
Step 2. Export Self-signed certificate from ZyWALL B & Import it to ZyWALL A
Step 3. Using Certificate in VPN on ZyWALL A
Step 4. Using Certificate in VPN on ZyWALL B

[Topology diagram]
LAN 1 (10.1.133.0/24) --- ZyWALL A (LAN: 10.1.133.1, WAN: 192.168.1.35) --- ZyWALL B (LAN: 192.168.2.1, WAN: 192.168.1.36) --- LAN 2 (192.168.2.0/24)


Step 1. Export Self-signed certificate from ZyWALL A & Import it to ZyWALL B

1. The ZyWALL keeps its own self-signed certificate by default, but the factory default self-signed certificates are the same on all ZyWALL models. To make the self-signed certificate unique to this device, replace the factory default certificate by pressing the Apply button on the following page the first time you log in to the ZyWALL.

2. Go to ZyWALL A, SECURITY->CERTIFICATES->My Certificates.

3. Click the Export button.

4. A File Download window pops up. Click the Save button and specify the location to save the exported certificate.

5. Go to ZyWALL B, SECURITY->CERTIFICATES->Trusted Remote Hosts -> click the Import button.

6. Specify the path of the file to which ZyWALL A's self-signed certificate was exported, then click the Apply button.

7. After the file has been transferred to ZyWALL B, ZyWALL A's self-signed certificate appears in the Trusted Remote Hosts tab.

Step 2. Export Self-signed certificate from ZyWALL B & Import it to ZyWALL A

1. ZyWALL B likewise keeps its own self-signed certificate by default, and the factory default self-signed certificates are the same on all ZyWALL models. Replace the factory default certificate on ZyWALL B as well, by pressing the Apply button on the same page the first time you log in.

2. Go to ZyWALL B, SECURITY->CERTIFICATES->My Certificates.

3. Click the Export button.

4. A File Download window pops up. Click the Save button and specify the location to save the exported certificate.

5. Go to ZyWALL A, SECURITY->CERTIFICATES->Trusted Remote Hosts -> click the Import button.

6. Specify the path of the file to which ZyWALL B's self-signed certificate was exported, then click the Apply button.

7. After the file has been transferred to ZyWALL A, ZyWALL B's self-signed certificate appears in the Trusted Remote Hosts tab.
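The following added example (a shell script using openssl, not ZyXEL's own tooling) models the certificate exchange of Steps 1 and 2: each device generates a fresh self-signed certificate, as point 1 of each step requires, and the peer vets an exported certificate before importing it as a Trusted Remote Host. It assumes openssl is installed; the factory-default fingerprint is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not ZyXEL's tooling. Two "ZyWALLs" each generate a fresh
# self-signed certificate, and the peer checks a received certificate file
# before trusting it.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_self_signed NAME CN: new key pair plus self-signed certificate for one device
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# fingerprint FILE: SHA-256 fingerprint, the value to compare out of band
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_peer_cert FILE DEFAULT_FP: succeed only if FILE is genuinely self-signed
# (issuer equals subject and the signature verifies with its own key) and its
# fingerprint differs from DEFAULT_FP, the fingerprint of the factory-default
# certificate shared by every unit (constructed placeholder below).
check_peer_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ] || return 1
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
  [ "$(fingerprint "$1")" != "$2" ] || return 1
}

gen_self_signed zywall_a "ZyWALL A"
gen_self_signed zywall_b "ZyWALL B"
# Constructed stand-in for the shared factory-default fingerprint
DEFAULT_FP="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"

# Each side vets the other's exported certificate before importing it
check_peer_cert "$WORK/zywall_a.crt" "$DEFAULT_FP" && echo "A's certificate accepted on B: $(fingerprint "$WORK/zywall_a.crt")"
check_peer_cert "$WORK/zywall_b.crt" "$DEFAULT_FP" && echo "B's certificate accepted on A: $(fingerprint "$WORK/zywall_b.crt")"
```

Compare the printed fingerprint with the one shown on the exporting ZyWALL's My Certificates page before clicking Apply on the import.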

Step 3. Using Certificate in VPN on ZyWALL A

1. Check Active to activate the VPN rule.
2. Give this VPN rule a Name, such as to_ZyWALLB.
3. Specify the Local network IP address: Address Type=Subnet Address, Starting IP Address=10.1.133.0, Ending IP Address/Subnet Mask=255.255.255.0.
4. Specify the Remote network IP address: Address Type=Subnet Address, Starting IP Address=192.168.2.0, Ending IP Address/Subnet Mask=255.255.255.0.
5. In Authentication Key, select Certificate and choose auto_generated_self_signed_cert.

6. You can further check the phase 1 and phase 2 settings by clicking the Advanced button.

Step 4. Using Certificate in VPN on ZyWALL B

1. Check Active to activate the VPN rule.
2. Give this VPN rule a Name, such as to_ZyWALLA.
3. Specify the Local network IP address: Address Type=Subnet Address, Starting IP Address=192.168.2.0, Ending IP Address/Subnet Mask=255.255.255.0.
4. Specify the Remote network IP address: Address Type=Subnet Address, Starting IP Address=10.1.133.0, Ending IP Address/Subnet Mask=255.255.255.0.
5. In Authentication Key, select Certificate and choose auto_generated_self_signed_cert.

6. You can further check the phase 1 and phase 2 settings by clicking the Advanced button.