
Certificates for Mobile VPN with L2TP Tunnel Authentication

When a Mobile VPN with L2TP tunnel is created, the identity of each endpoint must be verified with a key. This key can be a passphrase or pre-shared key (PSK) known by both endpoints, a third-party or self-signed certificate, or a certificate from the Management Server.

To use a certificate for Mobile VPN with L2TP authentication:

  • You must first import the certificate.
  • The certificate must be recognized as an IPSec-type certificate.
  • The server certificate must have the server host name (DNS=<server FQDN>) or server IP address (IP=<server IP address>) as part of the subjectAltName.
  • Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both endpoints must use either DSS or RSA.
  • If you do not have a third-party or self-signed certificate, you must use the Certificate Authority on your WSM Management Server. Your Firebox must be managed by your Management Server to use the Management Server CA certificate for Mobile VPN authentication. For more information, see Configure the Certificate Authority on the Management Server.

If the Management Server CA certificate you import does not include the correct host name or IP address, your Firebox might not be able to connect to some L2TP IPSec clients (for example, Mac OS X clients). WatchGuard recommends that you create a new certificate with the correct host name or IP address to use for L2TP IPSec connections.
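As an added example (not WatchGuard's code), the following Python script uses the third-party cryptography package to build a throwaway self-signed RSA certificate and then checks the two requirements above, an RSA key and a subjectAltName that carries the server FQDN (DNS=) or IP address (IP=), before the certificate is imported. The names vpn.example.com and 203.0.113.10 are placeholders.

```python
import datetime
import ipaddress
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


# Constructed for this example: a self-signed RSA certificate carrying the
# server FQDN (DNS=) and IP (IP=) in subjectAltName, as required above.
def make_test_cert(fqdn, ip):
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    san = x509.SubjectAlternativeName(
        [x509.DNSName(fqdn), x509.IPAddress(ipaddress.ip_address(ip))]
    )
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(san, critical=False)
        .sign(key, hashes.SHA256())
    )


def check_l2tp_server_cert(cert, fqdn=None, ip=None):
    """Return the reasons this certificate fails the requirements above;
    an empty list means it passes both checks."""
    problems = []
    # The L2TP wizard lists RSA certificates only, and both endpoints must
    # use the same algorithm.
    if not isinstance(cert.public_key(), rsa.RSAPublicKey):
        problems.append("public key is not RSA")
    try:
        san = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        problems.append("no subjectAltName extension")
        return problems
    dns_names = san.get_values_for_type(x509.DNSName)
    ip_addrs = [str(a) for a in san.get_values_for_type(x509.IPAddress)]
    # Some clients (Mac OS X, per the note above) reject the tunnel unless
    # the name or address they connect to appears in the SAN.
    if not (fqdn in dns_names or ip in ip_addrs):
        problems.append(f"subjectAltName {dns_names + ip_addrs} has neither "
                        f"DNS={fqdn} nor IP={ip}")
    return problems
```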

To configure a new Mobile VPN with L2TP tunnel to use certificates, from Policy Manager:

  1. Select VPN > Mobile VPN > L2TP > Activate.
    The Mobile VPN with L2TP Setup Wizard appears.
  2. For instructions to complete the wizard, see Use the WatchGuard L2TP Setup Wizard.
  3. On the Select the tunnel authentication method page, select Use IPSec Certificate and select an RSA certificate from the list.
  4. Finish the wizard.

To configure an existing Mobile VPN with L2TP tunnel to use certificates for authentication, from Policy Manager:

  1. Select VPN > Mobile VPN > L2TP > Configure.
    The Mobile VPN with L2TP Configuration dialog box appears.
  2. Select the IPSec tab.
  3. Select Use IPSec certificate and select an RSA certificate from the list.
  4. Click OK.

To configure a new Mobile VPN with L2TP tunnel to use certificates, from Fireware Web UI:

  1. Select VPN > Mobile VPN with L2TP.
    The Mobile VPN with L2TP page appears.
  2. Click Run Wizard.
    The WatchGuard L2TP Setup Wizard appears.
  3. For instructions to complete the wizard, see Use the WatchGuard L2TP Setup Wizard.
  4. On the Select the tunnel authentication method page, select Use IPSec Firebox Certificate and select an RSA certificate from the list.
  5. Finish the wizard.

To change an existing Mobile VPN tunnel to use certificates for authentication, from Fireware Web UI:

  1. Select VPN > Mobile VPN with L2TP.
  2. Click Configure.
  3. Select the IPSec tab.
  4. Select Use IPSec Firebox Certificate and select an RSA certificate from the list.
  5. Click Save.

For more information on Mobile VPN with L2TP, see Mobile VPN with L2TP.

Verify VPN Certificates with an LDAP Server 

You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.

To verify VPN certificates with an LDAP server, from Fireware Web UI:

  1. Select VPN > Global Settings.
    The Global VPN Settings page appears.
  2. Select the Enable LDAP Server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

To verify VPN certificates with an LDAP server, from Policy Manager:

  1. From Policy Manager, select VPN > VPN Settings.
    The VPN Settings dialog box appears.
  2. Select the Enable LDAP Server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

See Also

About Certificates

Use the WatchGuard L2TP Setup Wizard

Configure the Certificate Authority on the Management Server
