Contents

Certificates for Branch Office VPN (BOVPN) Tunnel Authentication

When a BOVPN tunnel is created, the IPSec protocol checks the identity of each endpoint with either a pre-shared key (PSK) or a certificate imported and stored on the Firebox.

When you add a new BOVPN gateway and select the certificate credential method, you see a list of certificates that include the Extended Key Usage (EKU) identifier known as "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). An EKU identifier specifies the purpose of the certificate.

To see a list of available certificates that do not include an EKU identifier, select Show All Certificates. For more information about VPN certificates, see RFC 4945.

In Fireware v12.5 or higher, you can specify an ECDSA certificate in the BOVPN configuration. ECDSA certificates are also known as EC certificates. For more information about EC certificates, see About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.

Use a Certificate for a BOVPN Tunnel

To use a certificate for BOVPN tunnel authentication, from Fireware Web UI:

  1. Select VPN > Branch Office VPN.
  2. In the Gateways section, click Add to create a new gateway.
    Or, select an existing gateway and click Edit.
  3. Select Use IPSec Firebox Certificate.
    Any certificates on the device that include the Extended Key Usage (EKU) identifier "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2) appear.
  4. To see other available certificates, select Show All Certificates.
    All available certificates appear. This includes certificates that do not have an EKU.
  5. Select the certificate you want to use.
  6. Set other parameters as necessary.
  7. Click Save.

If you use a certificate for BOVPN authentication, from Fireware Web UI:

  • For more information, see Manage Device Certificates (Web UI).
  • The certificate must be recognized as an IPSec-type certificate.
  • Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both endpoints must use DSS, RSA or EC. The algorithm for certificates appears on the Branch Office VPN page in the Gateway list .
  • If you do not have a third-party or self-signed certificate, you must use the certificate authority on a WatchGuard Management Server.

To use a certificate for BOVPN tunnel authentication, from Policy Manager:

  1. Select VPN > Branch Office Gateways.
  2. Click Add to create a new gateway.
    Or, select an existing gateway and click Edit.
  3. Select Use IPSec Firebox Certificate.
    Any certificates on the device that include the Extended Key Usage (EKU) identifier "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2) appear.
  4. To see other available certificates, select Show All Certificates.
    All available certificates appear. This includes certificates that do not have an EKU.
  5. Select the certificate you want to use.
  6. Set other parameters as necessary.
  7. Click OK.

If you use a certificate for BOVPN authentication, from Policy Manager:

  • You must first import the certificate.
    For more information, see Manage Device Certificates (WSM).
  • The certificate must be recognized as an IPSec-type certificate.
  • Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both endpoints must use DSS, RSA, or EC. The algorithm for certificates appears in the table in the New Gateway dialog box in WatchGuard System Manager, and in the Certificates dialog box in Firebox System Manager.
  • If you do not have a third-party or self-signed certificate, you must use the certificate authority on a WatchGuard Management Server.
    For more information, see Configure the Certificate Authority on the Management Server.

Verify the Certificate

To verify a certificate, from Fireware Web UI:

  1. Select System > Certificates.
    The Certificates page appears.
  2. In the Type column, verify IPSec or IPSec/Web appears.

To verify a certificate, from Fireware System Manager:

  1. Select View > Certificates.
    The Certificates dialog box appears.
  2. In the Type column, verify IPSec or IPSec/Web appears.

Verify VPN Certificates with an LDAP Server

You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.

To verify a certificate, from Fireware Web UI:

  1. Select VPN > Global Settings.
    The Global VPN Settings page appears.

Screen shot of the VPN Global Settings page

  1. Select the Enable LDAP server for certificate verification check box.
  2. In the Server text box, type the name or address of the LDAP server.
  3. (Optional) Type the Port number.
  4. Save the configuration.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

To verify a certificate, from Policy Manager:

  1. Select VPN > VPN Settings.
    The VPN Settings dialog box appears.

Screen shot of the VPN Settings dialog box

  1. Select the Enable LDAP server for certificate verification check box.
  2. In the Server text box, type the name or address of the LDAP server.
  3. (Optional) Type the Port number.
  4. Save the configuration.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

See Also

About Certificates

Configure Manual BOVPN Gateways

Give Us Feedback  ●   Get Support  ●   All Product Documentation  ●   Technical Search