Certificates for Branch Office VPN (BOVPN) Tunnel Authentication

When a BOVPN tunnel is created, IKE (the key-exchange protocol used by IPSec) authenticates each endpoint with either a pre-shared key (PSK) or a certificate imported and stored on the XTM device.

The certificates used for the devices at both ends of the tunnel must include the Extended Key Usage (EKU) identifier "IP security IKE intermediate" (OID 1.3.6.1.5.5.8.2.2). CSRs created by Firebox System Manager include this EKU in the request by default; if you generate the CSR with another tool before you submit it to a third-party CA, make sure the request includes it, or the issued certificate cannot be used for tunnel authentication.
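To see exactly what the requirement above means on the wire, the following added example (not code from the WatchGuard documentation) builds a DER-encoded Extended Key Usage value from dotted OIDs, decodes it again, and checks whether the IKE intermediate purpose is present. The OID values are the ones named on this page; the function names and the constructed sample values are this example's own, and it uses only the Python standard library.

```python
# Added example, not from the WatchGuard documentation: build and inspect the
# DER-encoded Extended Key Usage (EKU) value a BOVPN certificate must carry.
# The OIDs come from the page; function names are this example's own.

IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # "IP security IKE intermediate"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"       # id-kp-serverAuth, shown for contrast


def encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    out = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(out)]) + out


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])         # low 7 bits, continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))   # higher groups carry the 0x80 bit
            arc >>= 7
        body.extend(reversed(chunk))            # most significant group first
    return b"\x06" + encode_len(len(body)) + bytes(body)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId (RFC 5280)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + encode_len(len(body)) + body


def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted OID from the content bytes of an OBJECT IDENTIFIER."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                        # last group of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """List of dotted KeyPurposeId OIDs from a DER EKU extension value."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(content))
    return oids


def usable_for_bovpn(eku_der):
    """True when the EKU value includes the IKE intermediate purpose."""
    return IKE_INTERMEDIATE in decode_eku(eku_der)


if __name__ == "__main__":
    good = encode_eku([SERVER_AUTH, IKE_INTERMEDIATE])   # constructed sample
    bad = encode_eku([SERVER_AUTH])                      # typical web-server cert
    print(good.hex(), usable_for_bovpn(good))            # True
    print(bad.hex(), usable_for_bovpn(bad))              # False
```

With OpenSSL, the same check on an issued PEM certificate is `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` (OpenSSL 1.1.1 or later), and a CSR generated outside Firebox System Manager can request the purpose with `openssl req ... -addext "extendedKeyUsage=1.3.6.1.5.5.8.2.2"`; both are standard OpenSSL options, not something described on this page.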

To use a certificate for BOVPN tunnel authentication:

  1. Select VPN > Branch Office VPN.
  2. In the Gateways section, click Add to create a new gateway.
    Or, select an existing gateway and click Edit.
  3. Select Use IPSec Firebox Certificate.
  4. Select the certificate you want to use.
  5. Set other parameters as necessary.
  6. Click Save.

If you use a certificate for BOVPN authentication, first verify that the certificate is installed on the XTM device with a type that allows IPSec use.

Verify the Certificate

  1. Select System > Certificates.
    The Certificates page appears.
  2. In the Type column, verify that IPSec or IPSec/Web appears for the certificate you selected.

Verify VPN Certificates with an LDAP Server

You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. To use this feature, you must have the LDAP server information provided by the third-party CA service that issued the certificates.

  1. Select VPN > Global Settings.
    The Global VPN Settings page appears.

Screen shot of the VPN Global Settings page

  2. Select the Enable LDAP server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) In the Port text box, type the port number.
  5. Click Save.
    Your XTM device checks the CRL stored on the LDAP server when tunnel authentication is requested.

See Also

About Certificates

Configure Gateways
