Certificates for Mobile VPN with IPSec Tunnel Authentication (WSM)

When a Mobile VPN tunnel is created, the identity of each endpoint must be verified. The credential used for this is either a shared secret, a passphrase or pre-shared key (PSK) known by both endpoints, or a certificate issued by the WatchGuard Management Server. Your Firebox must be a managed device to use a certificate for Mobile VPN authentication.

If you use certificates for authentication, track when the CA root certificate and each client certificate expire. Tunnel authentication fails once either certificate has expired, so monitoring expiry dates helps you avoid disruptions in critical services such as VPN.

To configure a new Mobile VPN with IPSec tunnel to use certificates, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
    The Mobile VPN with IPSec Configuration dialog box appears.
  2. Click Add.
    The Mobile VPN with IPSec Wizard appears.
  3. Click Next.
  4. Complete the Select a user authentication server page. Click Next.
  5. Select Use an RSA certificate issued by your WatchGuard Management Server.
  6. Type the IP address and administration passphrase of your Management Server.
  7. Finish the wizard.

To configure an existing Mobile VPN with IPSec tunnel to use certificates, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
  2. Select the Mobile VPN tunnel you want to change. Click Edit.
  3. Select the IPSec Tunnel tab.
  4. Select Use a certificate.
  5. Type the IP address of the Management Server or certificate authority (CA). If necessary, adjust the connection timeout.
  6. Click OK.

When you use certificates, you must give each Mobile VPN user three files:

  • The end-user profile (.wgx)
  • The client certificate (.p12)
  • The CA root certificate (.pem)

For more information about how to add and configure the .p12 file, go to Select a Certificate and Enter the PIN.

For more information on Mobile VPN with IPSec, go to Mobile VPN with IPSec.

For instructions to generate the end-user profile, which also exports the certificate files to distribute to Mobile VPN users, see Generate Mobile VPN with IPSec Configuration Files.

Verify VPN Certificates with an LDAP Server 

If you have access to an LDAP server that publishes certificate revocation lists (CRLs), you can use it to automatically verify the certificates used for VPN authentication. To use this feature, you must have the LDAP account information provided by the third-party CA service.

  1. From Policy Manager, select VPN > VPN Settings.
    The VPN Settings dialog box opens.

Screen shot of the VPN Settings dialog box

  2. Select the Enable LDAP server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
    When tunnel authentication is requested, your Firebox checks the certificate revocation list (CRL) stored on the LDAP server and rejects revoked certificates.

Related Topics

About Certificates

Configure the Certificate Authority on the Management Server