Configure the Firebox for Mobile VPN with IPSec
You can enable Mobile VPN with IPSec for a group of users you have already created, or you can create a new user group. The users in the group can authenticate either to the Firebox or to a third-party authentication server included in your Firebox configuration.
For more information about how to add users to a group for local Firebox authentication, see Add Users to a Firebox Mobile VPN Group. If you use a third-party authentication server, follow the instructions in the documentation from the manufacturer.
Configure a Mobile VPN with IPSec Group
To configure Mobile VPN with IPSec for a group of users, you add a Mobile VPN with IPSec group configuration.
- Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
- Click Add.
The Mobile User VPN with IPSec Settings page appears.
- In the Name text box, type a name for this Mobile VPN group.
You can type the name of an existing group or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names as well as all interface and VPN tunnel names.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.
- Configure these settings to edit the group profile:
Authentication Server
Select the authentication server to use for this Mobile VPN group. You can authenticate users with the internal Firebox database (Firebox-DB) or with a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you choose is enabled.
Passphrase
Type a passphrase to encrypt the Mobile VPN profile (.wgx file) that you distribute to users in this group. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this passphrase is also used to encrypt the exported certificate file you send to users.
Confirm
Type the passphrase again.
Primary
Type the primary external IP address to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.
Backup
Type a backup external IP address to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to an external interface or VLAN.
Session Timeout
Select the maximum time in minutes that a Mobile VPN session can be active.
Idle Timeout
Select the time in minutes before the Firebox closes an idle Mobile VPN session. The session and idle timeout values are the default timeout values if the authentication server does not have its own timeout values. If you use the Firebox as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts for each Firebox user account.
The session and idle timeouts cannot be longer than the value in the SA Life field.
To set this value, in the Mobile VPN with IPSec Settings dialog box, click the IPSec Tunnel tab, and click Advanced for Phase 1 Settings. The default value is 8 hours.
- Select the IPSec Tunnel tab.
The IPSec Tunnel page opens.
- Configure these settings:
Use the passphrase of the end user profile as the pre-shared key
Select this option to use the passphrase of the end user profile as the pre-shared key for tunnel authentication. You must use the same shared key on the remote device. This shared key can use only standard ASCII characters.
Use a certificate
Select this option to use a certificate for tunnel authentication.
For more information, see Certificates for Mobile VPN With IPSec Tunnel Authentication.
CA IP address
If you use a certificate, type the IP address of the Management Server that has been configured as a certificate authority.
Timeout
If you use a certificate, type the time in seconds before the Mobile VPN with IPSec client stops an attempt to connect if there is no response from the certificate authority. We recommend you keep the default value.
Phase 1 Settings
Select the authentication and encryption methods for the VPN tunnel. To configure advanced settings, such as NAT Traversal or the key group, click Advanced, and see Define Advanced Phase 1 Settings.
The Encryption options are listed from the simplest and least secure to the most complex and most secure:
- DES
- 3DES
- AES (128 bit)
- AES (192 bit)
- AES (256 bit)
Phase 2 Settings
By default, PFS (Perfect Forward Secrecy) is enabled. From the drop-down list, select the Diffie-Hellman group.
To change other proposal settings, click Advanced and see Define Advanced Phase 2 Settings.
- Select the Resources tab.
The Resources page appears.
- Configure these settings:
Allow All Traffic Through Tunnel
To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box.
If you select this check box, the Mobile VPN user Internet traffic is sent through the VPN. This is more secure, but network performance decreases.
If you do not select this check box, Mobile VPN user Internet traffic is sent directly to the Internet. This is less secure, but users can browse the Internet more quickly.
Allowed Resources
This list includes the resources that users in the Mobile VPN authentication group can get access to on the network.
To add an IP address or a network IP address to the network resources list, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To remove an IP address or network IP address from the resources list, select it and click Remove.
Virtual IP Address Pool
This list includes the internal IP addresses that are used by Mobile VPN users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To remove a host or network IP address from the virtual IP address pool, select it and click Remove.
The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
- Select the Advanced tab.
The Advanced page appears.
- Configure the Line Management settings:
Connection mode
Manual — In this mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. This is the default setting.
To restart the VPN tunnel, you must click the Connect button in Connection Monitor, or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
Automatic — In this mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel becomes unavailable.
Variable — In this mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until you click Connect.
Inactivity timeout
If the Connection mode is set to Automatic or Variable, the Mobile VPN with IPSec client software does not try to renegotiate the VPN connection until there has been no traffic from the network resources available through the tunnel for the length of time you enter for Inactivity timeout.
The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .ini file to configure the client software.
- Click Save.
The Mobile VPN with IPSec page opens and the new IPSec group appears in the Groups list.
- Click Save.
- Select VPN > Mobile VPN > IPSec.
The Mobile VPN with IPSec Configuration dialog box appears.
- Click Add.
The Add Mobile VPN with IPSec Wizard appears.
- Click Next.
The Select a user authentication server screen appears.
- From the Authentication Server drop-down list, select an authentication server.
You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled in Policy Manager. Select Setup > Authentication > Authentication Servers to see these settings.
- In the Group Name text box, type the name of the group.
You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.
For more information about VPN group authentication, see Types of Firebox Authentication.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.
- Click Next.
The Select a tunnel authentication method screen appears.
- Select an option for tunnel authentication:
- Use this passphrase
Type and confirm the passphrase.
- Use an RSA certificate issued by your WatchGuard Management Server
Type the IP Address of your Management Server and the Administration Passphrase.
For more information about how to use an RSA certificate, see Certificates for Mobile VPN With IPSec Tunnel Authentication.
- Click Next.
The Direct the flow of Internet traffic screen appears.
- Select an option for Internet traffic:
- No, allow Internet traffic to go directly to the mobile user's ISP. (Split tunneling)
- Yes, force all Internet traffic to flow through the tunnel. (Default-route VPN)
For more information about split tunneling and default-route VPN, see Options for Internet Access Through a Mobile VPN with IPSec Tunnel.
- Click Next.
The Identify the resources accessible through the tunnel screen appears.
- Click Add to specify the host or network IP addresses that users can connect to through the VPN tunnel.
- Click Next.
The Create the virtual IP address pool screen appears.
- Click Add to add one IP address or an IP address range.
To add more virtual IP addresses, repeat this step.
Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users.
The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
- Click Next.
If you used a certificate for tunnel authentication, the Encrypt the VPN configuration file screen appears.
- Type and confirm the passphrase to use to encrypt the .wgx configuration file and the PKCS#12 certificate that is saved when you generate the VPN configuration file from Policy Manager.
If you used a passphrase for tunnel authentication, the wizard skips this step and the tunnel passphrase you specified earlier is used to encrypt the VPN configuration file.
- Click Next.
The Add Mobile VPN with IPSec Wizard has completed successfully screen appears.
- To add users to the new Mobile VPN with IPSec group, select the Add users check box.
- Click Finish.
The Mobile VPN with IPSec group end-user configuration file is available at the location specified on this screen.
When you add a Mobile VPN with IPSec group, a Mobile VPN with IPSec Any policy is automatically created to allow all traffic from users in the group to the resources available through the tunnel. For more information about Mobile VPN with IPSec policies, see Configure Policies to Filter IPSec Mobile VPN Traffic.
Users who are members of the group you create are not able to connect until they import the correct configuration file in their WatchGuard IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users. For more information, see Generate Mobile VPN with IPSec Configuration Files.
If users cannot connect to the VPN or to network resources, check for these common causes:
- Incorrect DNS settings
- Disabled or deleted policies
- Incorrect user group settings
- IP address pool overlap
- Incorrect route settings
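The constraints this page states for a group profile (a group name unique among VPN group, interface and tunnel names; an ASCII-only passphrase; session and idle timeouts no longer than the Phase 1 SA Life; a virtual IP address pool on a different subnet than the local networks with enough addresses for the users) can be checked before the configuration is saved, which catches two of the causes in the checklist above (incorrect user group settings and IP address pool overlap). The following is an added example, not WatchGuard code: it assumes a profile held as a plain Python dict with constructed key names, timeouts and SA Life expressed in minutes, and constructed sample values.

```python
import ipaddress

# Default Phase 1 SA Life stated on the page: 8 hours, expressed here in minutes.
DEFAULT_SA_LIFE_MIN = 8 * 60


def check_group(profile, existing_names, local_networks):
    """Return a list of constraint violations for one Mobile VPN with IPSec group.

    profile is a constructed dict with the keys name, passphrase, session_timeout,
    idle_timeout, sa_life (all in minutes), virtual_pool (host or CIDR strings)
    and user_count; existing_names holds the other VPN group, interface and
    tunnel names; local_networks holds the local subnets as CIDR strings.
    """
    problems = []
    # The group name must be unique among VPN group, interface and tunnel names.
    if profile["name"] in existing_names:
        problems.append(f"name '{profile['name']}' is already used by a group, interface or tunnel")
    # The profile passphrase / pre-shared key can use only standard ASCII characters.
    pw = profile["passphrase"]
    if not (pw.isascii() and pw.isprintable()):
        problems.append("passphrase contains characters outside printable ASCII")
    # Session and idle timeouts cannot be longer than the Phase 1 SA Life.
    sa_life = profile.get("sa_life", DEFAULT_SA_LIFE_MIN)
    for key in ("session_timeout", "idle_timeout"):
        if profile[key] > sa_life:
            problems.append(f"{key} of {profile[key]} min exceeds SA Life of {sa_life} min")
    # The virtual IP pool must be on a different subnet than the local networks;
    # pool overlap is one of the troubleshooting causes listed on the page.
    pool = [ipaddress.ip_network(p, strict=False) for p in profile["virtual_pool"]]
    for net in (ipaddress.ip_network(n, strict=False) for n in local_networks):
        for p in pool:
            if p.overlaps(net):
                problems.append(f"virtual pool {p} overlaps local network {net}")
    # The pool should hold one address per Mobile VPN user.
    pool_size = sum(p.num_addresses for p in pool)
    if pool_size < profile["user_count"]:
        problems.append(f"virtual pool has {pool_size} addresses for {profile['user_count']} users")
    return problems


# Constructed sample inputs, not taken from the page.
SAMPLE_NAMES = {"External", "Trusted", "BranchTunnel"}
SAMPLE_LOCAL = ["10.0.1.0/24", "10.0.2.0/24"]
GOOD_PROFILE = {"name": "ipsec-users", "passphrase": "Sample-PSK-01", "session_timeout": 480,
                "idle_timeout": 30, "virtual_pool": ["192.168.113.0/25"], "user_count": 100}
BAD_PROFILE = {"name": "Trusted", "passphrase": "p\u00e4ssword", "session_timeout": 600,
               "idle_timeout": 30, "virtual_pool": ["10.0.1.64/26"], "user_count": 100}

if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(label, check_group(prof, SAMPLE_NAMES, SAMPLE_LOCAL) or ["no problems found"])
```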