Edit the Mobile VPN with IKEv2 Configuration
We recommend that you use the WatchGuard IKEv2 Setup Wizard to set up Mobile VPN with IKEv2 for the first time. For more information, see Use the WatchGuard IKEv2 Setup Wizard.
- Select VPN > Mobile VPN with IKEv2.
- Click Configure.
- Select the Activate Mobile VPN with IKEv2 check box if Mobile VPN with IKEv2 is not already activated.
- Use the information in the next sections to configure the Mobile VPN with IKEv2 settings.
- Select VPN > Mobile VPN > IKEv2 > Configure.
The Mobile VPN with IKEv2 Configuration dialog box appears.
- Select the Activate Mobile VPN with IKEv2 check box if Mobile VPN with IKEv2 is not already activated.
- Use the information in the next sections to configure the Mobile VPN with IKEv2 settings.
Edit Network Settings
On the Networking tab, in the Firebox Addresses section, specify an IP address or domain name for connections from Mobile VPN with IKEv2 users. If your Firebox is behind a NAT device, you must specify the public IP address or domain name of the NAT device.
Edit the Virtual IP Address Pool
On the Networking tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with IKEv2 users over the tunnel. The virtual IP address pool must contain at least two IP addresses. By default, the Firebox assigns addresses in the 192.168.114.0/24 range to Mobile VPN with IKEv2 clients.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
To add to the virtual IP address pool:
- Click Add.
The Add Address Pool dialog box appears.
- From the Choose Type drop-down list, select Network IPv4 or Host IPv4.
- In the adjacent text box, type an IP address or network IP address.
Edit Authentication Settings
On the Authentication tab you can configure authentication servers and the authorized users and groups.
Configure Authentication Servers
- Select the Authentication tab.
- In the Authentication Servers section, select Firebox-DB, RADIUS, or both.
- If you select both Firebox-DB and RADIUS, you can select Set as default server to make RADIUS the default authentication server.
Configure Users and Groups
If you use Firebox-DB for authentication, you must use the IKEv2-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with IKEv2. For each group or user you add, you can select the authentication server where the group exists or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.
For more information about user authentication, see About Mobile VPN with IKEv2 User Authentication.
- In the Users and Groups section, select users and groups for Mobile VPN with IKEv2.
- To add a new Firebox-DB user or group, select Firebox-DB from the drop-down list.
- To add a new RADIUS user or group, select RADIUS from the drop-down list.
- To add a new user or group for both Firebox-DB and RADIUS, select Any from the drop-down list.
- From the adjacent drop-down list, select User or Group.
- Click Add.
The Firebox User, Firebox Group, or Add User or Group dialog box appears.
- Specify the settings for the user or group.
For more information about how to add Firebox-DB users, see Define a New User for Firebox Authentication.
For more information about how to add Firebox-DB groups, see Define a New Group for Firebox Authentication.
For more information about how to add RADIUS users and groups, see Use Users and Groups in Policies.
- In the Users and Groups section, select users and groups for Mobile VPN with IKEv2.
- To add a new Firebox-DB user or group, click New.
- Select Firebox-DB User/Group or External User/Group.
The Authentication Servers dialog box appears.
- To add a user, in the Users section, click Add.
The Setup Firebox User dialog box appears.
- Specify the user name, password, timeout settings, and login limit settings for the user. For more information about how to add users, see Define a New User for Firebox Authentication.
- To add a group, in the Group section, click Add.
The Setup Firebox Group dialog box appears.
- Specify the user name, password, timeout settings, and login limit settings for the user. For more information about how to add groups, see Define a New Group for Firebox Authentication.
Configure a Certificate for Authentication
You can select a Firebox certificate or a third-party certificate for Mobile VPN with IKEv2 authentication. Firebox and third-party certificates have these requirements:
- Extended Key Usage (EKU) flags "serverAuth" and "IP Security IKE Intermediate" (OID 1.3.6.1.5.5.8.2.2)
- IP address or DNS name as a Subject Alternative Name value
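Before you import a third-party certificate, it is worth verifying these two requirements offline rather than discovering a failed IKE_AUTH later. The following Go program is an added example, not part of this documentation or of WatchGuard's products: it checks a parsed certificate for the serverAuth and IKE Intermediate EKU flags and for a DNS or IP Subject Alternative Name, and builds a constructed self-signed test certificate (the name vpn.example.com is a placeholder) to exercise the check. To check a real certificate, decode the PEM with encoding/pem and pass the result of x509.ParseCertificate to CheckIKEv2ServerCert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// "IP Security IKE Intermediate" has no named constant in Go's x509 package, so it is matched by OID.
var oidIKEIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}
// CheckIKEv2ServerCert returns the requirements a parsed certificate fails (empty means it passes).
func CheckIKEv2ServerCert(cert *x509.Certificate) []string {
	hasServerAuth, hasIKE := false, false
	for _, u := range cert.ExtKeyUsage { // EKUs Go knows by name
		hasServerAuth = hasServerAuth || u == x509.ExtKeyUsageServerAuth
	}
	for _, oid := range cert.UnknownExtKeyUsage { // EKUs Go does not know land here
		hasIKE = hasIKE || oid.Equal(oidIKEIntermediate)
	}
	var problems []string
	if !hasServerAuth {
		problems = append(problems, "EKU missing serverAuth")
	}
	if !hasIKE {
		problems = append(problems, "EKU missing IP Security IKE Intermediate (1.3.6.1.5.5.8.2.2)")
	}
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		problems = append(problems, "no DNS name or IP address in Subject Alternative Name")
	}
	return problems
}

// MakeTestCert builds a constructed self-signed certificate (not a Firebox certificate) with serverAuth and a DNS SAN; withIKE controls whether the IKE Intermediate EKU is also present.
func MakeTestCert(withIKE bool) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "vpn.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, DNSNames: []string{"vpn.example.com"}}
	if withIKE {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidIKEIntermediate}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der) // re-parse so the check sees exactly what a peer would
	return cert
}
```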
To select a certificate for authentication:
- Click the Security tab.
- To specify a certificate for authentication, click Edit.
The Firebox Address and Certificate Settings dialog box appears.
- In the Type drop-down list, select Firebox-Generated Certificate or Third-Party Certificate.
Configure the Phase 1 and 2 Settings
To configure the Phase 1 settings, select VPN > IKEv2 Shared Settings. For more information about IKEv2 Shared Settings, see Configure IKEv2 Shared Settings.
The IPSec Phase 2 proposals used for Mobile VPN with IKEv2 are the same proposals you configure to use with a branch office VPN. If you want to configure a new Phase 2 proposal to use with Mobile VPN with IKEv2, you must add it in the Phase 2 Proposals page. Then you can add it to the Mobile VPN with IKEv2 configuration.
- Select VPN > Mobile VPN > IKEv2 > Configure.
- Select Security > Phase 2.
- Select the Phase 2 Settings tab.
- Select Enabled Perfect Forward Secrecy to enable Perfect Forward Secrecy (PFS).
- From the adjacent drop-down list, select a Diffie-Hellman Group.
- In the IPSec Proposals section, select an existing proposal from the drop-down list.
- Click Add.
- To add a new proposal, select VPN > Phase 2 Proposals. For more information about Phase 2 Proposals, see Add a Phase 2 Proposal.
- Click Save.
- Select VPN > Mobile VPN > IKEv2 > Configure.
- Select Security > Phase 2.
- Select the Phase 2 Settings tab.
- Select the PFS check box to enable Perfect Forward Secrecy (PFS).
- From the adjacent drop-down list, select a Diffie-Hellman Group.
- In the IPSec Proposals section, select an existing proposal from the drop-down list.
- Click Add.
- To add a new proposal, select VPN > Phase 2 Proposals. For more information about Phase 2 Proposals, see Add a Phase 2 Proposal.
- Click OK.
See Also
Use the WatchGuard IKEv2 Setup Wizard
Configure iOS and macOS Devices for Mobile VPN with IKEv2
Configure Windows Devices for Mobile VPN with IKEv2
Configure Android Devices for Mobile VPN with IKEv2
Configure Client Devices for Mobile VPN with IKEv2
Internet Access Through a Mobile VPN with IKEv2 Tunnel
Certificates for Mobile VPN with IKEv2 Tunnel Authentication