Certificates for Mobile VPN With IPSec Tunnel Authentication

When a Mobile VPN tunnel is created, the identity of each endpoint must be verified with a key. This key can be a passphrase or pre-shared key (PSK) known by both endpoints, or a certificate from the Management Server. Your XTM device must be a managed device to use a certificate for Mobile VPN authentication. You must use WatchGuard System Manager to configure your XTM device as a managed device.

For more information, see the WatchGuard System Manager Help.

To use certificates for a new Mobile VPN with IPSec tunnel:

  1. Select VPN > Mobile VPN with IPSec.
  2. Click Add.
  3. Select the IPSec Tunnel tab.
  4. In the IPSec Tunnel section, select Use a certificate.
  5. In the CA IP Address text box, type the IP address of your Management Server.
  6. In the Timeout text box, type or select the time in seconds the Mobile VPN with IPSec client waits for a response from the certificate authority before it stops connection attempts. We recommend you keep the default value.
  7. Complete the Mobile VPN group configuration.

For more information, see Configure the XTM Device for Mobile VPN with IPSec.

To change an existing Mobile VPN tunnel to use certificates for authentication:

  1. Select VPN > Mobile VPN with IPSec.
  2. Select the Mobile VPN group you want to change. Click Edit.
  3. Select the IPSec Tunnel tab.
  4. In the IPSec Tunnel section, select Use a certificate.
  5. In the CA IP Address text box, type the IP address of your Management Server.
  6. In the Timeout text box, type or select the time in seconds the Mobile VPN with IPSec client waits for a response from the certificate authority before it stops connection attempts. We recommend you keep the default value.
  7. Click Save.

When you use certificates, you must give each Mobile VPN user three files:

  1. The .wgx configuration file.
  2. The cacert.pem file, which contains the root certificate.
  3. The .p12 file, which contains the client certificate.

Copy all of the files to the same directory. When a Mobile VPN user imports the .wgx file, the root and client certificates in the cacert.pem and the .p12 files are automatically loaded.

For more information on Mobile VPN with IPSec, see About Mobile VPN with IPSec.

Verify VPN Certificates with an LDAP Server

You can use an LDAP server to automatically verify certificates used for VPN authentication if you have access to the server. You must have LDAP account information provided by a third-party CA service to use this feature.

  1. Select VPN > Global Settings.
     The Global VPN Settings page appears.

[Screen shot of the Global VPN Settings page]

  2. Select the Enable LDAP Server for certificate verification check box.
  3. In the Server text box, type the name or IP address of the LDAP server.
  4. (Optional) Type or select the Port number.
  5. Click OK.
     Your XTM device checks the CRL stored on the LDAP server when tunnel authentication is requested.
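The two checks the device performs at tunnel authentication (the client certificate in the user's .p12 chains to the root in cacert.pem, and its serial is not on the CA's CRL) can be reproduced offline before the three files are distributed. The script below is an added example, not WatchGuard's code: it builds a throwaway CA, client certificate, .p12 bundle and CRL with openssl, then verifies the client certificate with an empty CRL and again after revoking it. The CA, the user name and the .p12 password "changeit" are constructed for the demo; only the file names mirror the page.

```shell
#!/bin/sh
# Added example, not WatchGuard's code. It builds a throwaway CA, a client
# certificate, the client .p12 bundle and a CRL with openssl, then runs the
# two checks the XTM device applies at tunnel authentication: does the
# client certificate chain to cacert.pem, and is it absent from the CRL.
# File names mirror the page; the CA, the user and the .p12 password
# "changeit" are constructed for this demo only.
set -eu
WORK=$(mktemp -d)
CA="openssl ca -batch -config ca.cnf -keyfile ca.key -cert cacert.pem"

build_pki() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out cacert.pem \
    -subj "/CN=Demo Management Server CA" -days 30 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=mobile-user" 2>/dev/null
  openssl x509 -req -in client.csr -CA cacert.pem -CAkey ca.key \
    -CAcreateserial -out client.pem -days 30 2>/dev/null
  # The .p12 handed to the Mobile VPN user: client certificate plus key
  openssl pkcs12 -export -in client.pem -inkey client.key -out client.p12 \
    -passout pass:changeit
  # Minimal 'openssl ca' config, just what CRL issuing and revocation need
  printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = index.txt\n' > ca.cnf
  printf 'crlnumber = crlnumber\ndefault_md = sha256\ndefault_crl_days = 30\n' >> ca.cnf
  : > index.txt
  echo 01 > crlnumber
  $CA -gencrl -out crl.pem 2>/dev/null          # empty CRL: nothing revoked
}

# Pull the client certificate out of the .p12 and verify it against
# cacert.pem and the given CRL; the exit status is openssl's verdict.
check_client() {
  cd "$WORK"
  openssl pkcs12 -in client.p12 -passin pass:changeit -clcerts -nokeys \
    -out from_p12.pem 2>/dev/null
  openssl verify -CAfile cacert.pem -CRLfile "$1" -crl_check from_p12.pem
}

revoke_client() {
  cd "$WORK"
  $CA -revoke client.pem 2>/dev/null
  $CA -gencrl -out crl_revoked.pem 2>/dev/null  # CRL now lists the client
}

build_pki
check_client crl.pem                 # prints: from_p12.pem: OK
revoke_client
check_client crl_revoked.pem 2>/dev/null || echo "rejected: client certificate is on the CRL"
```

The same `openssl verify -crl_check` run against a CRL fetched from the LDAP server tells you, before users report failed tunnels, whether a given client certificate will be accepted.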

See Also

About Certificates
