Netgear FVX538v2 – ProSafe VPN Firewall Dual WAN with 8-Port 10/100 and 1 Gigabit LAN Port Switch User Manual
VPN Client Software Setup and Network Deployment
106
NETGEAR ProSAFE VPN Client
PKICheck Option Concepts
For the PKICheck option to function correctly, make sure that the root certificate,
intermediate certificates, and the server certificate are imported into the Windows Certificate
Store. Similarly, the Certificate Revocation List (CRL) for the certificate of the VPN gateway
must be in the Windows Certificate Store or downloadable. If the CRL is absent from the
Windows Certificate Store or not downloadable while a VPN tunnel is being opened, the VPN
Client cannot validate the certificate of the VPN gateway.
Certificate validation includes validation of the following items:
• The expiration date of the certificate
• Signatures of all certificates in the certificate chain, including the root certificate,
  intermediate certificates, and the server certificate
• The absence of certificate revocation in the CRLs
In addition, the CRLs of all certificate issuers in the certificate chain are downloaded and
validated:
• All CRL distribution points (CDPs) are validated.
• The CRLs are downloaded from the CDPs.
• The expiration dates of the CRLs are validated.
• The signatures of the CRLs are validated and compared with the public keys of the
  certificate issuers.
• The CRLs are imported into the Windows Certificate Store.
Customize the vpnconf.ini File
The VPN Client automatically recognizes smart cards and tokens of the leading
manufacturers. The cards are recognized based on their Answer to Reset (ATR) code, which
enables the VPN Client to use the associated cryptographic service provider (CSP) or
PKCS#11 middleware.
By adding a vpnconf.ini file, you can specify a specific smart card reader or token reader
and the path to its associated middleware, and you can add custom smart cards and tokens
that are not automatically recognized by the VPN Client.
The vpnconf.ini file is an editable initialization file that is used to configure the VPN Client
during the startup process. You can use any text editor to configure the vpnconf.ini file.
Table 8. PKI options parameters for the vpnsetup.ini file in alphabetical order (continued)
Option | Description | Settings
SmartCardRoaming (continued) | 04 or 05 specifies the first smart card reader or token reader that is inserted and that contains a smart card or token.
• 04. The VPN Client uses the certificate with the subject that is specified in the VPN configuration.
• 05. The VPN Client can use any certificate.