Watchguard IKEv2 Certificates

From RoseWiki

Watchguard Fireboxes offer several VPN protocols for their Mobile VPN service. With IKEv2, a problem can arise if you rely on the self-signed certificates the Firebox generates automatically: the Firebox signs that certificate with an internal CA certificate, and when configuring a client machine you install a certificate bundle exported from the Firebox. For pretty reasonable security reasons, this internal CA certificate cannot be moved from one Firebox to another, so when you upgrade the hardware you must redo every VPN configuration, because the root CA installed on each client machine no longer matches. This is hugely inconvenient. The solution is to use a certificate signed by a third-party CA, either a public CA such as Sectigo or one you host in-house.

You can use a Windows CA server, but that requires another license. The other option is an open-source CA such as step-ca.

Step CA Configuration

Step CA Host Certificate Length

Step CA was originally designed for automatically re-issuing certificates for internal web services, so the default certificate lifetime is 24 hours. If you want the certificates you sign to last longer, you first need to edit Step's configuration.

The relevant keys in /root/.step/configs/ca.json (only the start of the "authority" section is shown; 175200h is roughly 20 years):

"authority": {
    "claims": {
        "maxTLSCertDuration": "175200h"
    },
    "provisioners": [

Note that ca.json is plain JSON, so a comment such as "~20 years" cannot be placed in the file itself. This claim only raises the ceiling: a certificate requested without an explicit --not-after still receives defaultTLSCertDuration (24h unless you change that claim as well).
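As an added example (not from the wiki page or from the step-ca project), the script below patches the claims in a ca.json safely, parses the Go-style duration strings step-ca expects, and checks whether a requested lifetime fits under the configured maximum. It assumes the "authority" / "claims" layout shown above; the sample ca.json is constructed here, with the provisioners list left empty.

```python
"""Patch step-ca lifetime claims in ca.json and sanity-check certificate lifetimes.

Added example; not part of the wiki page or of step-ca. Assumes the ca.json layout
shown above ("authority" -> "claims") and a constructed minimal config.
"""
import json
import re

# Go-style duration units as step-ca parses them; hours are the largest unit,
# so "20y" or "365d" are rejected and 20 years must be written as 175200h.
_UNITS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text):
    """Return the seconds in a Go duration string such as '175200h' or '1h30m'.

    Raises ValueError on anything step-ca itself would reject ('20y', '175200').
    """
    pos = 0
    total = 0.0
    for match in _TOKEN.finditer(text):
        if match.start() != pos:  # gap or junk between tokens
            raise ValueError("bad duration: %r" % text)
        total += float(match.group(1)) * _UNITS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(text):
        raise ValueError("bad duration: %r" % text)
    return total


def set_cert_lifetime(ca_json_text, max_duration, default_duration=None):
    """Return ca.json text with maxTLSCertDuration (and optionally defaultTLSCertDuration) set.

    ca.json is real JSON, so json.loads rejects '#' comments; that is the first
    check this performs. Durations are validated before being written.
    """
    config = json.loads(ca_json_text)
    claims = config.setdefault("authority", {}).setdefault("claims", {})
    parse_duration(max_duration)  # fail early on a value step-ca would refuse
    claims["maxTLSCertDuration"] = max_duration
    if default_duration is not None:
        if parse_duration(default_duration) > parse_duration(max_duration):
            raise ValueError("defaultTLSCertDuration exceeds maxTLSCertDuration")
        claims["defaultTLSCertDuration"] = default_duration
    return json.dumps(config, indent=4)


def lifetime_allowed(ca_json_text, requested):
    """True if a request with --not-after=<requested> fits under the configured maximum.

    Without an explicit --not-after a request gets defaultTLSCertDuration
    (24h unless changed), not the maximum; step-ca's built-in max is also 24h.
    """
    claims = json.loads(ca_json_text)["authority"].get("claims", {})
    maximum = parse_duration(claims.get("maxTLSCertDuration", "24h"))
    return parse_duration(requested) <= maximum


# Constructed minimal ca.json; a real file carries many more keys.
SAMPLE_CA_JSON = json.dumps({"authority": {"claims": {}, "provisioners": []}})

if __name__ == "__main__":
    patched = set_cert_lifetime(SAMPLE_CA_JSON, "175200h", "8760h")
    print(patched)
    print("20-year request allowed:", lifetime_allowed(patched, "175200h"))
    print("21-year request allowed:", lifetime_allowed(patched, "183960h"))
```

Run it against a copy of your ca.json rather than the live file, then restart step-ca so the new claims take effect.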

Firebox Certificates

The IKEv2 certificate authenticates based on two things: trust and SAN matching.

Trust

The benefit of using a third-party certificate server is that the only thing you have to install on the client machines is the root CA, not the Firebox's own certificate. As long as the same CA signs any certificate assigned to the Firebox, trust is maintained and the client will authenticate it. You can therefore swap out the physical hardware as many times as you like and change the hostname or IP of the machine, and as long as the rest of the certificate matches and it is signed by the same root CA, no action (other than updating the endpoint address) has to be taken on the clients.

SAN matching

Once certificate trust is established, the next thing to consider is the Subject Alternative Names (SANs) on the Firebox's certificate. In OpenSSL syntax the SAN is set as follows:

subjectAltName=DNS:hostname.domainname.com,IP:203.0.113.2
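As an added example (not from the wiki page or from WatchGuard), the following parses that OpenSSL-style SAN line and checks whether the endpoint address a client is configured with is covered by it. It applies the usual RFC 6125-style rules: DNS names compare case-insensitively with a single leftmost wildcard label allowed, and an IP endpoint only matches an IP entry, never a DNS entry, which is why the address clients actually connect to must appear in the SAN. The endpoints tried at the bottom are constructed.

```python
"""Check whether a VPN endpoint address is covered by a certificate's subjectAltName.

Added example; not from the wiki page or from WatchGuard. Assumes the OpenSSL-style
SAN line shown above and the constructed endpoints below.
"""
import ipaddress


def parse_san(line):
    """Split 'subjectAltName=DNS:a.example.com,IP:203.0.113.2' into (dns_names, ips)."""
    prefix = "subjectAltName="
    if line.startswith(prefix):
        line = line[len(prefix):]
    dns_names, ips = [], []
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind.upper() == "DNS":
            dns_names.append(value.strip().lower())
        elif kind.upper() == "IP":
            ips.append(ipaddress.ip_address(value.strip()))
        else:
            raise ValueError("unsupported SAN type: %r" % kind)
    return dns_names, ips


def _dns_match(pattern, host):
    """RFC 6125-style match: exact name, or a single leftmost '*' label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domainname.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def endpoint_matches(san_line, endpoint):
    """True if the endpoint the client is configured with is covered by the SAN.

    An IP endpoint is compared only against IP entries, so a client that
    connects to 203.0.113.2 needs that address in the SAN even if the DNS
    name resolves to it; likewise a hostname never matches an IP entry.
    """
    dns_names, ips = parse_san(san_line)
    try:
        addr = ipaddress.ip_address(endpoint.strip())
    except ValueError:  # not an IP literal, so treat it as a hostname
        host = endpoint.strip().lower().rstrip(".")
        return any(_dns_match(name, host) for name in dns_names)
    return addr in ips


# The SAN from the page, plus constructed endpoints a client might be configured with.
FIREBOX_SAN = "subjectAltName=DNS:hostname.domainname.com,IP:203.0.113.2"

if __name__ == "__main__":
    for ep in ("hostname.domainname.com", "HOSTNAME.domainname.com", "203.0.113.2",
               "203.0.113.3", "other.domainname.com"):
        print("%-28s %s" % (ep, "ok" if endpoint_matches(FIREBOX_SAN, ep) else "NO MATCH"))
```

If you replace the Firebox or move it to a new address, run the new endpoint through this check before re-issuing the certificate; a mismatch here is exactly what the clients will reject.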