Siemens SINAUT MD741-1 System Manual page 78

Simatic net egprs/gprs-router

Figure 7-8 (diagram not reproduced; labels: VPN connection, Local network, Admin PC, MD741-1, Local application, Local application)
X.509 certificate, CA certificate
In the authentication methods X.509 certificate and CA certificate, the keys used
for authentication have first been signed by a Certification Authority (CA). This
method is considered especially secure. A CA can be a service provider, but also,
for example, the system administrator for your project, provided that he has the
necessary software tools. The CA creates a certificate file (PKCS12) with the file
extension *.p12 for each of the two remote stations. This certificate file contains the
public and private keys of the station itself, the signed certificate from the CA, and
the public key of the CA. For the authentication method X.509 there is additionally
a key file (*.pem, *.cer or *.crt) for each of the two remote stations with the public
key of the station itself.
X.509 certificate
The public keys (files with extension *.pem, *.cer or *.crt) are exchanged between
the SINAUT MD741-1 and the remote station's VPN gateway manually, for example
on a CD-ROM or via e-mail. To load the certificate, proceed as described in
Chapter 7.3.
CA certificate
The public keys are exchanged between the SINAUT MD741-1 and the remote
station's VPN gateway via the data connection when the VPN connection is
established. Manual exchange of the key files is not necessary.
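The following shell script is an added example, not part of the Siemens manual. It walks through the file roles described above: it builds the PKCS12 file for one station, exports the public certificate file meant for manual exchange, and checks that this file holds no private key and is signed by the CA. Using OpenSSL as the CA's software tool is an assumption, and the station name md741, the CA name and the export password are constructed placeholders.

```shell
#!/bin/sh
# Added example. OpenSSL stands in for the CA's software tools (assumption);
# all names and passwords are constructed placeholders.
set -eu

make_ca() {             # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Project CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Build the station's PKCS12 file: own key pair, CA-signed certificate,
# and the CA certificate (which carries the CA's public key).
make_station_p12() {    # $1 = dir, $2 = station name, $3 = export password
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/$2.signed.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.signed.crt" \
    -certfile "$1/ca.crt" -passout "pass:$3" -out "$1/$2.p12"
}

# Export only the station certificate (public key) for manual exchange.
export_public_cert() {  # $1 = dir, $2 = station name, $3 = export password
  openssl pkcs12 -in "$1/$2.p12" -passin "pass:$3" -nokeys -clcerts |
    openssl x509 -out "$1/$2.crt"
}

# Succeeds only if the file holds no PEM private key and verifies against the CA.
safe_to_exchange() {    # $1 = dir containing ca.crt, $2 = file to check
  ! grep -q "PRIVATE KEY" "$2" &&
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
work=$(mktemp -d)
make_ca "$work"
make_station_p12 "$work" md741 "constructed-export-pass"
export_public_cert "$work" md741 "constructed-export-pass"
safe_to_exchange "$work" "$work/md741.crt" && echo "md741.crt: OK to send"
rm -rf "$work"
```

Outside a demo, give OpenSSL the export password through its `file:` or `env:` sources rather than `pass:`, which exposes it in the process list, and keep the CA key encrypted instead of using `-nodes`.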
Pre-shared secret key (PSK)
This method is primarily supported by older IPsec implementations. Here
authentication is performed with a character string agreed on beforehand. In order
to obtain high security, the character string should consist of about 30 randomly
selected lower-case and upper-case letters and numerals.
(Figure 7-8 labels, continued: Address of the remote network, INTERNET, (E-)GPRS, APN, VPN tunnel, Address of the remote host, Remote network, Admin PC, VPN gateway, External remote stations)
SINAUT MD741-1
C79000-G8976-C212
