SSLVPN client 12.10 vs 12.11 & CA cert
Hi, I upgraded the firebox to firmware version 12.11 from 12.10, a couple of weeks ago.
All endpoints are running the 12.10 VPN client.
On my test machine to trial the 12.11 client (including SAML auth, which works great), I get a certificate mismatch warning on the first run. If I install the certificate but cancel the connection, on the next run I get a different warning that the certificate name does not match the name of the site.
I don't recall having had to make any changes to the Firebox certs previously, so I'm a little unsure of the next steps.
This official WG video runs through the steps to add a cert with valid SAN names. https://youtube.com/watch?v=tDoC9_O2mUw
- If I do this will this disconnect existing VPN sessions?
- If I do this will it affect the VPN clients still running 12.10?
I'm happy enough to distribute the updated certificate when I roll out the upgrade to 12.11. I'll package it up into an intunewin and deploy via Intune. I already include an OpenVPN & a WatchGuard cert this way.
I'm just a bit worried that modifying the CA cert will affect anyone using the older VPN client.
Additionally we have a couple of users using the IKEv2 method; will this be affected if the cert is updated?
Comments
Hi @RobClarke
Make sure that the primary and backup addresses are what you're typing into your VPN client. That's where the profile and cert data is derived from. If you put an IP in that field and type in a FQDN, you might get a cert name mismatch.
IKEv2 will simply fail to connect if the cert is not correct, as it uses that in part for authentication.
If you want to change the cert for IKEv2, please check the help article here to ensure that your cert has the correct EKU flags set:
(Certificates for Mobile VPN with IKEv2 Tunnel Authentication)
https://www.watchguard.com/help/docs/help-center/en-US/content/en-US/Fireware/certificates/authentication_mvpn_ikev2.html
-James Carson
WatchGuard Customer Support
Hi @james.carson thanks for the reply.
I just need to clarify this a little further.
With regard to the VPN client 12.10: after the Firebox upgrade to 12.11 there have not been any certificate warnings or name mismatch prompts. I've also checked a couple of machines and they do not contain an older version of the Fireware CA cert in any of the machine or user based certificate stores.
From my testing on VPN client 12.11, it prompts regarding the newly created CA cert from the Firebox. This is date stamped the same day as the 12.11 upgrade.
It's almost as if the 12.10 client didn't rely on or require the CA cert, but the 12.11 client does.
Is this correct?
Hi @RobClarke
Accepting the certificate is actually a Windows system dialogue. If the cert has been accepted/trusted previously, you won't see it pop up again, even if the client is uninstalled and reinstalled, as it is installed into the Windows system cert store.
If the cert changes somehow, you may be prompted to accept it again.
The dialogue boxes are handled by Windows and will follow whatever schema might have been enforced (by group policy, for example). If the certificate CSR was created by the Windows domain (via the AD member that has the cert manager), your clients may already trust the cert.
-James Carson
WatchGuard Customer Support
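The two support replies above boil down to three checks an admin can run on an endpoint before rolling the 12.11 client out: does the name typed into the client appear in the SAN of the cert the Firebox presents, does that cert carry the Extended Key Usage values IKEv2 clients look for, and is the issuing CA already present in the Windows certificate stores (which is what decides whether the Windows accept dialogue appears). The script below is an added example written for this thread, not code from the original posts or from WatchGuard. It assumes the SSL VPN listens on 443 and uses the placeholder name vpn.example.com; both are parameters you would replace. The "Server Authentication" (1.3.6.1.5.5.7.3.1) and "IP security IKE intermediate" (1.3.6.1.5.5.8.2.2) OIDs are the usual IKEv2 EKUs; compare the printed list against the WatchGuard IKEv2 certificate article linked in the first reply rather than treating these two as the authoritative set.

```powershell
# Added example (not from the thread): inspect the certificate a Firebox presents
# on its SSL VPN port from a Windows endpoint and report the things the support
# replies above say matter: SAN vs. the name typed into the client, EKU flags
# for IKEv2, and whether the issuer is already trusted in the Windows stores.
# $VpnHost and $Port are placeholders/assumptions; set them to your own values.
param(
    [string]$VpnHost = 'vpn.example.com',   # exactly what users type into the VPN client
    [int]$Port = 443                        # SSL VPN port on the Firebox (default assumed)
)

# Open a TLS session and grab the server certificate. The validation callback
# returns $true on purpose: we want to see the cert even if it is untrusted.
$tcp = New-Object System.Net.Sockets.TcpClient($VpnHost, $Port)
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($VpnHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) -> $($cert.NotAfter)"

# 1. Subject Alternative Name (OID 2.5.29.17), rendered as text such as
#    "DNS Name=vpn.example.com". An IP typed into the client must appear here
#    as an IP Address entry, a FQDN as a DNS Name entry.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($true) } else { '<no SAN extension>' }
"SAN     :`n$sanText"
if ($sanText -match [regex]::Escape($VpnHost)) {
    "OK  : '$VpnHost' is listed in the SAN; no name-mismatch warning expected"
} else {
    "WARN: '$VpnHost' is not in the SAN; expect the 'name does not match' prompt"
}

# 2. Extended Key Usage (OID 2.5.29.37). IKEv2 clients use the cert for
#    authentication and check these; SSL VPN clients do not fail on them.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku) {
    "EKU     :"
    foreach ($u in $eku.EnhancedKeyUsages) { "  $($u.FriendlyName) ($($u.Value))" }
    $hasServerAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
    if (-not $hasServerAuth) { "WARN: no Server Authentication EKU; IKEv2 clients will likely refuse it" }
} else {
    "EKU     : <none>"
}

# 3. Is the issuing CA already in a Windows trust store? If it is, the Windows
#    accept dialogue the second reply describes should not appear for this client.
$trusted = $false
foreach ($store in 'Root', 'CA') {
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        $s = New-Object System.Security.Cryptography.X509Certificates.X509Store($store, $loc)
        $s.Open('ReadOnly')
        if ($s.Certificates | Where-Object { $_.Subject -eq $cert.Issuer }) {
            "Issuer found in $loc\$store"
            $trusted = $true
        }
        $s.Close()
    }
}
if (-not $trusted) { "Issuer not found in any Root/CA store; expect the certificate prompt" }

# 4. Let the Windows chain engine decide, which is what the client ultimately sees.
#    Revocation checking is skipped so the result reflects trust, not CRL reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($cert)) {
    "Chain   : valid"
} else {
    "Chain   : " + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
```

Run it once against the current Firebox cert and again after importing the new one to confirm the SAN covers every name or IP users actually type, and run it on a machine that has received the Intune-deployed cert to confirm the issuer shows up under LocalMachine\Root before the 12.11 client goes out. The name check is a plain substring match on the rendered SAN text; it is a quick sanity check, not a replacement for the chain build in the last step.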