Contents

Related Topics

Use Certificates for Mobile VPN with IPSec Tunnel Authentication

When you configure Mobile VPN with IPSec, you can configure the tunnel to use a certificate for tunnel authentication instead of a pre-shared key. The certificate, generated by a WatchGuard Management Server, is used to authenticate the tunnel before the client sends the user name and password for user authentication.

To use a certificate for Mobile VPN with IPSec tunnel authentication:

  • The Firebox must be managed by a WatchGuard Management Server.
  • You must use Policy Manager to generate the configuration profile and certificate files to distribute to users
  • Your mobile users must use the WatchGuard IPSec Mobile VPN client for Windows or OS X

You cannot use certificates for authentication with the Shrew Soft VPN client or the WatchGuard Mobile VPN apps for Android or iOS.

Configure Mobile VPN with IPSec on the Firebox to use a Certificate

Before you enable Mobile VPN with IPSec to use a certificate for tunnel authentication, you must connect to the Management Server with WatchGuard System Manager at least once to automatically install the Management Server root certificate on your management computer.

In Policy Manager, you can configure a new Mobile VPN with IPSec group to use a certificate, or you can edit an existing tunnel to enable it.

You can also use Fireware Web UI to configure a mobile VPN configuration profile to use certificates, but you must use Policy Manager to generate the files to send to the mobile users.

If you change the tunnel authentication for existing users, you must generate and distribute the new profile and certificate to the mobile users.

Generate the Certificate and End-User Profile

After you configure a mobile VPN with IPSec profile to use a certificate for tunnel authentication, you must use Policy Manager to generate the .wgx configuration profile and certificate file to send to the mobile users.

To generate an end user profile file for a group, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
  2. Select the Mobile VPN group.
  3. Click Generate.
    The Management Server Configuration dialog box appears.

Screen shot of the Management Server Configuration dialog box

  1. In the IP Address text box, type the IP address to connect to your Management Server. The IP address you specify here must be an address that your management computer can use to connect to the Management Server. It might be different from the address in the configuration that the Firebox uses to connect to the Management Server.
  2. In the Passphrase text box, type the passphrase for the admin user account on your Management Server.
  3. Click OK. Tip!If you see the error "Could not find your Management Server root certificate." make sure you have connected to the Management Server at least once from WatchGuard System Manager on this computer. This installs the root certificate. This error can also appear if you type the wrong IP address for your Management Server.
    Policy Manager generates the configuration files and certificate file and shows the location where you can find the generated files..

Use a secure method to distribute the encrypted end-user profile (.wgx file) and the PKCS12 certificate (.p12 file) to mobile users who use the WatchGuard IPSec Mobile VPN client.

Configure the VPN Client

Each user must import the profile and certificate to the IPSec Mobile VPN client. For more information about how to do this, see:

Manage Certificates on the Management Server

You can use the WatchGuard WebCenter tool, CA Manager to see and manage certificates on the management server. The common name of the certificate is the name of the Mobile VPN with IPSec profile.

For more information, see Manage Certificates on the Management Server.

See Also

About Certificates

Give Us Feedback     Get Support     All Product Documentation     Technical Search