IPsec Site-to-Site VPN Example with Certificate Authentication

Using certificates to authenticate VPN tunnel peers is much stronger than using a simple Pre-Shared Key: each peer proves possession of its own private key, and the other side accepts it only if the certificate chains to the trusted CA. There is no single shared secret that both ends must store and that a compromise of either end would expose.

To utilize certificate authentication, first create a PKI structure. This can be performed in the GUI using the Certificate Manager feature.

First, designate one firewall to hold the CA/Certificate structure. For this document, it will be called Firewall A. The other firewall will be Firewall B.

On Firewall A:

  • Create a Certificate Authority (CA).
  • Create a Certificate for Firewall A. Set the Common Name to the hostname of Firewall A, and add an Alternative Names entry with a Type of IP Address and the Value set to the IP address of the WAN interface on Firewall A.
  • Create a Certificate for Firewall B. Set the Common Name to the hostname of Firewall B, and add an Alternative Names entry with a Type of IP Address and the Value set to the IP address of the WAN interface on Firewall B. The IP Address entry is what lets the peer match the identifier presented during IKE (the WAN address, as in the Pre-Shared Key example) against the certificate.
  • Export the CA Certificate, and the Firewall B certificate and key. Export only the CA certificate, not the CA private key: Firewall B needs the CA certificate to validate Firewall A, but it must never hold the key that can issue new certificates. The exported Firewall B private key is sensitive; move it over a secure channel and delete any copies left on workstations afterwards.

On Firewall B:

  • Import the CA Certificate and the Firewall B certificate and key.

On both firewalls:

  • Configure the IPsec tunnel as described in IPsec Site-to-Site VPN Example with Pre-Shared Keys, with the following exceptions:
    • Set Authentication method to Mutual Certificate
    • Select the certificate for this firewall for My Certificate
    • Select the certificate authority created above for My Certificate Authority
  • Click Save
  • Click Apply Changes
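The same PKI built with the openssl command line instead of the Certificate Manager, as an added example that is not part of the pfSense documentation. It creates the CA and both firewall certificates with the hostname as Common Name and the WAN address as a SAN, then runs the two checks a peer performs at IKE time: that the certificate chains to the selected CA, and which identity it carries. It goes one step beyond the GUI procedure by also generating a self-signed impostor certificate that copies Firewall B's name and SAN, to show that matching names alone are not enough without the CA chain. The hostnames, addresses (RFC 5737 ranges), file names and the PKI_DIR variable are assumptions; the script needs only a standard openssl binary (1.1.1 or newer).

```shell
#!/bin/sh
# Added example, not from the pfSense documentation: build the CA and the two
# firewall certificates with the openssl CLI, then run the two checks a peer
# performs at IKE time. Hostnames, WAN addresses (RFC 5737 ranges) and file
# names below are assumptions.
set -eu

WORK="${PKI_DIR:-$(mktemp -d)}"
FWA_HOST=fwa.example.com FWA_IP=203.0.113.10     # assumed Firewall A identity
FWB_HOST=fwb.example.com FWB_IP=198.51.100.20    # assumed Firewall B identity

# Create the CA: self-signed and long-lived. Its private key stays on Firewall A;
# only ca.crt is ever exported.
make_ca() {
  openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -subj "/CN=Site-to-Site VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# Issue one firewall certificate. Common Name = hostname, SAN = WAN address,
# mirroring the Certificate Manager fields. "x509 -req" does not copy
# extensions from the CSR, so the SAN is supplied through -extfile.
issue_cert() {  # issue_cert <name> <hostname> <wan-ip>
  name=$1; host=$2; ip=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$WORK/$name.key" -out "$WORK/$name.csr"
  printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' \
    "$ip" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt"
}

# Check 1: does the certificate chain to the CA chosen as the trust anchor?
chains_to_ca() {  # chains_to_ca <cert> <ca-cert>  -> exit 0 only on success
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: which identity does the certificate carry? The peer compares its
# configured identifier (the WAN address) against this SAN.
cert_san() {  # cert_san <cert>  -> e.g. "IPAddress:203.0.113.10"
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Negative control: a self-signed certificate that copies Firewall B's Common
# Name and SAN exactly. It must still be rejected, because it does not chain
# to the CA that Firewall A trusts.
make_impostor() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj "/CN=$FWB_HOST" -addext "subjectAltName=IP:$FWB_IP" \
    -keyout "$WORK/impostor.key" -out "$WORK/impostor.crt"
}

make_ca
issue_cert fwA "$FWA_HOST" "$FWA_IP"
issue_cert fwB "$FWB_HOST" "$FWB_IP"
make_impostor

for c in fwA fwB impostor; do
  if chains_to_ca "$WORK/$c.crt" "$WORK/ca.crt"; then verdict=accepted; else verdict=REJECTED; fi
  echo "$c: $(cert_san "$WORK/$c.crt") $verdict"
done
echo "Files for Firewall B (move over a secure channel): ca.crt fwB.crt fwB.key in $WORK"
```

The impostor line in the output is the point of the exercise: its SAN is identical to Firewall B's, yet `openssl verify` rejects it because nothing in the CA file signed it. That is exactly the check the My Certificate Authority selection turns on, and it is why the CA private key must stay on Firewall A only.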