An IPSec VPN using pre-shared secret for authentication will fail PCI DSS security scans. Here's how to switch to using certificates on the router and the VPN client to pass the scan.
In part one of this series, I explained why I needed to change an IPSec VPN from using pre-shared secret to SSL certificates for authentication. I then described how we imported a suitable certificate into a SonicWALL router. This was the first step of the three steps required to make the VPN work and pass the Payment Card Industry Data Security Standard (PCI DSS) scan.
The second step, also on the SonicWALL router, was to change the VPN setting to use the newly installed certificate for authentication.
1. Log in to the SonicWALL and navigate to VPN | Settings.
2. Under VPN Policies locate WAN GroupVPN and click the pencil icon to configure it (Figure A).
Figure A: Locating the VPN policy
3. On the General tab under Security Policy, change Authentication Method from IKE Using Preshared Secret to IKE using 3rd Party Certificates.
4. This will enable the Gateway Certificate field. Pick the name of your previously installed certificate.
5. Under Peer Certificates, we found the settings that worked were to set Peer ID Type to Domain name and the Peer ID Filter to the domain covered by the certificate, e.g., vpn.company.com. (For our wildcard SSL certificate, we used *.company.com, replacing company.com with our domain name.)
6. After updating these settings on the General tab (Figure B), click OK. Caution: As soon as you make this change, users will be unable to connect to the VPN until they update their client settings.
Figure B: Updated settings on the General tab
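Because the change in step 6 cuts off every client until it has the certificate, it is worth checking the certificate file before distributing it. The following is an added example, not part of the original article or of SonicWALL's tooling: a shell function built on the openssl command line (1.1.1 or later assumed) that confirms the file opens with its password, is not close to expiry, and contains the name you plan to enter as the Peer ID Filter. The function names, the PFX_PASS variable, the PKCS#12 (.pfx) file format and the literal name comparison are assumptions for illustration; the article does not describe how the firewall itself evaluates the filter.

```shell
#!/usr/bin/env bash
# Added example. Usage: PFX_PASS=... check_vpn_cert <file.pfx> <peer-id-filter> [min-days]
# Exit status: 0 = ready, 1 = name or expiry problem, 2 = cannot read the file.

# Print the certificate's DNS names (SAN entries plus subject CN), lowercased.
cert_dns_names() {
  {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
      tr ',' '\n' | sed -n 's/^ *DNS://p'
    openssl x509 -in "$1" -noout -nameopt RFC2253 -subject |
      sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  } | tr 'A-Z' 'a-z' | sort -u
}

check_vpn_cert() {
  local pfx="$1" min_days="${3:-30}" filter pem rc=0
  filter=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  pem=$(mktemp) || return 2
  # -nokeys keeps the private key off disk; the password comes from the environment.
  if ! openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin env:PFX_PASS 2>/dev/null |
       openssl x509 -out "$pem" 2>/dev/null; then
    echo "FAIL: cannot read $pfx (wrong password or not PKCS#12)"
    rm -f "$pem"; return 2
  fi
  if ! openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $min_days days"; rc=1
  fi
  # Literal comparison (assumption): the filter must equal a name in the certificate.
  if ! cert_dns_names "$pem" | grep -Fxq -- "$filter"; then
    echo "FAIL: '$filter' is not a name in the certificate; it contains:"
    cert_dns_names "$pem" | sed 's/^/  /'; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: $pfx matches '$filter', valid $min_days+ days"; fi
  rm -f "$pem"; return "$rc"
}

# Constructed sample input: throwaway self-signed certificate for NAME, valid DAYS days.
make_demo_pfx() {  # make_demo_pfx <out.pfx> <name> <days>
  local d rc; d=$(mktemp -d) || return 2
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k.pem" -out "$d/c.pem" \
    -days "$3" -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -out "$1" \
      -passout env:PFX_PASS
  rc=$?; rm -rf "$d"; return "$rc"
}
```

A file exported by an older tool may need openssl's `-legacy` option on OpenSSL 3 before it can be read.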
I'm assuming that the user already has the SonicWALL Global VPN Client (GVC) installed on their PC, with a connection policy defined for your VPN. They will also need a copy of the same certificate that was installed on the SonicWALL router, and the password used to encrypt it.
1. Start the GVC and on the menu select View | Certificates.
2. Unless a certificate has been previously imported, the list will be empty. Click the Import... button (Figure C).
Figure C
3. Browse to the folder containing the SSL certificate and click Open.
4. Enter the password for the certificate and click OK (Figure D).
Figure D
5. You should receive notification of a successful import, and the certificate will show in the list. Click OK and then click Close.
6. In the main GVC window, select the connection and click Enable. In the Select Certificate dialog, verify that it shows the correct certificate and click OK (Figure E). The GVC should now connect to the VPN as normal.
Figure E: Newly imported certificate available for selection.
Since making these changes, our SonicWALL router passes the PCI DSS scan, and the VPN operates as normal.
The only failure we've had with this client update process is on a couple of 64-bit Windows 8 Professional PCs. On these, as soon as you select View | Certificates from the GVC menu, the software crashes. We logged this with SonicWALL and followed typical troubleshooting procedures, which included performing a complete uninstall, checking to make sure we had the latest version, and sending them the error logs.
SonicWALL say it did have some problems on 64-bit Windows 8 but on an earlier version of the GVC. To confuse matters, we later tried the process on a Microsoft Surface Pro tablet running 64-bit Windows 8 Pro, and it worked fine. This indicates the crash is machine specific, and so far we've been unable to trace the cause.
An IPSec VPN using pre-shared secret for authentication will fail PCI DSS security scans. The fix is to use certificates on the router and the VPN client. In these posts, I described how to do this for a SonicWALL router using the SonicWALL Global VPN Client. The process is not straightforward, but it does work for most client PCs.