IPSec VPN certificate expires soon - how do I (re)create a valid certificate directly on the USG?

Zyxel_USG_User
Zyxel_USG_User Posts: 81  Ally Member

I have a USG20W-VPN firewall.

My IPSec VPN certificate will expire soon. How do I create a valid new certificate for the VPN part? I have seen the instructions when using Nebula, I do not use that.

How can I do that directly on the firewall? Thank you.

Best Answers

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,503  Zyxel Employee
    Answer ✓

    Hi @Zyxel_USG_User

    Where do I get the details from the existing certificate?

    Please double-click your VPN certificate; the firewall will pop out a window and show the details.

    https://jam.dev/c/f2409097-a8a9-4a03-940c-2bdd2806fe57

    How do I enter these into the new?

    You can click the add button to create a new self-assigned certification. You only need to enter the IP, same key type/signature algorithm/lifetime/extend key usage.

    Please reference this video:

    https://jam.dev/c/2f531058-5f90-4bd3-b2c5-21953453d812

    How do I bind the 'new' self-signed certificate to the remote access configurations?

    Please navigate to Configuration > VPN > IPSec VPN > VPN gateway to change the binding certificate.

    https://jam.dev/c/b3d570a3-d8fc-4075-8c74-7e43f18eb8f3

    Assumption: when I log onto SecuExtender, I can synchronise the configuration and the new certificate will be imported locally?

    You can get the new certificate by the function "get from server" on SecuExtender. After it gets the new configuration and certificate, it will ask you if you want to replace the VPN or other actions.

    Does it mean that the 'old' and not yet expired certificate will be afterwards invalid? Or do I have to delete it / remove the existing bindings?

    After binding the new certificate, the old one will not be used. You can delete it after unbinding, since it is still in your PKI storage.

    Zyxel Melen
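    A check to run before changing the binding, added here as an example and not part of the thread or of Zyxel's tooling: given the old and the replacement certificate exported as PEM files from Object > Certificate, these shell functions confirm that the new one carries the same key type, signature algorithm, extended key usage and IP/DNS subject alternative name as the old one, and that the old one really is inside its expiry window. It needs openssl; the two certificates below are constructed stand-ins generated inline, with 203.0.113.10 as a documentation address.

```shell
#!/bin/sh
# Added example, not Zyxel's: compare the old VPN certificate with its replacement
# before binding the new one under Configuration > VPN > IPSec VPN > VPN Gateway.
# Needs openssl; certificates are read as PEM files exported from Object > Certificate.
WORK=$(mktemp -d)

# Constructed stand-ins for the exported certificates (203.0.113.10 is a documentation
# address, not a real gateway): same profile, the old one expiring in 10 days.
mkcert() {  # mkcert <out.pem> <days>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -keyout "$WORK/key.pem" -out "$1" -subj "/CN=203.0.113.10" \
        -addext "subjectAltName=IP:203.0.113.10" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
}
mkcert "$WORK/old.pem" 10
mkcert "$WORK/new.pem" 365

# First "<label>: value" line of the -text dump, e.g. "Public Key Algorithm".
cert_field() { openssl x509 -in "$1" -noout -text | sed -n "s/^ *$2: *//p" | head -n 1; }

# Value line that follows an X509v3 extension header in the -text dump.
cert_ext() { openssl x509 -in "$1" -noout -text | sed -n "/$2/{n;s/^ *//;p;}"; }
cert_eku() { cert_ext "$1" "Extended Key Usage"; }        # e.g. "TLS Web Server Authentication, ..."
cert_san() { cert_ext "$1" "Subject Alternative Name"; }  # e.g. "IP Address:203.0.113.10"

# Succeeds when the certificate expires within <days>; -checkend itself succeeds when it does NOT.
expires_within_days() { ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

# Prints "match" when key type, signature algorithm, EKU and SAN agree, else names the difference.
same_profile() {
    for f in "Public Key Algorithm" "Signature Algorithm"; do
        [ "$(cert_field "$1" "$f")" = "$(cert_field "$2" "$f")" ] || { echo "differs: $f"; return 1; }
    done
    [ "$(cert_eku "$1")" = "$(cert_eku "$2")" ] || { echo "differs: EKU"; return 1; }
    [ "$(cert_san "$1")" = "$(cert_san "$2")" ] || { echo "differs: SAN"; return 1; }
    echo match
}

# Report: which certificate is inside a 30-day window, and whether the replacement matches.
for c in old new; do
    if expires_within_days "$WORK/$c.pem" 30; then echo "$c.pem: expires within 30 days"; fi
done
echo "replacement profile: $(same_profile "$WORK/old.pem" "$WORK/new.pem")"
```

    Replace the two mkcert calls with the paths of your exported PEM files; a "differs: SAN" result usually means the new certificate was created as Host Domain Name where the old one used Host IP Address, or the other way round.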


  • Zyxel_USG_User
    Zyxel_USG_User Posts: 81  Ally Member
    Answer ✓

    Hello,

    Thank you so much for your very detailed instructions, all went well. Kind regards

All Replies

  • PeterUK
    PeterUK Posts: 3,879  Guru Member
    edited June 16

    Is it self-signed? By IP or domain name?

    You can make a self-signed one in Object > Certificates with

    ServerAuthentication,

    ClientAuthentication

    checked; leave IKE Intermediate unchecked.

    Then you have to export it to the client OS as a trusted root.

  • Zyxel_USG_User
    Zyxel_USG_User Posts: 81  Ally Member
    edited June 16

    Yes, self-signed, see picture:

    image.png

    OK, I see now… click add, then enter the details. As I haven't done this yet, how do I reach the following steps?

    1. Where do I get the details from the existing certificate?

    2. How do I enter these into the new?

    3. How do I bind the 'new' self-signed certificate to the remote access configurations?

    4. Assumption: when I log onto SecuExtender, I can synchronise the configuration and the new certificate will be imported locally?

    5. Does it mean that the 'old' and not yet expired certificate will be afterwards invalid? Or do I have to delete it / remove the existing bindings?

    Many thanks.

  • PeterUK
    PeterUK Posts: 3,879  Guru Member
    edited June 16

    Under Subject it will list whether it's IP or Domain Name. Then you click Add:
    Name
    select and put in what's listed for Subject:
    Host IP Address
    or
    Host Domain Name
    check ServerAuthentication, ClientAuthentication
    and OK

    Go to the VPN settings for the VPN gateway used for Remote Access (Server Role); under Authentication you can select your new Certificate.

    Not sure about SecuExtender, I'll go check… hmm, not sure why, but I can't get the "get from server" to work. But if you've got SecuExtender set up with the current Certificate, all you need to do is download the new Certificate (without setting a password), then in SecuExtender under IKE V2 there should be Ikev2Gateway; click the Certificate and CA Management > Add CA > Next, find your Certificate and OK.
