
How to set up WatchGuard VPN with IKEv2 under Debian and Fedora

As far as I know, I'm the only Linux user at the company where I work, and for the longest time I used OpenVPN to connect to our WatchGuard VPN service. OpenVPN was quick and easy to configure and worked out of the box on my Debian and Fedora systems. However, WatchGuard deprecated OpenVPN in favour of IKEv2.

WatchGuard provide helpful instructions for using their VPN service with Windows, macOS, iOS and Android, but do not provide any instructions for Linux users. The instructions I found by searching the web were patchy, so I figured I'd write up the steps that I found work for me.

Debian

At the time of writing, I am using Debian 12 (bookworm). The following instructions assume you are using the default GNOME desktop environment. Support for other desktops is beyond the scope of this post.

Install packages

Enter the following terminal command to install the additional required packages:

sudo apt install network-manager-strongswan libcharon-extra-plugins

Install WatchGuard root CA certificate

You will need to install the WatchGuard certificate file. WatchGuard provide details on how to obtain the certificate here. If you don't have admin access to your VPN service, ask your VPN administrator to provide it.

Under Debian, locally added CA certificates live in /usr/local/share/ca-certificates/, and update-ca-certificates only picks up files that are PEM encoded and have a .crt extension. I create a subdirectory there for the WatchGuard certificate, then run the terminal command that refreshes the system's store of CA certificates.

sudo mkdir /usr/local/share/ca-certificates/watchguard
sudo cp rootca.crt /usr/local/share/ca-certificates/watchguard/
sudo update-ca-certificates

If successful, the update-ca-certificates command should produce output similar to below:

Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Set up VPN connection

Next, create a new VPN connection using the GNOME Settings app. Open the Settings app, navigate to the 'Network' tab and click the plus icon next to the VPN heading.

Screenshot of GNOME settings app showing where to click to create a new VPN connection.

Select the 'IPsec/IKEv2 (strongswan)' option when presented.

Screenshot of GNOME settings app showing which VPN option to select.

On the VPN Identity settings screen, enter the following details:

  • Provide a name for the VPN connection. You can name it whatever you like; I named my connection "WatchGuard".
  • Enter the IP address of your WatchGuard VPN service. If you don't know it, ask your VPN administrator.
  • Enter your username and password.
  • Check both "Request an inner IP address" and "Enforce UDP encapsulation".

Screenshot of GNOME settings app showing VPN identity settings.

Your VPN connection should now be working.

Fedora

At the time of writing, I am using Fedora 40 and 41. The following instructions assume you are using the default GNOME desktop environment. Support for other desktops is beyond the scope of this post.

Install packages

Enter the following terminal command to install the additional required packages:

sudo dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome strongswan-charon-nm

Install WatchGuard root CA certificate

You will need to install the WatchGuard certificate file. WatchGuard provide details on how to obtain the certificate here. If you don't have admin access to your VPN service, ask your VPN administrator to provide it.

Under Fedora, the WatchGuard CA certificate needs to be placed in /etc/strongswan/ipsec.d/cacerts/. This can be achieved with the following terminal command:

sudo cp -p rootca.pem /etc/strongswan/ipsec.d/cacerts/

Fedora 41 note: depending on how your WatchGuard certificate is configured this may or may not be required, but I had to adjust the crypto policies under Fedora 41 to allow SHA1. Bear in mind that this re-enables SHA1 system-wide, not just for strongSwan, so if your VPN administrator can issue a certificate signed with SHA-256 instead, you can leave the policy at DEFAULT. To allow SHA1, edit the file /etc/crypto-policies/config so that it reads:

DEFAULT:SHA1

and then apply the change by running the terminal command:

sudo update-crypto-policies
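As an added check that is my own helper, not part of the original post or of WatchGuard's instructions, the following script inspects the CA file before you copy it into place. It reports the certificate's signature algorithm, so you can tell in advance whether the Fedora 41 SHA1 policy change above applies, and it confirms the file is PEM encoded, which Debian's update-ca-certificates requires. It assumes openssl is installed and that rootca.crt or rootca.pem is the file your administrator gave you.

```shell
#!/bin/sh
# Added helper (not from the original post): inspect the WatchGuard root CA
# before installing it under Debian or Fedora.
set -eu

# Extract the first "Signature Algorithm:" line from `openssl x509 -text`
# output read on stdin, e.g. sha256WithRSAEncryption.
sig_alg_from_text() {
    sed -n '/Signature Algorithm:/{s/.*Signature Algorithm:[[:space:]]*//p;q;}'
}

# Signature algorithm of a certificate file, accepting PEM or DER input.
cert_sig_alg() {
    cert="$1"
    form="PEM"
    # Some exports are DER; fall back when the file does not parse as PEM.
    openssl x509 -in "$cert" -inform PEM -noout >/dev/null 2>&1 || form="DER"
    text=$(openssl x509 -in "$cert" -inform "$form" -noout -text)
    printf '%s\n' "$text" | sig_alg_from_text
}

# Exit 0 when the certificate is SHA-1 signed, i.e. the Fedora 41
# DEFAULT:SHA1 crypto-policy adjustment from the post would be needed.
needs_sha1_policy() {
    case "$(cert_sig_alg "$1")" in
        *sha1*|*SHA1*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Exit 0 when the file is PEM encoded (what update-ca-certificates expects).
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Convert a DER certificate to PEM so it can be dropped into the CA store.
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM
}

# Usage: ./check-ca.sh rootca.crt
if [ "$#" -gt 0 ]; then
    echo "Signature algorithm: $(cert_sig_alg "$1")"
    if needs_sha1_policy "$1"; then
        echo "SHA-1 signed: the DEFAULT:SHA1 policy change is required on Fedora 41"
    fi
    is_pem "$1" || echo "Not PEM: convert with der_to_pem before installing on Debian"
fi
```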

Set up VPN connection

Next, create a new VPN connection using the GNOME Settings app. The steps are exactly the same as for Debian, see above.

Debugging connection issues

If for any reason the connection fails to come up, it can be helpful to read your system's logs to debug the error. NetworkManager's logs can be read using the following terminal command (add -f to follow them live while you retry the connection):

sudo journalctl -u NetworkManager.service