Use Certificates for Mobile VPN with IPSec Tunnel Authentication

When you configure Mobile VPN with IPSec, you can configure the tunnel to use a certificate for tunnel authentication instead of a pre-shared key. The certificate, generated by a WatchGuard Management Server, is used to authenticate the tunnel before the client sends the user name and password for user authentication.

To use a certificate for Mobile VPN with IPSec tunnel authentication:

  • The Firebox must be managed by a WatchGuard Management Server.
  • You must use Policy Manager to generate the configuration profile and certificate files to distribute to users.
  • Your mobile users must use the WatchGuard IPSec Mobile VPN client for Windows or OS X.

You cannot use certificates for authentication with the Shrew Soft VPN client.

Configure Mobile VPN with IPSec on the Firebox to use a Certificate

Before you enable Mobile VPN with IPSec to use a certificate for tunnel authentication, you must connect to the Management Server with WatchGuard System Manager at least once to automatically install the Management Server root certificate on your management computer.

In Policy Manager, you can configure a new Mobile VPN with IPSec group to use a certificate, or you can edit an existing tunnel to enable it.

You can also use Fireware Web UI to configure a mobile VPN configuration profile to use certificates, but you must use Policy Manager to generate the files to send to the mobile users.

If you change the tunnel authentication for existing users, you must generate and distribute the new profile and certificate to the mobile users.

Generate the Certificate and End-User Profile

After you configure a mobile VPN with IPSec profile to use a certificate for tunnel authentication, you must use Policy Manager to generate the .wgx configuration profile and certificate file to send to the mobile users.

To generate an end user profile file for a group, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
  2. Select the Mobile VPN group.
  3. Click Generate.
    The Management Server Configuration dialog box appears.

Screen shot of the Management Server Configuration dialog box

  4. In the IP Address text box, type the IP address to connect to your Management Server. The IP address you specify here must be an address that your management computer can use to connect to the Management Server. It might be different from the address in the configuration that the Firebox uses to connect to the Management Server.
  5. In the Passphrase text box, type the passphrase for the admin user account on your Management Server.
  6. Click OK.
    Tip! If you see the error "Could not find your Management Server root certificate.", make sure you have connected to the Management Server at least once from WatchGuard System Manager on this computer. This installs the root certificate. This error can also appear if you type the wrong IP address for your Management Server.
    Policy Manager generates the configuration files and certificate file and shows the location where you can find the generated files.

Use a secure method to distribute the encrypted end-user profile (.wgx file) and the PKCS12 certificate (.p12 file) to mobile users who use the WatchGuard IPSec Mobile VPN client.

Configure the VPN Client

Each user must import the profile and certificate to the IPSec Mobile VPN client. For more information about how to do this, see:

Manage Certificates on the Management Server

You can use the WatchGuard WebCenter tool, CA Manager, to see and manage certificates on the Management Server. The common name of the certificate is the name of the Mobile VPN with IPSec profile.

For more information, see Manage Certificates on the Management Server.
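As an added example (not WatchGuard tooling), a POSIX shell check an administrator can run on a generated .p12 bundle before distributing it: it confirms the bundle opens with its passphrase, carries a private key, has the profile name as its common name (as noted above), and is not about to expire. It assumes the OpenSSL command-line tool is installed; the make_test_p12 helper builds a constructed self-signed bundle for testing only and is not a Management Server certificate.

```shell
#!/bin/sh
# Added example, not WatchGuard's own tooling. Assumes the OpenSSL CLI.
set -eu

# check_p12 FILE PASSPHRASE EXPECTED_CN
# Returns 0 when FILE unpacks with PASSPHRASE, contains a private key,
# its leaf certificate's CN equals EXPECTED_CN and the cert is still
# valid for at least one more day. Non-zero codes tell which check failed.
check_p12() {
  file=$1; pass=$2; expected_cn=$3
  # 1: bundle does not open with this passphrase (or is not a PKCS12 file)
  leaf=$(openssl pkcs12 -in "$file" -nokeys -clcerts -passin "pass:$pass" 2>/dev/null) || return 1
  # 2: no private key inside; the client cannot authenticate the tunnel without it
  openssl pkcs12 -in "$file" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 2
  # 3: common name does not match the Mobile VPN with IPSec profile name
  cn=$(printf '%s\n' "$leaf" \
    | openssl x509 -noout -subject -nameopt sep_multiline,lname 2>/dev/null \
    | sed -n 's/^ *commonName *= *//p')
  [ "$cn" = "$expected_cn" ] || return 3
  # 4: certificate expired, or expires within 86400 s (one day)
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 86400 >/dev/null 2>&1 || return 4
  return 0
}

# make_test_p12 DIR PASSPHRASE CN
# Constructed test fixture: a self-signed key/cert pair exported as a .p12,
# so the check above can be exercised offline. Prints the bundle path.
make_test_p12() {
  dir=$1; pass=$2; cn=$3
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days 30 -subj "/CN=$cn" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/user.p12" -passout "pass:$pass" >/dev/null 2>&1
  printf '%s\n' "$dir/user.p12"
}

# Usage: sh check_p12.sh user.p12 PASSPHRASE PROFILE_NAME
if [ $# -eq 3 ]; then
  check_p12 "$1" "$2" "$3" && echo "OK: $1 matches profile $3" || echo "FAILED (code $?): $1"
fi
```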

See Also

About Certificates
