Certificates for Branch Office VPN (BOVPN) Tunnel Authentication

When a BOVPN tunnel is created, the IPSec protocol checks the identity of each endpoint with either a pre-shared key (PSK) or a certificate imported and stored on the Firebox.

When you add a new BOVPN gateway and select the certificate credential method, you see a list of certificates that include the Extended Key Usage (EKU) identifier known as "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). An EKU identifier specifies the purpose of the certificate. To see a list of available certificates that do not include an EKU identifier, select Show All Certificates. For more information about the EKU identifier, go to RFC 4945.

The Firebox supports the X.509 Certificate - Signature type. The Firebox does not support the X.509 Certificate - Hash and URL type, which sends a hash and URL of the X.509 certificate rather than the certificate itself. If a third-party VPN peer sends an X.509 hash and URL certificate request to the Firebox to start security association (SA) negotiations, the Firebox drops those packets. For more information about X.509 certificates, go to RFC 4945.

In Fireware v12.5 or higher, you can specify an ECDSA certificate in the BOVPN configuration. ECDSA certificates are also known as EC certificates. For more information about EC certificates, go to About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.

In Fireware v12.6.2 or higher, when you select a certificate for authentication, you can specify a root or intermediate CA certificate for VPN peer verification. The Firebox uses the CA certificate to verify the certificate received from the VPN peer. The certificate from the VPN peer must be part of the certificate chain that includes the specified root or intermediate CA certificate. If the peer certificate is not part of the chain, the Firebox rejects Phase 1 tunnel negotiations.

If you use a certificate for authentication, it is important to track when the certificates expire. This helps to avoid disruptions in critical services such as VPN.

Use a Certificate for a BOVPN Tunnel

To use a certificate for BOVPN tunnel authentication, from Fireware Web UI:

  1. Select VPN > Branch Office VPN.
  2. In the Gateways section, click Add to create a new gateway.
    Or, select an existing gateway and click Edit.
  3. Select Use IPSec Firebox Certificate.
    Any certificates on the device that include the Extended Key Usage (EKU) identifier "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2) appear.
  4. To see other available certificates, select Show All Certificates.
    All available certificates appear. This includes certificates that do not have an EKU.
  5. Select the certificate you want to use.
  6. Configure other settings as necessary.
  7. (Fireware v12.6.2 or higher) To specify a root or intermediate CA certificate for peer verification:
    1. Select Add > Advanced. Or, select an existing gateway and select Edit > Advanced.
    2. Select Specify a CA certificate for remote endpoint verification.
    3. From the CA Certificate drop-down list, select a certificate and click OK.
  8. Click Save.

If you use a certificate for BOVPN authentication, from Fireware Web UI:

  • You must first import the certificate.
    For more information, go to Manage Device Certificates (Web UI).
  • The certificate must be recognized as an IPSec-type certificate.
  • Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both endpoints must use DSS, RSA or EC. The algorithm for certificates appears on the Branch Office VPN page in the Gateway list.
  • If you do not have a third-party or self-signed certificate, you must use the certificate authority on a WatchGuard Management Server.
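The checks this page asks for before a certificate is imported (the "IP security IKE intermediate" EKU, OID 1.3.6.1.5.5.8.2.2; the same key algorithm at both gateway endpoints; enough validity left) can be scripted against the certificate files with OpenSSL. The script below is an added example, not WatchGuard tooling; it assumes openssl 1.1.1 or later on PATH, and the three certificates it inspects (fw-a, fw-b, fw-c) are constructed in the script as sample input.

```shell
#!/bin/sh
# Pre-import checks for BOVPN certificates: IKE-intermediate EKU present,
# same key algorithm at both endpoints, and expiry headroom.
# Added example, not WatchGuard tooling. Assumes openssl 1.1.1+ on PATH.
# The certificates fw-a, fw-b and fw-c are constructed here as sample input.
set -e
WORK=$(mktemp -d)
IKE_INTERMEDIATE_DER="06082b06010505080202"   # DER encoding of OID 1.3.6.1.5.5.8.2.2

make_cert() {  # $1 name, $2 ec|rsa, $3 validity days, $4 EKU value ("" = no EKU)
  if [ "$2" = ec ]; then
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$1.key" 2>/dev/null
  else
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  fi
  if [ -n "$4" ]; then
    openssl req -x509 -key "$WORK/$1.key" -subj "/CN=$1" -days "$3" \
      -addext "extendedKeyUsage=$4" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl req -x509 -key "$WORK/$1.key" -subj "/CN=$1" -days "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# "yes" if the DER-encoded certificate carries the IKE-intermediate EKU OID.
# Matched on the raw OID bytes, so the result does not depend on OpenSSL's OID names.
has_ike_eku() {
  if openssl x509 -in "$1" -outform DER | od -An -v -tx1 | tr -d ' \n' \
      | grep -q "$IKE_INTERMEDIATE_DER"; then echo yes; else echo no; fi
}

# Public key algorithm as OpenSSL names it: id-ecPublicKey, rsaEncryption or dsaEncryption.
key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}

# "ok" when both endpoint certificates use the same algorithm family, else "mismatch".
same_algorithm() {
  if [ "$(key_algorithm "$1")" = "$(key_algorithm "$2")" ]; then echo ok; else echo mismatch; fi
}

# "ok" if the certificate is still valid $2 seconds from now, else "expiring".
expiry_status() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then echo ok; else echo expiring; fi
}

make_cert fw-a ec  365 1.3.6.1.5.5.8.2.2   # EC, IKE-intermediate EKU, a year of validity
make_cert fw-b ec  365 1.3.6.1.5.5.8.2.2   # matching peer certificate
make_cert fw-c rsa 10  ""                  # RSA, no EKU, expires in 10 days
for c in fw-a fw-b fw-c; do
  p="$WORK/$c.pem"
  echo "$c: eku=$(has_ike_eku "$p") alg=$(key_algorithm "$p") expiry=$(expiry_status "$p" 2592000)"
done
echo "fw-a/fw-b: $(same_algorithm "$WORK/fw-a.pem" "$WORK/fw-b.pem"), fw-a/fw-c: $(same_algorithm "$WORK/fw-a.pem" "$WORK/fw-c.pem")"
```

A certificate without the EKU is still offered under Show All Certificates; the expiry check uses 30 days (2592000 seconds) of headroom, which you can widen to match your renewal window.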

To use a certificate for BOVPN tunnel authentication, from Policy Manager:

  1. Select VPN > Branch Office Gateways.
  2. Click Add to create a new gateway.
    Or, select an existing gateway and click Edit.
  3. Select Use IPSec Firebox Certificate.
    Any certificates on the device that include the Extended Key Usage (EKU) identifier "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2) appear.
  4. To see other available certificates, select Show All Certificates.
    All available certificates appear. This includes certificates that do not have an EKU.
  5. Select the certificate you want to use.
  6. Configure other settings as necessary.
  7. (Fireware v12.6.2 or higher) To specify a root or intermediate CA certificate for peer verification:
    1. Select Add > Advanced. Or, select an existing gateway and select Edit > Advanced.
    2. Select Specify a CA certificate for remote endpoint verification.
    3. From the CA Certificate drop-down list, select a certificate.
    4. Click OK.
  8. Click OK.

If you use a certificate for BOVPN authentication, from Policy Manager:

  • You must first import the certificate.
    For more information, go to Manage Device Certificates (WSM).
  • The certificate must be recognized as an IPSec-type certificate.
  • Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both endpoints must use DSS, RSA, or EC. The algorithm for certificates appears in the table in the New Gateway dialog box in WatchGuard System Manager, and in the Certificates dialog box in Firebox System Manager.
  • If you do not have a third-party or self-signed certificate, you must use the certificate authority on a WatchGuard Management Server.
    For more information, go to Configure the Certificate Authority on the Management Server.

Verify the Certificate

To verify a certificate, from Fireware Web UI:

  1. Select System > Certificates.
    The Certificates page appears.
  2. In the Type column, verify IPSec or IPSec/Web appears.

To verify a certificate, from Firebox System Manager:

  1. Select View > Certificates.
    The Certificates dialog box appears.
  2. In the Type column, verify IPSec or IPSec/Web appears.

Verify VPN Certificates with an LDAP Server

You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.

To enable LDAP certificate verification, from Fireware Web UI:

  1. Select VPN > Global Settings.
    The Global VPN Settings page appears.

[Screen shot of the VPN Global Settings page]

  2. Select the Enable LDAP server for certificate verification check box.
  3. In the Server text box, type the name or address of the LDAP server.
  4. (Optional) Type the Port number.
  5. Save the configuration.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

To enable LDAP certificate verification, from Policy Manager:

  1. Select VPN > VPN Settings.
    The VPN Settings dialog box opens.

[Screen shot of the VPN Settings dialog box]

  2. Select the Enable LDAP server for certificate verification check box.
  3. In the Server text box, type the name or address of the LDAP server.
  4. (Optional) Type the Port number.
  5. Save the configuration.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

Related Topics

About Certificates

Configure Manual BOVPN Gateways