Digi Quick Note 054 User Manual

Quick Note 054

Digi TransPort to Cisco VPN Tunnel using

OpenSSL certificates.

February 2021

Contents

1 Introduction ............................................................................................................................................... 3

1.1 Outline ............................................................................................................................................... 3

1.2 Assumptions ...................................................................................................................................... 3

1.3 Corrections ........................................................................................................................................ 3

2 Version ....................................................................................................................................................... 3

3 certificates creation ................................................................................................................................... 4

If you already have certificates available, you can skip to section 3.2 .......................................................... 4

3.1 Generate Test certificates using OpenSSL and XCA .......................................................................... 4

3.1.1 Create a Root CA Certificate ...................................................................................................... 4

3.1.2 Create a CA-Signed Host Certificate (Cisco Router, Responder) ............................................... 7

3.1.3 Create a CA-Signed Client Certificate (Digi TransPort WR, initiator) ......................................... 9

3.1.4 Export the certificates and keys in .PEM format ..................................................................... 11

4 Digi transport configuration .................................................................................................................... 14

4.1 Upload SSL certificates to the Digi TransPort WR (initiator) ........................................................... 14

4.1.1 Upload the certificates via FTP ................................................................................................ 14

4.1.2 Upload the certificates via the Web GUI ................................................................................. 15

4.2 Configure the VPN Tunnel settings on the Digi TransPort WR (Initiator). ...................................... 16

5 Cisco configuration .................................................................................................................................. 19

5.1 Import the certificates and private key ........................................................................................... 19

5.1.1 Create a trustpoint for the CA root certificate ........................................................................ 19

5.1.2 Import the CA root certificate in the previously created trustpoint with copy and paste ...... 19

5.1.3 Create a trustpoint for the public certificate and the private key .......................................... 20

5.1.4 Import the public certificate in the previously created trustpoint with copy and paste ........ 20

5.2 Configure the tunnel........................................................................................................................ 21

6 Testing ..................................................................................................................................................... 22

6.1 Confirm Traffic Traverses the IPSec Tunnels ................................................................................... 23

7 Configuration files ................................................................................................................................... 24

1 INTRODUCTION

1.1 Outline

Internet

Server

Client

Digi

Transport

Cisco router

This document describes how to create, upload SSL certificates and configure Digi TransPort WR and Cisco routers to build an IPsec VPN tunnel.

1.2 Assumptions

This guide has been written for use by technically competent personnel with a good understanding of the communications technologies used in the product and of the requirements for their specific application. It also assumes a basic ability to access and navigate a Digi TransPort router.

This application note applies only to:

Model: DIGI TransPort WR41/44/21

Digi TransPort WR41 routers must have the “Encryption” option Digi TransPort WR21 routers must run Enterprise firmware

Firmware versions: 5169 and later

Model: Cisco router running Advanced Enterprise Image.

Firmware versions: 15.9

Please note: This application note has been specifically rewritten for firmware release 5169 and later and will not

work on earlier versions of firmware. Please contact tech.support@digi.com if your require assistance in upgrading the firmware of the TransPort router.

1.3 Corrections

Requests for corrections or amendments to this application note are welcome and should be addressed to: tech.support@digi.com Requests for new application notes can be sent to the same address.

2 VERSION

Version Number

Status

1.0

Published

1.1

Updated for new SarOS and Cisco firmware

3 CERTIFICATES CREATION

If you already have certificates available, you can skip to section 3.2

3.1 Generate Test certificates using OpenSSL and XCA

Download and install the latest release of XCA which can be found at: http://sourceforge.net/projects/xca/

3.1.1 Create a Root CA Certificate

Open the XCA application

1. Click the File menu and select New Database, chose a name and click Save.

2. Chose a password and click OK

3. Click the Certificates tab

4. Click the New Certificate button

5. Under “Template for the new certificate”, select default CA and click Apply all

6. Go to the Subject tab, fill in all the information then click the Generate a new key button and

click OK

Parameter

Setting

Internal name

This is for display purposes in the tool, only

Country Name

The two-letter ISO 3166 abbreviation for your country.

State or Province Name

The state or province where your organization is legally located. Do not abbreviate.

In this example: Some-State

Locality Name

The city where your organization is legally located. Do not abbreviate.

In this example: Paris

Organization Name

The exact legal name of your organization. Do not abbreviate your organization name.

In this example: Digi

Organizational Unit Name

Section of the organization.

Examples of sections are Marketing, Research and Development, Human Resources or Sales.

Common Name

In this example DigiCA will be used.

Email Address

Enter your organization general email address.

In this example

certteam@digi.com

7. The certificate should now appear in the window with the CA : YES confirmation. If it does not

say CA: YES, verify that you selected CA in the template and clicked Apply All.

3.1.2 Create a CA-Signed Host Certificate (Cisco Router, Responder)

1. Click the Certificates tab

2. Click the New Certificate button

3. Under Signing, make sure to select “Use this Certificate for signing” and chose the previously

created CA.

4. Under “Template for the new certificate”, select default HTTPS_server and click Apply all

5. Go to the Subject tab, fill in all the information then click the Generate a new key button and