Certificates for Mobile VPN With IPSec Tunnel Authentication (Web UI)
When a Mobile VPN tunnel is created, the identity of each endpoint must be verified with a key. This key can be a passphrase or pre-shared key (PSK) known by both endpoints, or a certificate from the Management Server. Your Firebox must be a managed device to use a certificate for Mobile VPN authentication. You must use WatchGuard System Manager to configure your Firebox as a managed device.
If you use a certificate for authentication, it is important to track when the certificates expire. This helps to avoid disruptions in critical services such as VPN.
For more information about WatchGuard System Manager, see About WatchGuard System Manager.
To configure a new Mobile VPN with IPSec tunnel to use certificates, from the Web UI:
- Select VPN > Mobile VPN.
In Fireware v12.2.1 or lower, select VPN > Mobile VPN with IPSec and skip Step 2.
- In the IPSec section, click Configure.
- Click Add.
- Select the IPSec Tunnel tab.
- In the IPSec Tunnel section, select Use a certificate.
- In the CA IP Address text box, type the IP address of your Management Server.
- In the Timeout text box, type or select the time in seconds the Mobile VPN with IPSec client waits for a response from the certificate authority before it stops connection attempts. We recommend you keep the default value, which is 25 seconds.
- Complete the Mobile VPN group configuration.
For configuration instructions for Mobile VPN with IPSec, see Configure the Firebox for Mobile VPN with IPSec.
To configure an existing Mobile VPN with IPSec tunnel to use certificates, from the Web UI:
- Select VPN > Mobile VPN with IPSec.
In Fireware v12.2.1 or lower, select VPN > Mobile VPN with IPSec and skip Step 2.
- Click Configure.
- Select the Mobile VPN group you want to change. Click Edit.
- Select the IPSec Tunnel tab.
- In the IPSec Tunnel section, select Use a certificate.
- In the CA IP Address text box, type the IP address of your Management Server.
- In the Timeout text box, type or select the time in seconds the Mobile VPN with IPSec client waits for a response from the certificate authority before it stops connection attempts. We recommend you keep the default value, which is 25 seconds.
- Click Save.
When you use certificates, you must give each Mobile VPN user three files:
- The end-user profile (.wgx)
- The client certificate (.p12)
- The CA root certificate (.pem)
Copy all the files to the same directory. For more information about how to add and configure the .p12 file, see Select a Certificate and Enter the PIN.
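As an added example (not WatchGuard's own documentation or tooling), the POSIX shell script below checks the two certificate files each user receives: it warns when the CA root certificate (.pem) or the client certificate (.p12) is within a chosen number of days of expiry, and confirms that the client certificate was issued under that CA root. It assumes openssl is on PATH and that the .p12 password is provided in the P12_PASS environment variable; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not WatchGuard's documentation or tooling. Checks the CA root
# certificate (.pem) and client certificate (.p12) handed to a Mobile VPN with
# IPSec user. Assumes: openssl is on PATH; the .p12 password is in $P12_PASS.

# Print the certificate held in a .pem or .p12 file as PEM on stdout.
cert_as_pem() {
    case "$1" in
        *.p12|*.pfx) openssl pkcs12 -in "$1" -nokeys -clcerts \
                         -passin "pass:${P12_PASS:-}" 2>/dev/null | openssl x509 2>/dev/null ;;
        *)           openssl x509 -in "$1" 2>/dev/null ;;
    esac
}

# Return 0 if the certificate in FILE expires within DAYS days (or already has),
# 1 if it stays valid for longer, 2 if no certificate could be read.
cert_expires_within() {
    file=$1; days=$2
    pem=$(cert_as_pem "$file") || return 2
    [ -n "$pem" ] || return 2
    # openssl's -checkend returns 0 while the cert is still valid past the window,
    # so its result is inverted here.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Return 0 if the client certificate in P12 was issued under the CA root in CA_PEM.
client_cert_matches_ca() {
    cert_as_pem "$1" | openssl verify -CAfile "$2" >/dev/null 2>&1
}

# Usage: check_vpn_certs ca.pem client.p12 [warn_days]; returns 1 on any finding.
check_vpn_certs() {
    ca=$1; p12=$2; warn=${3:-30}; rc=0
    for f in "$ca" "$p12"; do
        cert_expires_within "$f" "$warn"
        case $? in
            0) echo "WARN: $f expires within $warn days"; rc=1 ;;
            2) echo "ERROR: no certificate could be read from $f"; rc=1 ;;
        esac
    done
    client_cert_matches_ca "$p12" "$ca" || { echo "ERROR: $p12 was not issued by $ca"; rc=1; }
    return $rc
}

if [ "$#" -ge 2 ]; then check_vpn_certs "$@"; fi
```

Run it against the files before they are distributed, and again on a schedule, so that a client or CA certificate that is about to expire is renewed before VPN users lose access.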
For general information about Mobile VPN with IPSec, see Mobile VPN with IPSec.
Verify VPN Certificates with an LDAP Server
You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.
- Select VPN > Global Settings.
The Global VPN Settings page opens.
- Select the Enable LDAP Server for certificate verification check box.
- In the Server text box, type the name or IP address of the LDAP server.
- (Optional) Type or select the Port number.
- Click OK.
Your Firebox checks the certificate revocation list (CRL) stored on the LDAP server when tunnel authentication is requested.