Use Certificates for Mobile VPN with IPSec Tunnel Authentication

When you configure Mobile VPN with IPSec, you can configure the tunnel to use a certificate for tunnel authentication instead of a pre-shared key. The certificate, generated by a WatchGuard Management Server, is used to authenticate the tunnel before the client sends the user name and password for user authentication.

The IPSec certificate generated by the WatchGuard Management Server is valid for one year. When the Firebox requires a new IPSec certificate, it will automatically notify the Management Server to renew the certificate. You do not need to manually renew the certificate when you see expiry warnings. If you still want to manually renew the certificate, you can generate a new certificate from the CA manager on the Management Server. For more information, see Manage Certificates on the Management Server.

To use a certificate for Mobile VPN with IPSec tunnel authentication:

  • The Firebox must be managed by a WatchGuard Management Server.
  • You must use Policy Manager to generate the configuration profile and certificate files to distribute to users.
  • Your mobile users must use the WatchGuard IPSec Mobile VPN client for Windows or macOS.

Configure Mobile VPN with IPSec on the Firebox to use a Certificate

Before you enable Mobile VPN with IPSec to use a certificate for tunnel authentication, you must connect to the Management Server with WatchGuard System Manager at least once to automatically install the Management Server root certificate on your management computer.

In Policy Manager, you can configure a new Mobile VPN with IPSec group to use a certificate, or you can edit an existing tunnel to enable it.

You can also use Fireware Web UI to configure a mobile VPN configuration profile to use certificates, but you must use Policy Manager to generate the files to send to the mobile users.

If you change the tunnel authentication for existing users, you must generate and distribute the new profile and certificate to the mobile users.

Generate the Certificate and End-User Profile

After you configure a mobile VPN with IPSec profile to use a certificate for tunnel authentication, you must use Policy Manager to generate the .wgx configuration profile and certificate file to send to the mobile users.

To generate an end user profile file for a group, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
  2. Select the Mobile VPN group.
  3. Click Generate.
    The Management Server Configuration dialog box appears.

Screen shot of the Management Server Configuration dialog box

  4. In the IP Address text box, type the IP address to connect to your Management Server. The IP address you specify here must be an address that your management computer can use to connect to the Management Server. It might be different from the address in the configuration that the Firebox uses to connect to the Management Server.
  5. In the Passphrase text box, type the passphrase for the admin user account on your Management Server.
  6. Click OK.
    Policy Manager generates the configuration files and certificate file and shows the location where you can find the generated files.

Use a secure method to distribute the encrypted end-user profile (.wgx file) and the PKCS12 certificate (.p12 file) to mobile users who use the WatchGuard IPSec Mobile VPN client.

Configure the VPN Client

Each user must import the profile and certificate to the IPSec Mobile VPN client. For more information about how to do this, see:

Manage Certificates on the Management Server

You can use CA Manager, a WatchGuard WebCenter tool, to view and manage certificates on the Management Server. The common name of the certificate is the name of the Mobile VPN with IPSec profile.

For more information, see Manage Certificates on the Management Server.
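Before you distribute the .p12 file to mobile users, it is worth confirming that it opens with the passphrase you will hand out, that its common name is the Mobile VPN with IPSec profile name, and that it is not close to the end of its one-year validity. The script below is an added example and is not WatchGuard code; it assumes the openssl command-line tool is installed, and make_sample_p12 builds a constructed self-signed stand-in for the Management Server certificate with a hypothetical profile name.

```shell
#!/bin/sh
# Pre-distribution check for a Mobile VPN with IPSec client certificate (.p12).
# Added example, not WatchGuard code. Assumes the openssl CLI is installed.
# Checks that the bundle opens with the passphrase to be handed out, that the
# certificate common name is the Mobile VPN profile name, and that the
# one-year certificate still has at least MIN_DAYS of validity left.

# check_p12 FILE PASSPHRASE EXPECTED_CN [MIN_DAYS]  -> returns 0 if all checks pass
check_p12() {
  p12="$1"; pass="$2"; expected_cn="$3"; min_days="${4:-30}"
  # Extract only the client certificate (no private key) from the PKCS#12 file.
  cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null) || {
    echo "FAIL: cannot open $p12 (wrong passphrase or corrupt file)" >&2; return 1; }
  cn=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253 |
       sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$expected_cn" ] || {
    echo "FAIL: CN '$cn' does not match profile name '$expected_cn'" >&2; return 2; }
  # -checkend N exits 0 only if the certificate is still valid N seconds from now.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend $((min_days * 86400)) >/dev/null || {
    echo "FAIL: certificate expires within $min_days days" >&2; return 3; }
  echo "OK: CN=$cn, $(printf '%s\n' "$cert" | openssl x509 -noout -enddate)"
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# Management Server's one-year IPSec certificate (hypothetical profile name).
# make_sample_p12 DIR PROFILE_NAME DAYS -> writes DIR/PROFILE_NAME.p12, passphrase "demo"
make_sample_p12() {
  dir="$1"; cn="$2"; days="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days "$days" -subj "/CN=$cn" 2>/dev/null
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/$cn.p12" -passout pass:demo 2>/dev/null
}

# Demonstration run: a fresh one-year certificate passes with a 30-day margin
# but is rejected when 400 days of remaining validity are demanded.
tmp=$(mktemp -d)
make_sample_p12 "$tmp" Sales-VPN 365
check_p12 "$tmp/Sales-VPN.p12" demo Sales-VPN 30
check_p12 "$tmp/Sales-VPN.p12" demo Sales-VPN 400 || echo "(rejected as expected, status $?)"
rm -rf "$tmp"
```

Passing the passphrase as a `pass:` argument exposes it in the process list; for anything beyond a one-off check, use one of openssl's other `-passin` sources such as an environment variable or file.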

See Also

About Certificates