Certificates for Mobile VPN with IPSec Tunnel Authentication

When a Mobile VPN tunnel is created, the identity of each endpoint must be verified. The credential used for verification can be a passphrase or pre-shared key (PSK) known by both endpoints, or a certificate from the Management Server. Your Firebox must be a managed device to use a certificate for Mobile VPN authentication.

From Policy Manager, you can configure a new Mobile VPN with IPSec tunnel to use certificates.

  1. Select VPN > Mobile VPN > IPSec.
    The Mobile VPN with IPSec Configuration dialog box appears.
  2. Click Add.
    The Mobile VPN with IPSec Wizard appears.
  3. Click Next.
  4. Complete the Select a user authentication server page. Click Next.
  5. Select Use an RSA certificate issued by your WatchGuard Management Server.
  6. Type the IP address and administration passphrase of your Management Server.
  7. Finish the wizard.

From Policy Manager, you can configure an existing Mobile VPN tunnel to use certificates for authentication.

  1. Select VPN > Mobile VPN > IPSec.
  2. Select the Mobile VPN tunnel you want to change. Click Edit.
  3. Select the IPSec Tunnel tab.
  4. Select Use a certificate.
  5. Type the IP address of the Management Server or certificate authority (CA). If necessary, adjust the connection timeout.
  6. Click OK.

When you use certificates, you must give each Mobile VPN user three files:

  • The end-user profile (.wgx)
  • The client certificate (.p12)
  • The CA root certificate (.pem)

When a Mobile VPN user opens the .wgx file, the root and client certificates in the cacert.pem and the .p12 files are automatically loaded.

For more information on Mobile VPN with IPSec, see Mobile VPN with IPSec.

For instructions to generate the end-user profile, which also exports the certificate files to distribute to Mobile VPN users, see Generate Mobile VPN with IPSec Configuration Files.

Verify VPN Certificates with an LDAP Server 

You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.

  1. From Policy Manager, select VPN > VPN Settings.
    The VPN Settings dialog box appears.

  2. Select the Enable LDAP server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.
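
To see what a CRL check means for the .p12 and .pem files you distribute, the following added example (not WatchGuard code) uses the openssl command line to build a throwaway CA and client certificate, then shows the same certificate accepted before revocation and rejected once the CRL lists it. It assumes openssl is on the PATH and reads the CRL from a local file instead of an LDAP server; all names, passphrases and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example: every name, passphrase and path here is constructed for the demo.
# Build a throwaway CA, a client cert packaged as .p12, and an empty CRL in dir $1.
make_demo_pki() {
    d=$1; mkdir -p "$d"; : > "$d/index.txt"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = unused
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/index.txt
default_md = sha256
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo VPN CA" -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=mvpn-user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
        -set_serial 4097 -days 30 -out "$d/user.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.pem" \
        -passout pass:demo -out "$d/user.p12"
    publish_crl "$d"
}
# Regenerate the CRL from the CA database (the list a CA would publish to LDAP).
publish_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -crldays 7 -keyfile "$1/ca.key" \
        -cert "$1/cacert.pem" -out "$1/crl.pem" 2>/dev/null
}
# Revoke the demo client certificate, then republish the CRL.
revoke_user() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/user.pem" -keyfile "$1/ca.key" \
        -cert "$1/cacert.pem" 2>/dev/null && publish_crl "$1"
}
# Succeed only if the .p12 client cert chains to the CA root and is not on the CRL.
check_vpn_cert() {  # args: file.p12 passphrase cacert.pem crl.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl verify -crl_check -CAfile "$3" -CRLfile "$4" >/dev/null 2>&1
}

dir=$(mktemp -d) && make_demo_pki "$dir"
check_vpn_cert "$dir/user.p12" demo "$dir/cacert.pem" "$dir/crl.pem" && echo "valid: accepted"
revoke_user "$dir"
check_vpn_cert "$dir/user.p12" demo "$dir/cacert.pem" "$dir/crl.pem" || echo "revoked: rejected"
```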

See Also

About Certificates

Configure the Certificate Authority on the Management Server
