Mobile VPN with SSL - request client certificate before password
I've set up "Mobile VPN with SSL" on an M270. The users authenticate by password only. I want the Mobile client to have to present a valid client certificate to the firewall before the connection to the Firebox is even established (on the SSL level). It reduces the attack surface greatly. Is it possible on a Firebox?
Comments
Hi @Luke_Nat, there are a few open feature requests for this, but I would suggest this one best matches FBX-17280 (which is the ability to use 3rd party certs for SSLVPN/data encryption.)
If you'd like to do this, I'd suggest looking into the IKEv2 VPN.
See:
https://www.watchguard.com/help/docs/help-center/en-US/content/en-US/Fireware/certificates/authentication_mvpn_ikev2.html
-James Carson
WatchGuard Customer Support
I went to the guide you mention for IKEv2 and following links, but did not find how to configure a client cert request.
I have set up IKEv2 Mobile VPN, selected Firebox-Generated Certificate in the Security tab, but my Windows 11 VPN client does not have any certificate and can connect with password only.
Hi @Luke_Nat, IKEv2 only uses the cert for verification -- if you're looking for prior the feature request should include that.
-James Carson
WatchGuard Customer Support