Windows 7???
"Support for Windows 7 ended on January 14, 2020. If you are still using Windows 7, your PC may become more vulnerable to security risks."
Here is where I made the mistake:
7. Select Show physical stores.
8. Select Trusted Root Certification Authorities.
9. Select Local Computer.
There is no "Local Computer" even with "Show physical stores" is checked. I got around that by getting into mmc.exe and adding Certificate store Snap-in. I can see "Local Computer" with the workaround.
Once rootca.crt gets imported to Local Computer, IKEv2 successfully connects.
@WCS said:
Thanks
I have another question
Can vpn user change the password I have made it ?
That depends upon where you set account. If you are pulling from Windows domain accounts and you let your domain users change their own passwords, then yes, they can change the SSLVPN password because it's using their domain account credentials. If they are Firebox-DB users, then no.
Gregg - how does this work from the SSLVPN client?
How would one access something to change the password?
The SSLVPN user is not really authenticated to the domain as a domain user logon to a domain PC would be, is it?
It doesn't work from the SSLVPN client, it works from the connecting device IF it is joined to the domain, as are some laptops. "If you are pulling from Windows domain accounts" means if the SSLVPN-Users are pulled from Active Directory.
If the SSLVPN-Users are pulled via RADIUS or if one uses AuthPoint to sync users from LDAP, AND if the remote device, say a laptop, is domain-joined, then yes, they could change their domain password unless there is a domain policy to prevent domain users from changing their own passwords. Once a domain-joined laptop connects to the SSLVPN, it is no different than a LAN computer. Again, if the SSLVPN-Users are local Firebox-DB users, then no, they would not be able to change their passwords.
Answers
Windows 7???
"Support for Windows 7 ended on January 14, 2020. If you are still using Windows 7, your PC may become more vulnerable to security risks."
Why not use the Shrew soft IPSec VPN client?
If this is for IKEv2, review the "To manually add a new VPN connection in Windows 7" section:
Configure Windows Devices for Mobile VPN with IKEv2
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_windows_client.html
Did you import Firebox certificate into Windows 7?
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_windows_client.html
Here is where I made the mistake:
7. Select Show physical stores.
8. Select Trusted Root Certification Authorities.
9. Select Local Computer.
There is no "Local Computer" even with "Show physical stores" is checked. I got around that by getting into mmc.exe and adding Certificate store Snap-in. I can see "Local Computer" with the workaround.
Once rootca.crt gets imported to Local Computer, IKEv2 successfully connects.
Thanks
I have another question
Can vpn user change the password I have made it ?
No. The password changes need to be make by an admin for whatever authentication server you have selected.
That depends upon where you set account. If you are pulling from Windows domain accounts and you let your domain users change their own passwords, then yes, they can change the SSLVPN password because it's using their domain account credentials. If they are Firebox-DB users, then no.
Gregg Hill
Gregg - how does this work from the SSLVPN client?
How would one access something to change the password?
The SSLVPN user is not really authenticated to the domain as a domain user logon to a domain PC would be, is it?
Bruce,
It doesn't work from the SSLVPN client, it works from the connecting device IF it is joined to the domain, as are some laptops. "If you are pulling from Windows domain accounts" means if the SSLVPN-Users are pulled from Active Directory.
If the SSLVPN-Users are pulled via RADIUS or if one uses AuthPoint to sync users from LDAP, AND if the remote device, say a laptop, is domain-joined, then yes, they could change their domain password unless there is a domain policy to prevent domain users from changing their own passwords. Once a domain-joined laptop connects to the SSLVPN, it is no different than a LAN computer. Again, if the SSLVPN-Users are local Firebox-DB users, then no, they would not be able to change their passwords.
Gregg Hill
Thank you for everyone