Identifying authentication requirements
2-4
Planning Your VPN Configuration
If not already done, decide if you will use self-signed certificates
generated by Sidewinder or a public/private CA server.
Table 2-1. Sidewinder self-signed certificates versus CA-based certificates

Scenario: Using self-signed certificates (for a small number of VPN clients)
Profile:
  No CA needed
  Requires one VPN association for each client

Scenario: Using CA-based certificates (for a medium to large number of VPN clients)
Profile:
  Uses a private or public CA
  Single VPN association for all clients
  Can make VPN deployment and management more efficient

A closer look at self-signed certificates

A VPN implemented using Sidewinder self-signed certificates does not require an external certificate authority and is relatively easy to configure for a small number (fewer than 10) of clients. However, one VPN association must be configured on Sidewinder for each client, so the administrative time grows with the number of configured clients. Figure 2-2 shows the certificates involved in a VPN using Sidewinder self-signed certificates.

Figure 2-2. Sidewinder self-signed certificate summary
[Figure 2-2: a Soft-PK client on the Internet connects through Sidewinder to the protected network. The figure shows the Client Cert. and Firewall Cert. on each side and the files exchanged (*.pem, *.pk1, and a PK12 object for importing to Soft-PK). Callouts:]

1. Admin creates firewall private key and certificate
2. Admin creates client private key/certificate pair(s)
3. Admin converts client private key & exports certificate files to PK12 object
4. Client private key and certificate file (PKCS12) imported into Soft-PK
5. Firewall certificate imported to Soft-PK (private key remains on Sidewinder)

Note: A self-signed certificate created on Sidewinder remains valid for one year beginning from the date it is created.