Certificates for Mobile VPN with L2TP Tunnel Authentication

When a Mobile VPN with L2TP tunnel is created, the identity of each endpoint must be verified with a key. This key can be a passphrase or pre-shared key (PSK) known by both endpoints, a third-party certificate or self-signed certificate, or a certificate from the Management Server.

To use a certificate for Mobile VPN with L2TP authentication:

  • You must first import the certificate.
  • The server certificate must have the server host name (DNS=<server FQDN>) or server IP address (IP=<server IP address>) as part of the subjectAltName.
  • Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both endpoints must use either DSS or RSA.
  • If you do not have a third-party or self-signed certificate, you must use the Certificate Authority on your WSM Management Server. Your Firebox must be managed by your Management Server to use the Management Server CA certificate for Mobile VPN authentication. For more information, go to Configure the Certificate Authority on the Management Server.

If you use a certificate for authentication, it is important to track when the certificates expire. This helps to avoid disruptions in critical services such as VPN.

You can select a certificate with or without an Extended Key Usage (EKU) identifier for IPSec. An EKU identifier specifies the purpose of the certificate. When you select Use IPSec Firebox Certificate, you see a list of certificates that have an IPSec EKU. To see a list of available certificates that do not have an EKU identifier, select Show All Certificates.

If the Management Server CA certificate you import does not include the correct host name or IP address, your Firebox might not be able to connect to some L2TP IPSec clients (for example, macOS clients). We recommend that you create a new certificate with the correct host name or IP address to use for L2TP IPSec connections.
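The requirements above (subjectAltName, key algorithm, expiry, EKU) can be checked with OpenSSL before you import a certificate. This is an added example, not WatchGuard code. The host name vpn.example.com, the address 203.0.113.10, the function names, the day thresholds, and the treatment of any OpenSSL EKU label that contains "IPSec" as an IPSec EKU are assumptions.

```shell
#!/bin/sh
# Added example: pre-import checks for an L2TP/IPSec server certificate.

# check_l2tp_cert <cert.pem> <server FQDN or IP> <minimum days left>
# Returns 0 only if the SAN, key algorithm and expiry checks all pass.
check_l2tp_cert() {
    cert=$1; want=$2; days=$3; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # SAN entries print as "DNS:x, IP Address:y"; compare whole entries so
    # that a substring of a longer name does not count as a match.
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' |
          tr ',' '\n' | sed 's/^ *//; s/ *$//')
    if printf '%s\n' "$san" | grep -qixF -e "DNS:$want" -e "IP Address:$want"
    then echo "PASS subjectAltName contains $want"
    else echo "FAIL subjectAltName lacks $want"; rc=1
    fi

    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p')
    case $alg in
        rsaEncryption) echo "PASS key algorithm is $alg" ;;
        *) echo "FAIL key algorithm is $alg; the steps select RSA"; rc=1 ;;
    esac

    # -checkend exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
    then echo "PASS more than $days days of validity left"
    else echo "FAIL expires within $days days"; rc=1
    fi

    # Informational only. Assumption: an EKU whose OpenSSL label contains
    # "IPSec" is what the certificate list filters on.
    eku=$(printf '%s\n' "$text" | sed -n '/Extended Key Usage/{n;p;}')
    case $eku in
        *[Ii][Pp][Ss][Ee][Cc]*) echo "INFO IPSec EKU present" ;;
        *) echo "INFO no IPSec EKU; listed only with Show All Certificates" ;;
    esac
    return $rc
}

# Constructed sample: 30-day self-signed RSA certificate with both SAN forms.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=vpn.example.com' \
        -addext 'subjectAltName=DNS:vpn.example.com,IP:203.0.113.10' \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample_cert "$tmp/sample.pem" &&
    check_l2tp_cert "$tmp/sample.pem" vpn.example.com 14; rm -rf "$tmp"
```

The SAN comparison is exact and does not expand wildcard entries. Run the same check against the certificate at the other gateway endpoint to confirm that both use the same key algorithm.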

To use a certificate for a new Mobile VPN with L2TP tunnel, from Fireware Web UI:

  1. Select VPN > Mobile VPN.
    The Mobile VPN page opens.
  2. Click Launch Wizard.
    The WatchGuard L2TP Setup Wizard opens.
  3. For instructions to complete the wizard, go to Use the WatchGuard L2TP Setup Wizard.
  4. On the Select the tunnel authentication method page, select Use IPSec Firebox Certificate and select an RSA certificate from the list. If you do not see your certificate, select the Show All Certificates check box.
  5. Finish the wizard.

To change an existing Mobile VPN tunnel to use certificates for authentication, from Fireware Web UI:

  1. Select VPN > Mobile VPN.
    The Mobile VPN page opens.
  2. In the L2TP section, click Configure.
  3. Select the IPSec tab.
  4. Select Use IPSec Firebox Certificate and select an RSA certificate from the list. If you do not see your certificate, select the Show All Certificates check box.
  5. Click Save.

To configure a new Mobile VPN with L2TP tunnel to use certificates, from Policy Manager:

  1. Select VPN > Mobile VPN > L2TP > Activate.
    The Mobile VPN with L2TP Setup Wizard opens.
  2. For instructions to complete the wizard, go to Use the WatchGuard L2TP Setup Wizard.
  3. On the Select the tunnel authentication method page, select Use IPSec Certificate and select an RSA certificate from the list. If you do not see your certificate, select the Show All Certificates check box.
  4. Finish the wizard.

To configure an existing Mobile VPN with L2TP tunnel to use certificates for authentication, from Policy Manager:

  1. Select VPN > Mobile VPN > L2TP > Configure.
    The Mobile VPN with L2TP Configuration dialog box opens.
  2. Select the IPSec tab.
  3. Select Use IPSec certificate and select an RSA certificate from the list. If you do not see your certificate, select the Show All Certificates check box.
  4. Click OK.

For more information on Mobile VPN with L2TP, go to Mobile VPN with L2TP.

Verify VPN Certificates with an LDAP Server 

You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.

To verify VPN certificates with an LDAP server, from Fireware Web UI:

  1. Select VPN > Global Settings.
    The Global VPN Settings page opens.

  2. Select the Enable LDAP Server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

To verify VPN certificates with an LDAP server, from Policy Manager:

  1. From Policy Manager, select VPN > VPN Settings.
    The VPN Settings dialog box opens.

  2. Select the Enable LDAP Server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
    Your Firebox checks the CRL stored on the LDAP server when tunnel authentication is requested.

Related Topics

About Certificates

Use the WatchGuard L2TP Setup Wizard

Configure the Certificate Authority on the Management Server