{
    "title": "How to set up WatchGuard VPN with IKEv2 under Debian and Fedora",
    "slug": "how-to-set-up-watchguard-vpn-with-ikev2-under-debian-and-fedora",
    "excerpt": "A blog post detailing how to set up WatchGuard VPN with IKEv2 under both Debian and Fedora Linux. This guide works for me under Debian 12 (bookworm) and Fedora 40/41, but your mileage may vary depending on how your VPN service is configured.",
    "body": "As far as I know, I'm the only Linux user at the company where I work and for the longest time I used OpenVPN to connect to our [WatchGuard](https://www.watchguard.com/) VPN service. OpenVPN was quick and easy to configure and worked out-of-the-box on my Debian and Fedora systems. However, WatchGuard deprecated OpenVPN in favour of [IKEv2](https://en.wikipedia.org/wiki/Internet_Key_Exchange).\n\nWatchGuard provide [helpful instructions](https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_client_config.html) for using their VPN service with Windows, macOS, iOS and Android, but do not provide any instructions for Linux users. I found searching the web for instructions to be a bit sketchy, so I figured I'd write some instructions that I found work for me.\n\n## Debian\n\nAt the time of writing, I am using Debian 12 (bookworm). The following instructions assume you are using the default GNOME desktop environment. Support for other desktops is beyond the scope of this post.\n\n### Install packages\n\nEnter the following terminal command to install the additional required packages:\n\n```\nsudo apt install network-manager-strongswan libcharon-extra-plugins\n```\n\n### Install WatchGuard root CA certificate\n\nYou will need to install the WatchGuard certificate file. WatchGuard provide details on how to obtain the certificate [here](https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_client_config.html). If you don't have admin access to your VPN service, ask your VPN administrator to provide it.\n\nUnder Debian, locally added CA certificates go in `/usr/local/share/ca-certificates/` (the distribution's own CAs live under `/usr/share/ca-certificates/`); `update-ca-certificates` only picks up files there that are PEM-encoded and whose name ends in `.crt`. 
I create a new directory under that directory to store the WatchGuard certificate, before running the terminal command to update the system's store of CA certificates.\n\n```\nsudo mkdir /usr/local/share/ca-certificates/watchguard\nsudo cp rootca.crt /usr/local/share/ca-certificates/watchguard/\nsudo update-ca-certificates\n```\n\nIf successful, the `update-ca-certificates` command should produce output similar to below. The `1 added` line is the part that matters: `0 added` means the file was not picked up, usually because it is not PEM-encoded or its name does not end in `.crt`.\n\n```\nUpdating certificates in /etc/ssl/certs...\nrehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL\n1 added, 0 removed; done.\nRunning hooks in /etc/ca-certificates/update.d...\ndone.\n```\n\n### Set up VPN connection\n\nNext, using the GNOME Settings app, create a new VPN connection. Open the GNOME Settings app, navigate to the 'Network' tab and click the plus icon next to the VPN heading.\n\n![Screenshot of GNOME settings app showing where to click to create a new VPN connection.](https://blog.philipnewborough.co.uk/media/7b455ed7-c3c5-4832-8cb5-a1d5b399a38b.png)\n\nSelect the 'IPsec/IKEv2 (strongswan)' option when presented.\n\n![Screenshot of GNOME settings app showing which VPN option to select.](https://blog.philipnewborough.co.uk/media/ee79f291-5d7a-499c-a992-b7cf59475b4f.png)\n\nOn the VPN Identity settings screen, enter the following details:\n\n* Provide a name for the VPN connection. You can name it whatever you like, I named my connection \"WatchGuard\".\n* Enter the IP address of your WatchGuard VPN service. If you don't know it, ask your VPN administrator.\n* Enter your username and password.\n* Check both \"Request an inner IP address\" (so the gateway assigns your machine a virtual IP address for the tunnel) and \"Enforce UDP encapsulation\" (always carry ESP inside UDP port 4500, i.e. NAT traversal, which is far more reliable through the NAT on home routers).\n\n![Screenshot of GNOME settings app showing VPN identity settings.](https://blog.philipnewborough.co.uk/media/285aba63-40f9-4db8-8310-c9136f4549e9.png)\n\nYour VPN connection should now be working.\n\n## Fedora\n\nAt the time of writing, I am using Fedora 40 and 41. 
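
Before going any further on either distribution it is worth checking which signature algorithm the WatchGuard CA certificate actually carries, because a SHA-1 signed certificate is what forces the Fedora 41 crypto-policy change noted below, and that change should not be made on a guess. The script below is an added example written for this post; it is not code from the original article, from WatchGuard or from strongSwan. It reads the outer `signatureAlgorithm` field of an X.509 certificate using only the Python standard library, accepts the file as either PEM (`rootca.pem`) or raw DER, and the sample certificate it builds is a constructed skeleton with placeholder contents rather than a real WatchGuard certificate; the file name `check_sig_alg.py` used in the usage comment is assumed.

```python
# Added example, not code from the original post, WatchGuard or strongSwan: read
# a CA certificate's signatureAlgorithm (standard library only) to tell whether it
# is SHA-1 signed before touching crypto policies. Sample cert below is a skeleton.
import base64
import sys

SIGNATURE_OIDS = {
    '1.2.840.113549.1.1.5': 'sha1WithRSAEncryption',
    '1.2.840.113549.1.1.11': 'sha256WithRSAEncryption',
    '1.2.840.113549.1.1.12': 'sha384WithRSAEncryption',
    '1.2.840.10045.4.1': 'ecdsa-with-SHA1',
    '1.2.840.10045.4.3.2': 'ecdsa-with-SHA256',
}
SHA1_OIDS = {'1.2.840.113549.1.1.5', '1.2.840.10045.4.1'}

def pem_to_der(data: bytes) -> bytes:
    # Accept a PEM file (rootca.pem) or raw DER; strip the armour and decode.
    if not data.lstrip().startswith(b'-----BEGIN'):
        return data
    lines = [ln.strip() for ln in data.splitlines()]
    return base64.b64decode(b''.join(ln for ln in lines if ln and not ln.startswith(b'-----')))

def read_tlv(buf: bytes, pos: int):
    # One DER tag-length-value at pos -> (tag, content, offset after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], 'big')
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    # DER OBJECT IDENTIFIER content -> dotted decimal (base-128 arcs).
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return '.'.join(str(a) for a in arcs)

def signature_algorithm(cert: bytes) -> str:
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, body, _ = read_tlv(pem_to_der(cert), 0)
    if tag != 0x30:
        raise ValueError('not a DER SEQUENCE, so not a certificate')
    _, _, pos = read_tlv(body, 0)                # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)         # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError('malformed signatureAlgorithm')
    return decode_oid(oid)

def describe_signature(cert: bytes) -> str:
    oid = signature_algorithm(cert)
    return SIGNATURE_OIDS.get(oid, oid)

def needs_sha1_policy(cert: bytes) -> bool:
    # True when Fedora 41's DEFAULT policy would reject the signature as SHA-1.
    return signature_algorithm(cert) in SHA1_OIDS

def _der(tag: int, content: bytes) -> bytes:
    # Minimal DER encoder (short and long-form lengths) for the constructed sample.
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split('.')]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def make_sample_cert(sig_oid: str, padding: int = 1) -> bytes:
    # Constructed skeleton: the three top-level X.509 fields with placeholder
    # tbsCertificate/signature; padding > 127 exercises long-form DER lengths.
    tbs = _der(0x30, _der(0x04, bytes(padding)))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b''))
    return _der(0x30, tbs + alg + _der(0x03, bytes(9)))

def to_pem(der: bytes) -> bytes:
    return (b'-----BEGIN CERTIFICATE-----\n' + base64.encodebytes(der)
            + b'-----END CERTIFICATE-----\n')

if __name__ == '__main__':
    # python3 check_sig_alg.py rootca.crt (hypothetical file name); with no
    # argument it checks the constructed SHA-1 sample.
    cert = (open(sys.argv[1], 'rb').read() if len(sys.argv) > 1
            else to_pem(make_sample_cert('1.2.840.113549.1.1.5')))
    print(describe_signature(cert), '| needs DEFAULT:SHA1:', needs_sha1_policy(cert))
```

Run it as `python3 check_sig_alg.py rootca.crt` (or on `rootca.pem`); it prints the algorithm name and whether the Fedora `DEFAULT:SHA1` change would be needed at all. `openssl x509 -in rootca.crt -noout -text` reports the same thing under `Signature Algorithm`; the script exists to make explicit which field of the DER structure that answer comes from, and to give you a check that does not depend on any third-party module.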
The following instructions assume you are using the default GNOME desktop environment. Support for other desktops is beyond the scope of this post.\n\n### Install packages\n\nEnter the following terminal command to install the additional required packages:\n\n```\nsudo dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome strongswan-charon-nm\n```\n\n### Install WatchGuard root CA certificate\n\nYou will need to install the WatchGuard certificate file. WatchGuard provide details on how to obtain the certificate [here](https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_client_config.html). If you don't have admin access to your VPN service, ask your VPN administrator to provide it.\n\nUnder Fedora, the WatchGuard CA certificate needs to be placed in `/etc/strongswan/ipsec.d/cacerts/`, the directory strongSwan loads trusted CA certificates from. This can be achieved with the following terminal command:\n\n```\nsudo cp -p rootca.pem /etc/strongswan/ipsec.d/cacerts/\n```\n\n**Fedora 41 note:** Depending on how your WatchGuard certificate is signed, this may or may not be required, but I had to adjust the crypto policies under Fedora 41 to allow SHA-1. Fedora 41's `DEFAULT` crypto policy no longer accepts SHA-1 signatures, so a CA certificate signed with SHA-1 fails verification until the `SHA1` subpolicy is enabled. This can be done by editing the file `/etc/crypto-policies/config` to read:\n\n```\nDEFAULT:SHA1\n```\n\nbefore running the terminal command:\n\n```\nsudo update-crypto-policies\n```\n\nThe single command `sudo update-crypto-policies --set DEFAULT:SHA1` writes that setting and applies it in one step. Be aware that this is a system-wide change, not a per-connection one: it re-enables SHA-1 signatures for every application that follows the crypto policies (anything using the system OpenSSL, GnuTLS or NSS configuration), so confirm the certificate really is SHA-1 signed before making it, and ask your VPN administrator whether a SHA-256 signed certificate can be issued so the policy can go back to plain `DEFAULT`.\n\n### Set up VPN connection\n\nNext, using the GNOME Settings app, create a new VPN connection. The instructions for this are exactly the same as for Debian, see above.\n\n## Debugging connection issues\n\nIf for any reason the connection fails, it can be helpful to read your system's logs to try and debug any errors. NetworkManager logs can be read using the following terminal command:\n\n```\nsudo journalctl -u NetworkManager.service\n```\n\nThe strongSwan helper `charon-nm` logs to the journal as well, so running `sudo journalctl -f` in a second terminal while you retry the connection shows the IKE exchange and any certificate verification errors as they happen.",
    "tags": [],
    "published_at": "2025-01-16 22:05:43",
    "url": "https://blog.philipnewborough.co.uk/posts/how-to-set-up-watchguard-vpn-with-ikev2-under-debian-and-fedora",
    "featured_image": "https://blog.philipnewborough.co.uk/media/og-60790d55-fa7e-49a3-9b56-cc74de2dbd15.png"
}