SSL-certificates for IPSec: example of real-life use
Not so long ago we faced the following problem: a customer needed to set up a secure VPN tunnel between a Palo Alto Networks firewall and the GlobalProtect VPN client. The customer had previously used a self-signed certificate, which gave the client no way to verify the gateway's identity and caused a warning about the untrusted certificate every time a user connected (a self-signed certificate carries no chain of trust).
Self-signed certificates for a VPN look cheaper at first glance, but, as you know, this can be a false economy. A client that has not been given the gateway's certificate in advance cannot tell a self-signed certificate from one an attacker generated, so users who have been trained to click through the warning can be steered to an attacker's gateway presenting its own certificate. The attacker then sits in the middle of the connection and can read the traffic, and any valuable information ends up in the wrong hands, which defeats the purpose of the VPN channel.
If the certificate is issued by a trusted public CA, the client can verify the gateway's name against a root it already trusts, so impersonating the gateway requires the gateway's private key or a compromise of the CA, and the warning that users were taught to ignore goes away.
The customer needed to protect the VPN tunnel with a reliable SSL certificate from a trusted certification authority. When issuing it we found that a standard server certificate did not work for the tunnel between the Palo Alto Networks firewall and the GlobalProtect client.
Adding the OID 1.3.6.1.5.5.7.3.5 to the certificate's Extended Key Usage solved the problem. The customer installed the certificate and was able to protect the tunnel with it.
OID 1.3.6.1.5.5.7.3.5 is the Extended Key Usage value id-kp-ipsecEndSystem ("IPSec End System"), defined in RFC 2459; it is not part of a default server certificate and has to be requested separately. Later revisions of the PKIX profile (RFC 3280 and RFC 5280) no longer list this value, so not every CA will include it on request: check the issued certificate for the OID before installing it on the firewall.
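The following is an added example, not code from the original article or from Palo Alto Networks: it builds a CSR that asks for the IPsec End System EKU alongside the usual serverAuth, stands in for the CA by self-signing it (only so the script runs offline; in real use you submit the CSR and install the CA-issued certificate), and checks whether a certificate actually carries OID 1.3.6.1.5.5.7.3.5. The hostname vpn.example.com, the working directory and all file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article). Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # assumed scratch directory
HOST="${HOST:-vpn.example.com}"   # assumed portal/gateway hostname

# id-kp-ipsecEndSystem, "IPSec End System" (RFC 2459); numeric form works
# with every OpenSSL version even if the short name is missing.
IPSEC_END_SYSTEM_OID="1.3.6.1.5.5.7.3.5"

# Request config: serverAuth covers the TLS side of the connection, the
# IPsec End System OID is the extra EKU the article says the tunnel needed.
write_req_config() {
    cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = $HOST

[ v3_req ]
subjectAltName   = DNS:$HOST
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, $IPSEC_END_SYSTEM_OID
EOF
}

# Generate the private key and the CSR you would hand to the CA.
make_csr() {
    write_req_config
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" \
        -config "$WORK/req.cnf" >/dev/null 2>&1
}

# Stand-in for the CA: self-sign the CSR and copy the requested extensions.
# A real deployment uses the certificate the CA returns instead.
issue_test_cert() {
    openssl x509 -req -in "$WORK/vpn.csr" -signkey "$WORK/vpn.key" \
        -days 30 -sha256 -extfile "$WORK/req.cnf" -extensions v3_req \
        -out "$WORK/vpn.crt" >/dev/null 2>&1
}

# Negative control: a plain self-signed certificate with no IPsec EKU,
# i.e. what the customer had before.
issue_plain_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$HOST" -keyout "$WORK/plain.key" \
        -out "$WORK/plain.crt" >/dev/null 2>&1
}

# Exit 0 if the certificate lists the IPsec End System EKU, 1 otherwise.
# OpenSSL prints the long name when it knows the OID and the dotted
# number when it does not, so both are accepted.
has_ipsec_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -Eq 'IPSec End System|(^|[^0-9.])1\.3\.6\.1\.5\.5\.7\.3\.5([^0-9]|$)'
}

make_csr
issue_test_cert
issue_plain_cert
if has_ipsec_eku "$WORK/vpn.crt"; then
    echo "OK: $WORK/vpn.crt carries id-kp-ipsecEndSystem"
else
    echo "MISSING: $WORK/vpn.crt has no IPsec End System EKU" >&2
    exit 1
fi
```

Run the same has_ipsec_eku check against the certificate the CA actually returns before loading it into the firewall; if the CA silently dropped the EKU, you will see it here rather than in a failed tunnel.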
LeaderSSL will issue SSL-certificate for IPSec
Using certificates to protect a VPN tunnel helps prevent unauthorised access to the VPN network and is one of the most convenient and flexible ways to authenticate all parties to the connection.
If you need a certificate with OID 1.3.6.1.5.5.7.3.5, intended for protecting IPsec VPN tunnels, please contact our managers. We will help you obtain an SSL certificate, which is crucial for VPN protection.