When a Mobile VPN with IKEv2 tunnel is created, the identity of each endpoint must be verified with a certificate. Firebox certificates and third-party certificates are supported.
If you use a certificate for authentication, it is important to track when the certificates expire. This helps to avoid disruptions in critical services such as VPN.
Certificates for Mobile VPN with IKEv2 authentication must have the server host name (DNS=<server FQDN>) or server IP address (IP=<server IP address>) as part of the subjectAltName.
The certificate can include the Extended Key Usage (EKU) flags "serverAuth" and "IP Security IKE Intermediate" (OID 1.3.6.1.5.5.8.2.2). This is optional.
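The following script is an added example, not WatchGuard's code or part of the original page. It builds a self-signed EC test certificate carrying the subjectAltName (DNS and IP) and the two optional EKU values described above, then runs a checker that reports whether an arbitrary certificate meets the subjectAltName requirement, which EKUs it carries, and how many days remain before it expires, so the expiry tracking recommended above can be scripted. It assumes the third-party `cryptography` package is installed; the host name `vpn.example.com` and the addresses `203.0.113.10` and `198.51.100.1` are constructed sample values.

```python
# Added example, not WatchGuard's code. Builds a test EC certificate with the
# subjectAltName and EKU values a Mobile VPN with IKEv2 server certificate uses,
# then checks any certificate for those values and for approaching expiry.
# Assumes the third-party 'cryptography' package; names/addresses are constructed.
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# "IP Security IKE Intermediate" EKU, OID 1.3.6.1.5.5.8.2.2
IKE_INTERMEDIATE = x509.ObjectIdentifier("1.3.6.1.5.5.8.2.2")


def make_test_cert(fqdn, ip, days_valid=365, with_san=True):
    """Self-signed ECDSA (P-256) certificate for exercising the checker.

    with_san=False deliberately omits subjectAltName so the failure path
    can be demonstrated.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days_valid))
        # Both EKUs are optional for the Firebox; included here for completeness.
        .add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH, IKE_INTERMEDIATE]),
            critical=False,
        )
    )
    if with_san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName(
                [x509.DNSName(fqdn), x509.IPAddress(ipaddress.ip_address(ip))]
            ),
            critical=False,
        )
    return builder.sign(key, hashes.SHA256())


def _not_after_utc(cert):
    # cryptography >= 42 offers a tz-aware accessor; older versions return naive UTC.
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    return not_after


def check_ikev2_cert(cert, expected_fqdn=None, expected_ip=None, warn_days=30):
    """Return a report dict with subjectAltName/EKU findings and days until expiry."""
    problems = []

    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        san = None
        problems.append("no subjectAltName extension")

    dns_names, ip_addrs = [], []
    if san is not None:
        dns_names = san.get_values_for_type(x509.DNSName)
        ip_addrs = [str(a) for a in san.get_values_for_type(x509.IPAddress)]
        if not dns_names and not ip_addrs:
            problems.append("subjectAltName carries neither a DNS nor an IP entry")
        if expected_fqdn and expected_fqdn not in dns_names:
            problems.append(f"expected DNS={expected_fqdn} not in subjectAltName")
        if expected_ip and expected_ip not in ip_addrs:
            problems.append(f"expected IP={expected_ip} not in subjectAltName")

    # EKU is optional: record what is present without failing the check.
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        eku_oids = [oid.dotted_string for oid in eku]
    except x509.ExtensionNotFound:
        eku_oids = []

    now = datetime.datetime.now(datetime.timezone.utc)
    days_left = (_not_after_utc(cert) - now).days
    if days_left < 0:
        problems.append("certificate has expired")

    return {
        "ok": not problems,
        "problems": problems,
        "dns_names": dns_names,
        "ip_addrs": ip_addrs,
        "eku": eku_oids,
        "days_left": days_left,
        "expiring_soon": 0 <= days_left < warn_days,
    }


if __name__ == "__main__":
    cert = make_test_cert("vpn.example.com", "203.0.113.10", days_valid=20)
    report = check_ikev2_cert(cert, expected_fqdn="vpn.example.com",
                              expected_ip="203.0.113.10")
    for key, value in report.items():
        print(f"{key}: {value}")
```

To check a certificate exported from the Firebox or issued by a third-party CA, load it with `x509.load_pem_x509_certificate()` and pass the result to `check_ikev2_cert` with the FQDN or IP address that clients will be configured to connect to; scheduling that check and alerting on `expiring_soon` is the simplest way to avoid the VPN outage an expired certificate causes.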
In Fireware v12.5 or higher, the Firebox supports EC certificates for Mobile VPN with IKEv2. Your IKEv2 client must also support EC certificates. Support varies by operating system. For more information about EC certificates, see About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.
If you run the setup wizard for Mobile VPN with IKEv2, the Firebox certificate type is automatically specified for your Mobile VPN with IKEv2 configuration.
To edit the Mobile VPN with IKEv2 certificate, see Edit the Mobile VPN with IKEv2 Configuration.