In some situations a pre-shared key (PSK) is not secure enough. In those cases, certificate authentication with the newer IKEv2 standard can help. This tutorial will help you establish an IKEv2 tunnel in no time!
Create the Phase 1 and Phase 2 settings as usual, but choose the USG's own certificate for authentication in Phase 1.
Now go on to create the certificate for the client:
Navigate to “Object -> Certificate -> My Certificates -> Add”
Then choose these settings for the new certificate:
Subject Information: Email
Extended Key Usage: Tick all 3 checkboxes
The mail address can be completely imaginary. Leave the other values untouched.
Double-click the created certificate, copy the displayed string into a text file on your computer, and give the file the extension .cer.
On the USG, export the certificate again, this time with a password, and give the downloaded file the extension .p12.
On the USG: Delete the created certificate in “My Certificates” and upload the .cer certificate to Trusted Certificates. Otherwise you will see an error message that a duplicate certificate already exists.
Configure the Greenbow client as you normally would (proposals, etc.).
However, choose “Certificate” for authentication and import the .p12 file into Greenbow.
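Before deleting the certificate from “My Certificates”, it is worth confirming on your computer that the hand-copied .cer file and the exported .p12 file really contain the same certificate. The script below is an added example, not part of the original tutorial. It assumes OpenSSL is installed; the file names and the P12_PASS environment variable are choices made for this example.

```shell
#!/bin/sh
# Added example: confirm the hand-copied .cer and the exported .p12 hold the
# same certificate. File names are placeholders; the .p12 password is read
# from the P12_PASS environment variable so it never appears in argv.

# SHA-256 fingerprint of a PEM certificate file (the text copied from the USG).
cer_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the client certificate stored inside a PKCS#12 file.
p12_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Return 0 only when both files parse and carry the identical certificate.
same_certificate() {
    a=$(cer_fingerprint "$1")
    b=$(p12_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the fields chosen in the certificate dialog for a visual check.
show_certificate() {
    openssl x509 -in "$1" -noout -subject -enddate
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage'
}

# Usage: P12_PASS='...' sh check-cert.sh client.cer client.p12
if [ "$#" -eq 2 ]; then
    show_certificate "$1"
    if same_certificate "$1" "$2"; then
        echo "OK: $1 and $2 contain the same certificate"
    else
        echo "MISMATCH or unreadable file: re-copy the .cer text or re-export" >&2
        exit 1
    fi
fi
```

A mismatch usually means the copied text lost a line or picked up extra characters. Fixing that before the delete step avoids having to create a new client certificate.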