MUVPN - Silent migration to different Firebox

Hello,
We have an IKEv2 MUVPN and want to redirect users to a different Firebox without changing the client side configuration. In other words, we have two Fireboxes on our network - one that is set up as the active MUVPN connection point, and another that is not but we want to make it the active MUVPN connection point. This should be pretty simple, but I have a question about the MUVPN cert on the Fireboxes. Do I need to use the SAME certificate on both Fireboxes, or just two certificates with the same FQDN (Subject Name)?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @blabarbera
    The certificate will generally be the self-signed certificate on each Firebox. You'll need to distribute the new VPN profile to the machines that need to use it so they get that new cert.

    The only chance that you wouldn't need to touch the client PCs is if you happen to be using your own certificate (as in you imported both the public and private key for the IPSEC cert onto both firewalls) and you used a FQDN for the Mobile VPN endpoint (meaning you could change what IP the FQDN points at in your DNS.)

    If the mobile VPN profile is using a self-signed certificate and/or an IP address, you'll need to deploy a new profile to the machines.

    -James Carson
    WatchGuard Customer Support

  • edited March 11

    @james.carson Sorry, I should have explained my question better.

    In the past, I've minted a 3rd party cert in IIS, exported the PK and imported the cert/PK on two different firewalls. My connection uses a FQDN, so no IPs to complicate things. That approach works fine.

    What I'm asking is, if I'm using a FQDN, does it HAVE to be the SAME cert, or can I just mint two different certs with the same FQDN? It's a third party cert, so the root CAs are updated automatically on the client machines and technically there are no certs to distribute.

  • james.carson Moderator, WatchGuard Representative

    @blabarbera The connection will fail if the certs are not identical. The only way that I've seen this work is if the same exact cert is used on both firewalls.

    -James Carson
    WatchGuard Customer Support
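The distinction the answer above turns on is between "the same subject name" and "the same certificate". The check below is an added example, not code from the thread or from WatchGuard: it mints a self-signed certificate for a placeholder FQDN (standing in for the IIS-issued third-party cert), copies that one file to two "Firebox" paths, then separately mints a second cert for the same FQDN, and compares each pair by SHA-256 fingerprint of the DER encoding. The FQDN `vpn.example.com`, the file names and the temporary directory are all constructed for the demo; the technique is what a practitioner can run against the PEM files exported from each Firebox before cutting over DNS.

```shell
#!/bin/sh
# Added example (not from the thread): two certs minted for the same FQDN are
# distinct objects with different fingerprints; one cert copied to both
# Fireboxes matches. All names and paths below are constructed placeholders.
set -e

WORK="$(mktemp -d)"
VPN_FQDN="vpn.example.com"   # placeholder Mobile VPN endpoint name

# Mint a self-signed cert for the FQDN (stands in for the IIS/3rd-party cert).
# $1 = output cert path, $2 = output private key path
mint_cert() {
    openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$2" -out "$1" -days 1 -subj "/CN=$VPN_FQDN" >/dev/null 2>&1
}

# Subject line as printed by openssl (the FQDN lives in CN here).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# SHA-256 fingerprint over the DER encoding: this identifies *this* certificate,
# not merely its name. Output is the hex string after the '='.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only when both files hold byte-identical certificates.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Succeeds when the subject names match, regardless of which cert it is.
same_subject() {
    [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ]
}

# Scenario 1: one cert, exported once with its key, imported on Firebox A and B.
mint_cert "$WORK/shared.pem" "$WORK/shared.key"
cp "$WORK/shared.pem" "$WORK/fireboxA.pem"
cp "$WORK/shared.pem" "$WORK/fireboxB.pem"

# Scenario 2: a second cert minted separately for the same FQDN on Firebox B.
mint_cert "$WORK/fireboxB_fresh.pem" "$WORK/fireboxB_fresh.key"

# Human-readable verdict for a pair of cert files.
report() {
    if same_cert "$1" "$2"; then
        echo "$1 vs $2: identical certificate (fingerprints match)"
    elif same_subject "$1" "$2"; then
        echo "$1 vs $2: same subject, DIFFERENT certificate (fingerprints differ)"
    else
        echo "$1 vs $2: different subject and different certificate"
    fi
}

report "$WORK/fireboxA.pem" "$WORK/fireboxB.pem"
report "$WORK/fireboxA.pem" "$WORK/fireboxB_fresh.pem"
```

To use this against real Fireboxes, replace the minted files with the certificate exported from each device and compare only the certificate (the private key never needs to leave the device for this check); a fingerprint mismatch with a matching subject is exactly the "two certs with the same FQDN" case the answer says will fail.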

  • @james.carson Got it. Thank you.
