Certificates for Branch Office VPN (BOVPN) Tunnel Authentication
When a BOVPN tunnel is created, the IPSec protocol checks the identity of each endpoint with either a pre-shared key (PSK) or a certificate imported and stored on the XTM device.
The certificates used for the devices at both ends of the tunnel must include the Extended Key Usage (EKU) identifier “IP security IKE intermediate” (OID 1.3.6.1.5.5.8.2.2). CSRs created by Firebox System Manager include this in the request by default.
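As an added example (not WatchGuard's code), the following standard-library Python decodes the DER value of a certificate's Extended Key Usage extension and reports whether it carries the IKE intermediate OID (1.3.6.1.5.5.8.2.2) that this page requires. It assumes the extension value has already been extracted from the certificate (for example with `openssl asn1parse`); the sample byte strings are constructed for illustration.

```python
# Minimal DER walker for ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER.
# Input is the inner value of the extKeyUsage extension (id-ce 2.5.29.37),
# not a whole certificate. Pure standard library, no external packages.
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"   # "IP security IKE intermediate" EKU

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]  # first byte packs two arcs
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)         # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_oids(ext_value):
    """List every OID in an extKeyUsage extension value."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("extKeyUsage value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU SEQUENCE")
        oids.append(decode_oid(content))
    return oids

def usable_for_bovpn(ext_value):
    """True when the EKU includes IP security IKE intermediate."""
    return IKE_INTERMEDIATE in eku_oids(ext_value)

# Constructed sample: SEQUENCE { serverAuth, IKE intermediate } -> acceptable
SAMPLE_OK = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505080202")
# Constructed sample: SEQUENCE { serverAuth } only -> would be rejected
SAMPLE_BAD = bytes.fromhex("300a" "06082b06010505070301")

if __name__ == "__main__":
    print(eku_oids(SAMPLE_OK), usable_for_bovpn(SAMPLE_OK))
    print(eku_oids(SAMPLE_BAD), usable_for_bovpn(SAMPLE_BAD))
```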
To use a certificate for BOVPN tunnel authentication:
- Select VPN > Branch Office VPN.
In the Gateways section, click Add to create a new gateway, or select an existing gateway and click Edit.
- Select Use IPSec Firebox Certificate.
- Select the certificate you want to use.
- Set other parameters as necessary.
If you use a certificate for BOVPN authentication:
- You must first import the certificate.
For more information, see Manage XTM Device Certificates.
- The certificate must be recognized as an IPSec-type certificate.
- Make sure certificates for the devices at each gateway endpoint use the same algorithm. Both endpoints must use either DSS or RSA. The algorithm for certificates appears on the Branch Office VPN page in the Gateway list.
- If you do not have a third-party or self-signed certificate, you must use the certificate authority on a WatchGuard Management Server.
Verify the Certificate
- Select System > Certificates.
The Certificates page appears.
- In the Type column, verify IPSec or IPSec/Web appears.
Verify VPN Certificates with an LDAP Server
You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.
- Select VPN > Global Settings.
The Global VPN Settings page appears.
- Select the Enable LDAP server for certificate verification check box.
- In the Server text box, type the name or address of the LDAP server.
- (Optional) Type the Port number.
Your XTM device checks the CRL stored on the LDAP server when tunnel authentication is requested.