Clavister OneConnect server using cOS Core as CA Server

Last modified on 14 Sep, 2022. Revision 13


Brief information on certificates and why they matter for the OneConnect server and client

Certificate validation in the OneConnect client is done in several steps.

How to generate CA certificate using NetWall WebUI (root)

To generate the CA certificate from the cOS Core WebUI, go to “Objects -> Key Ring -> Add -> Certificate -> Generate Certificate -> Configure”:

  1. Configure the CA certificate.
    1. Warning: Generating certificates is very CPU intensive; generating the certificates below can cause a smaller desktop appliance to stall for several seconds.
  2. Set the certificate type to CA certificate.
  3. Replace the subject name with something suitable for the organization.
    1. CN = common name, OU = organizational unit, O = company name, L = province, C = country
  4. Choose the public key type. In this example we use RSA with a key size of 2048 bits.
  5. Choose a suitable signature algorithm. In this example we use SHA-512.
  6. Generate the CA certificate.
  7. Disable CRL checks, as the firewall cannot act as a CRL repository.
    1. CRL = Certificate Revocation List.
  8. Download and save the certificate for later; it needs to be installed in the correct certificate store on the Windows clients.
    1. Important: Only export the certificate, not the key. The key is secret and should never leave the firewall, since it can be used to sign additional certificates with this CA as the base.
    2. This certificate is then referred to as the "root" certificate.

How to generate CA signed certificate using NetWall WebUI (end-entity)

This certificate will be the one used in the firewall’s remote management section and will be the information the firewall presents to the client when it connects.

To generate the CA signed gateway certificate, go to “Objects -> Key Ring -> Add -> Certificate -> Generate Certificate -> Configure”:

  1. Configure the certificate object in the cOS Core key ring.
  2. Select the certificate type End-Entity certificate.
  3. Replace the subject name with something suitable for the organization.
    1. Important: The Subject Alternative Name needs to resolve to the public IP where the OneConnect server is located (the firewall).
  4. Generate the gateway certificate.
    1. This certificate is then referred to as the "end-entity" certificate.
  5. Disable CRL checks, as the firewall cannot act as a CRL repository.
    1. CRL = Certificate Revocation List.

How to apply your newly generated certificates in the configuration

  1. Select the certificate as HTTPS certificate under System -> Device -> Device Settings -> Remote Management -> Advanced Settings, adding your created End-entity certificate as “HTTPS Certificate”.
    1. Note: In this particular scenario the root certificate does not need to be added to the root certificate list. If certificate chains are used, however, it is needed.
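The two certificates above, recreated on the command line with openssl and checked the way an administrator should check the exported files before handing them to clients (CA flag on the root, no private key in the export, SAN covering the gateway IP, no CRL distribution point, chain verifies). This is an added example, not part of the article or of cOS Core; the directory, subject names and the IP 198.51.100.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: mirror the WebUI steps (RSA 2048, SHA-512, root CA, then an
# end-entity signed by it with the gateway IP in the SAN) and verify the result.
# WORK, the subject names and VPN_IP are constructed placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VPN_IP=198.51.100.10   # constructed: public IP of the firewall / OneConnect server

gen_certs() {
  # Root CA: self-signed, marked CA:TRUE (the WebUI type "CA certificate").
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Example Root CA/OU=IT/O=Example Ltd/L=Stockholm/C=SE" 2>/dev/null
  openssl x509 -req -sha512 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # End-entity: signed by the root; the SAN must cover what clients connect to.
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=IP:%s\n' \
    "$VPN_IP" > "$WORK/ee.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ee.key" -out "$WORK/ee.csr" \
    -subj "/CN=OneConnect Gateway/O=Example Ltd/C=SE" 2>/dev/null
  openssl x509 -req -sha512 -days 825 -in "$WORK/ee.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ee.ext" -out "$WORK/ee.crt" 2>/dev/null
}

# Checks on PEM files; exit status 0 means the property holds.
is_ca()          { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
no_private_key() { ! grep -q 'PRIVATE KEY' "$1"; }   # only the certificate may leave the firewall
san_has_ip()     { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; }
no_crl_dp()      { ! openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; }
chain_ok()       { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

run_checks() {
  is_ca "$WORK/root.crt"               || { echo "root: not a CA certificate"; return 1; }
  no_private_key "$WORK/root.crt"      || { echo "root: export contains a private key"; return 1; }
  ! is_ca "$WORK/ee.crt"               || { echo "end-entity: wrongly marked as CA"; return 1; }
  san_has_ip "$WORK/ee.crt" "$VPN_IP"  || { echo "end-entity: SAN does not cover $VPN_IP"; return 1; }
  no_crl_dp "$WORK/ee.crt"             || { echo "end-entity: carries a CRL distribution point"; return 1; }
  chain_ok "$WORK/root.crt" "$WORK/ee.crt" || { echo "chain: end-entity does not verify"; return 1; }
  echo "all checks passed"
}

gen_certs && run_checks
```

Run the same checks against the files exported from the firewall by pointing the functions at those paths instead of the generated ones.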

How to set up the Clavister OneConnect Server in the NetWall WebUI

Regarding user storage

The OneConnect VPN requires that we define a user storage; this can be a Local User Database, an LDAP server or a RADIUS server. How to set up these different options is described in the admin guide; here we focus on the Local User Database.
The first step is to create a new Local User Database. To accomplish this, go to System -> Device -> Local User Databases and create a new database. In this example the database is called “Roaming_Users”; once it is created we can start adding users to it. The General tab contains the name of the database and a comment field, while the second tab is where users in the database are added, removed and edited.

Server configuration

This step is described in detail in our Knowledge base:
https://kb.clavister.com/329098813/how-do-i-set-up-a-oneconnect-vpn-tunnel-in-cos-core

A detailed step-by-step guide to this can also be found in the cOS Core Administration Guide, which can be downloaded from MyClavister as a PDF or read online. See chapter: Example 10.27. Setting Up a OneConnect VPN Interface:
https://docs.clavister.com/repo/cos-core-administration-guide/

To create a OneConnect VPN, go to Network -> Interface and VPN -> OneConnect, press the Add button and select OneConnect Interface.
Once the interface window opens, fill in the information for the tunnel.

Once this is set up, press OK and save the configuration. We can now configure the OneConnect client version 3 or higher, or a third-party client such as OpenConnect.

Needed IP Policies

Regarding the required IP policies, it is up to the network administrator to decide what traffic should be allowed into their networks through the VPN tunnel. This is done by defining IP Policies in the IP Rule Set. Make sure that the relevant policies are configured to allow the desired traffic to and from the OneConnect clients.

OneConnect Client installation

The following client setups are covered by articles in the knowledge base:

Setting up the Clavister OneConnect client (version 3 or later) for Microsoft Windows is described in: https://kb.clavister.com/336136165

Setting up the Clavister OneConnect client (version 3 or later) for Apple (MacOS, iOS, iPadOS) is described in: https://kb.clavister.com/336136145
Setting up the Clavister OneConnect client (version 3 or later) for Android is described in: https://kb.clavister.com/346366860
Setting up the OpenConnect client for Android is described in: https://kb.clavister.com/329095020
Setting up the OpenConnect-GUI client for MacOS is described in: https://kb.clavister.com/329092217
Setting up the OpenConnect client for Linux is described in: https://kb.clavister.com/329092224

Importing the Certificate to the client

These steps vary depending on the Operating system.

As mentioned earlier, the client also needs to trust the certificate used by the firewall in order to establish the tunnel. The steps below are only necessary if you are using a self-signed certificate.
For Windows: add the self-signed ROOT (not end-entity) certificate downloaded earlier to the local client computer using the Windows certificate management tools, as described here: https://support.securly.com/hc/en-us/articles/360026808753-How-to-manually-install-the-Securly-SSL-certificate-on-Windows
For Mac: it is often enough to browse to the FQDN/IP with Safari; you are then prompted whether to trust the certificate or not.

