Mobile VPN and Certificates
Applies To: Cloud-managed Fireboxes
In the Mobile VPN with IKEv2 configuration, you must select a certificate. You can select the default certificate signed by the Firebox or a third-party certificate. To use a third-party certificate, you must first add it to the device or to your WatchGuard account.
VPN clients use the certificate to authenticate the VPN server, which is the Firebox. The certificate must include a domain name and IP address identical to the domain name and IP address that VPN clients connect to. If you select a third-party certificate, the domain and IP address information in the certificate controls which domain names and addresses clients can connect to.
The certificate must not be expired. If the certificate is expired, the VPN client will not trust the certificate. Firebox-generated certificates are valid for ten years. If you select a third-party certificate, make sure to keep track of the certificate expiration date to avoid a disruption to VPN connectivity.
Mobile VPN with IKEv2 certificates must include:
- The server host name (DNS=<server FQDN>) or server IP address (IP=<server IP address>) as part of the subjectAltName
- The "serverAuth" Extended Key Usage (EKU) flag
The Firebox supports Elliptic Curve Digital Signature Algorithm certificates for Mobile VPN with IKEv2, which are also known as ECDSA or EC certificates. IKEv2 VPN clients must also support EC certificates. Support varies by operating system:
- Windows 10 — Partial support (ECDSA-256 and ECDSA-384 only)
- Android — Support with strongSwan, which is an open-source client
- macOS and iOS — No support
The Firebox supports only these elliptic curves for Mobile VPN with IKEv2:
- Prime256v1
- Secp384r1
- Secp521r1
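A practical way to confirm a candidate certificate meets the requirements above (subjectAltName entry, serverAuth EKU, not expired, and, for EC keys, one of the three supported curves) before selecting it in the Mobile VPN with IKEv2 configuration is to inspect it with the openssl command line. The script below is an added example and is not WatchGuard's code; it assumes OpenSSL 1.1.1 or later, and the host name vpn.example.com, the address 203.0.113.10 and the file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not WatchGuard's code: check a PEM certificate against the
# Mobile VPN with IKEv2 certificate requirements using the openssl CLI.
# Assumes OpenSSL 1.1.1 or later (needed for -addext in the test-cert helper).
# The host name, IP address and file names are constructed for the example.

# check_ikev2_cert CERT_PEM FQDN IP
# Returns 0 when the certificate meets every requirement, 1 otherwise, and
# prints one FAIL line per unmet requirement.
check_ikev2_cert() {
    cert=$1 fqdn=$2 ip=$3 rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # 1. Expiry: -checkend 0 exits non-zero once the certificate has expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL expired ($(openssl x509 -in "$cert" -noout -enddate))"; rc=1
    fi

    # 2. subjectAltName must list DNS=<FQDN> or IP=<address> as an exact
    #    entry (whole-line match, so vpn.example.com.evil does not pass).
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1 \
          | tr ',' '\n' | sed 's/^[[:space:]]*//')
    if ! printf '%s\n' "$san" | grep -qxF "DNS:$fqdn" \
       && ! printf '%s\n' "$san" | grep -qxF "IP Address:$ip"; then
        echo "FAIL subjectAltName lacks DNS:$fqdn and IP:$ip"; rc=1
    fi

    # 3. Extended Key Usage must include serverAuth.
    eku=$(printf '%s\n' "$text" | grep -A1 'Extended Key Usage' | tail -n 1)
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "FAIL extendedKeyUsage lacks serverAuth"; rc=1 ;;
    esac

    # 4. EC keys must use one of the three curves the Firebox supports;
    #    RSA keys are not subject to this check.
    case "$text" in
        *"id-ecPublicKey"*)
            case "$text" in
                *"ASN1 OID: prime256v1"*|*"ASN1 OID: secp384r1"*|*"ASN1 OID: secp521r1"*) ;;
                *) echo "FAIL EC curve is not prime256v1, secp384r1 or secp521r1"; rc=1 ;;
            esac
            echo "NOTE EC certificate: macOS and iOS IKEv2 clients do not support it" ;;
    esac
    return $rc
}

# make_test_cert OUT_PEM CURVE SAN EKU
# Creates a self-signed EC certificate as constructed test input for the
# checker (not something to deploy). The key is written next to OUT_PEM.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$2" -nodes \
        -keyout "${1%.pem}-key.pem" -out "$1" -days 3650 \
        -subj "/CN=vpn.example.com" \
        -addext "subjectAltName=$3" -addext "extendedKeyUsage=$4" >/dev/null 2>&1
}

# Demo: one certificate that satisfies the requirements and one that fails
# on curve, SAN and EKU at the same time.
work=$(mktemp -d)
make_test_cert "$work/good.pem" prime256v1 "DNS:vpn.example.com,IP:203.0.113.10" serverAuth
make_test_cert "$work/bad.pem"  secp256k1  "DNS:other.example.net" clientAuth
for c in good bad; do
    if check_ikev2_cert "$work/$c.pem" vpn.example.com 203.0.113.10; then
        echo "$c.pem: usable for Mobile VPN with IKEv2"
    else
        echo "$c.pem: NOT usable for Mobile VPN with IKEv2"
    fi
done
```

Run the checker against your own third-party certificate as `check_ikev2_cert server.pem <FQDN> <IP>`, with the FQDN and IP that VPN clients are configured to connect to. The SAN check matches whole entries rather than substrings, and the curve check only fires for EC keys, so an RSA certificate with the right SAN and EKU passes.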