Basic Questions on IPsec Setup

simonkbaby123
Level 1

Hi,

I have the below basic questions regarding IPsec VPN in a PKI environment.

My requirement is to securely communicate from my application running on Linux with several other servers. Each server is running with specific security configurations. I am using digital certificates for the authentication.

1. Do I need a separate certificate for creating IPsec VPN tunnels with all the servers?

2. In the case of a single certificate used to create IPsec tunnels with all other servers, when one of the servers' certificates is revoked, do I have to do anything from my end from an authentication point of view?

3. In the case of a single certificate, if the certificate issuer is different from any of the servers' certificate issuers, how will the validation take place in the IPsec mutual authentication phase?

4. Is a single certificate or multiple certificates better from a security point of view? Multiple means more than one certificate, with each certificate created specifically for a server.

Rgds

Simon


8 Replies

There is no single correct answer but many things to consider:

  • Having individual certificates for every system is typically most secure but could put a burden on administration which is not feasible.
  • At least systems of different security domains should have individual certificates. That means that you should not use the same certificate for the VPN gateway and application servers.
  • If you use shared certificates and you revoke one, all systems using this certificate need to re-enrol a new certificate.
  • For the Linux servers, it's likely that it is very easy to have individual certificates for each server with Let's Encrypt. If set up properly the certificates renew automatically and you don't have any more work with that.
  • For the VPN gateways, if there is no Let's Encrypt automatism available I would buy a dedicated certificate for this device.
  • If you want to authenticate your users with certificates (I think you want to), then the users will most likely use private certificates from your own CA. Each server that validates the user must have the root certificate of the CA issuing the user certificates.

Hi Karsten,

Thank you so much for the quick reply.

I agree that having individual certificates is the most secure but difficult to administer.

You mentioned: If you use shared certificates and you revoke it, all systems using this certificate need to re-enrol a new certificate.

Are you saying that if I have only one certificate and use it for connecting to 3 different peers, and if my certificate is revoked, all the other peers also need to get a new certificate? So during the certificate renewal I will lose the connection and it will affect my data traffic?

Will there be any issue if my peers use a different CA certificate issuer?

Rgds

Simon

If you have three systems using this certificate and you revoke it, you need to renew this certificate on all three systems.

You will not directly lose traffic, but on the next authentication the connection will likely not come up. It will only have an effect if you enable the revocation check on your system.

You can easily have certificates from different vendors. Just make sure that you import the proper root certificate. Example:

A has a cert from CA-1, B has a cert from CA-2.

A needs to import the root cert of CA-2 and B needs to import the root cert of CA-1.

Thank you so much for your answers.

I have one last query.

You mentioned that if the shared certificate is revoked, you need to renew this certificate on all three systems.

Are you saying that the renewal on the peers occurs as part of the authentication procedure, or do we need a CSR and manual certificate upload?

Thanks for your time

Not sure if I get your question right ...

When the cert of an entity gets revoked, all future authentications of this entity will fail and you need to get a new certificate. Given that there is a reason that you have revoked the certificate (like key compromise) you have to make sure that the new certificate uses different keys than the revoked certificate. You need to generate a new key pair, generate a new CSR based on these keys and apply for a new certificate with this CSR.

Hello Karsten,

Sorry for the confusion in my question.

My query is about the new certificate creation. I believe the CSR is generated only on the system whose certificate was revoked (or whose key was compromised), and when it gets the new certificate all of its peers get this during the authentication process?

A CSR can also be generated offline with a tool like openssl. But yes, most often the CSR is generated on the system using the certificate.

When a system has the new certificate from the CA, it can authenticate itself to any system that has the corresponding root-certificate. The certificate is sent to the peer as part of the authentication-process.
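The two answers above (different CAs per peer with the other side's root imported, and revocation followed by a new key pair and a new CSR) can be walked through with a throwaway PKI. The script below is an added example, not code from the thread or from any vendor; `openssl verify` stands in for what an IKE peer does when it validates the certificate it received against the root it has imported. The CA names (`ca1`, `ca2`), the host names `a.example.net` and `b.example.net`, the file names and the temporary directory are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds two independent root CAs
# with openssl, issues A a cert from CA-1 and B a cert from CA-2, then revokes
# A's cert and re-enrols A with a fresh key pair. All names/paths are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca NAME: self-signed root plus the minimal config 'openssl ca' needs
# to maintain an index and publish CRLs.
make_ca() {
  cat > "$1.cnf" <<EOF
[ ca ]
default_ca       = this_ca
[ this_ca ]
database         = $1.index
serial           = $1.serial
crlnumber        = $1.crlnumber
new_certs_dir    = .
certificate      = $1.crt
private_key      = $1.key
default_md       = sha256
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions  = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
  : > "$1.index"; echo 1000 > "$1.serial"; echo 01 > "$1.crlnumber"
  openssl req -x509 -config "$1.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$1" 2>/dev/null
}

# issue_cert CA FILE CN: new key pair, new CSR, certificate signed by CA.
# (The CA's .cnf is reused only for the [req] boilerplate openssl needs.)
issue_cert() {
  openssl req -new -config "$1.cnf" -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 365 -out "$2.crt" 2>/dev/null
}

# revoke_cert CA FILE: mark FILE.crt revoked and publish a fresh CRL as CA.crl
revoke_cert() {
  openssl ca -config "$1.cnf" -revoke "$2.crt" 2>/dev/null
  openssl ca -config "$1.cnf" -gencrl -out "$1.crl" 2>/dev/null
}

# peer_verifies ROOT CERT [CRL]: the check a peer performs on the certificate
# it receives during authentication. Passing a CRL switches revocation
# checking on; without it a revoked but otherwise valid cert still passes.
peer_verifies() {
  if [ "$#" -ge 3 ]; then
    openssl verify -crl_check -CAfile "$1" -CRLfile "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# same_key KEY1 KEY2: true when both private keys carry the same public key
same_key() {
  h1=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  h2=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$h1" = "$h2" ]
}

make_ca ca1
make_ca ca2
issue_cert ca1 a-v1 a.example.net    # A's cert comes from CA-1
issue_cert ca2 b    b.example.net    # B's cert comes from CA-2

# Different vendors: A must hold CA-2's root to accept B, not its own CA-1 root.
peer_verifies ca2.crt b.crt && echo "A (with CA-2 root) accepts B"
peer_verifies ca1.crt b.crt || echo "A (with only CA-1 root) rejects B"

# Key compromise on A: revoke, then re-enrol with a NEW key pair and NEW CSR.
revoke_cert ca1 a-v1
issue_cert ca1 a-v2 a.example.net
same_key a-v1.key a-v2.key || echo "A's new cert uses a different key pair"

peer_verifies ca1.crt a-v1.crt         && echo "B without revocation check: old cert still accepted"
peer_verifies ca1.crt a-v1.crt ca1.crl || echo "B with CRL check: old cert rejected"
peer_verifies ca1.crt a-v2.crt ca1.crl && echo "B with CRL check: new cert accepted"
```

Run it with `sh` on any host that has `openssl`; it leaves nothing behind. In IPsec terms, `ca2.crt` in `peer_verifies` is the root certificate A has to import for B, and the CRL argument corresponds to the revocation check that has to be switched on before a revoked peer certificate is actually refused.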

Hello Karsten,

1. If my system needs to connect to three other security gateways and one RADIUS server, can I have only one certificate for all these gateways and the RADIUS server?

2. Since I am not using OCSP, do I need to get the CRLs for the root CA, the SCA, etc.?

Rgds

Simon
