INSTALLATION GUIDE UPDATE 01 FOR IPBRICK V6.3 Ref.: , 2018-07-05 , Diana Babo , rev. 0


  • 0 Index

    1 Introduction
    2 Procedure
    3 Important notes

    Update 01 for IPBrick v6.3: : Installation Guide , rev. 0 [Pág. 2 de 9]

  • 1 Introduction

    If you have SSL VPN certificates created in your IPBrick, you must pay close attention to the instructions presented in this guide. If you don’t have SSL VPN certificates, you can ignore it.

    Due to security weaknesses found in some types of encryption (https://sweet32.info/), a new type of encryption (AES-256-CBC) was added for SSL VPN. Update 01 of IPBrick v6.3 provides its configuration.

    Installing this update does not, by itself, switch the SSL VPN certificates to the new type of encryption. It also won’t stop SSL VPN from operating or prevent users from connecting by SSL VPN.

    Since the latest versions of OpenVPN clients no longer accept the old BF-CBC type of encryption, it’s highly recommended to switch all SSL VPN certificates to this new type of encryption. Please note that this implies that all SSL VPN certificates must be generated once again. This operation must be performed by the System Administrator and, due to the impact that it may have on the organization, we advise you to schedule it. Remember that all VPN certificates will be deleted and the Users of the Company will lose VPN access until the System Administrator gives them a new SSL VPN certificate.


  • 2 Procedure

    In order to perform the above-mentioned changes, it’s necessary to follow the procedure described below.

    1. Delete all certificates

    • On the web interface of IPBrick go to VPN » SSL » VPN SSL;

    • In the top right corner of the table entitled “Certificates”, click the option “Delete all”;

    • You will be asked to confirm this action and, to do so, you just need to click on “Delete”.

    2. Change the encryption type from BF-CBC to AES-256-CBC

    • Also on the VPN SSL page, in the top right corner of the table entitled “Definitions”, click the option “Modify”;

    • Change the encryption type to AES-256-CBC;

    • Click on “Modify” to save your changes.

    NOTE: If you try to change the encryption type before deleting the certificates, the following message will appear.

    3. Apply Configurations

    4. Insert new certificates for Server and Client

    • After changing the encryption type and applying configurations, you must insert new certificates for Server and Client. To do so, go to VPN » SSL » VPN SSL and, in the top right corner of the table entitled “Certificates”, click “Insert”.

    NOTE: If you try to insert new certificates after changing the encryption type and before applying configurations, the following message will appear.


  • 3 Important notes

    • Encryption options:

    ◦ BF-CBC: This is the default encryption type for installations that already have certificates created.

    ◦ AES-256-CBC: This is the default encryption type for new installations that don’t have certificates created yet.

    • The encryption type BF-CBC will be discontinued in the upcoming update 01 of IPBrick v6.4, so it’s important to perform this change as soon as possible. From this update on, AES-256-CBC will be the default encryption type.
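
A check to run on the regenerated client profiles after step 4, as an added example (not code from this guide or from IPBrick). It assumes the profiles are OpenVPN configuration files carrying a `cipher` directive; the file names and contents in `SAMPLES` are constructed.

```python
import re

# OpenVPN cipher name prefixes with a 64-bit block size, the class affected by SWEET32.
BLOCK64_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")
TARGET = "AES-256-CBC"  # the cipher this guide migrates to


def effective_cipher(config_text):
    """Return the value of the last active `cipher` line, or None if there is none."""
    cipher = None
    for raw in config_text.splitlines():
        # Comments start with '#' or ';'; drop them before tokenising.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "cipher":
            cipher = parts[1].upper()
    return cipher


def audit(config_text):
    """Classify one profile as (status, cipher)."""
    cipher = effective_cipher(config_text)
    if cipher is None:
        # Older OpenVPN releases default to BF-CBC when no cipher is configured.
        return ("implicit-default", None)
    if cipher == TARGET:
        return ("ok", cipher)
    if cipher.startswith(BLOCK64_PREFIXES):
        return ("weak-64bit", cipher)
    return ("other", cipher)


# Constructed sample profiles (hypothetical names and hosts).
SAMPLES = {
    "old-client.ovpn": "client\nremote vpn.example.com 1194\ncipher BF-CBC\n",
    "new-client.ovpn": "client\nremote vpn.example.com 1194\n"
                       ";cipher BF-CBC\ncipher AES-256-CBC\n",
    "bare-client.ovpn": "client\nremote vpn.example.com 1194\n# cipher AES-256-CBC\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, cipher = audit(text)
        print(f"{name}: {status} ({cipher})")
```

Any profile reported as `weak-64bit` or `implicit-default` still belongs to the pre-migration state and should be replaced with a newly issued one.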


  • 2018 IPBRICK, S.A. | www.ipbrick.com | info@ipbrick.com

    Avenida da República, nº 755 | 4430-201 Vila Nova de Gaia | PORTUGAL
    TEL. +351 221 207 100 | FAX +351 225 189 722
