Related Topics
Modify an Existing Mobile VPN with IPSec Group Profile
After you create a Mobile VPN with IPSec group, you can edit the profile to:
- Change the shared key
- Add access to more hosts or networks
- Restrict access to a single destination port, source port, or protocol
- Change the Phase 1 or Phase 2 settings
Configure a Mobile VPN with IPSec Group
- Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears.
- From the Groups list, select a group and click Edit.
The Mobile User VPN with IPSec Settings page appears.
- To edit the group profile, configure these options:
Authentication Server
Select the authentication server to use for this Mobile VPN group. You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory authentication server. Make sure that this method of authentication is enabled.
Passphrase
To change the passphrase that encrypts the .WGX file, type a new passphrase. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.
Confirm
Type the new passphrase again.
Primary
Type the primary external IP address or domain to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a Firebox in drop-in mode, specify the IP address assigned to all interfaces.
Backup
Type a backup external IP address or domain to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to a Firebox external interface or VLAN.
Session Timeout
Select the maximum time in minutes that a Mobile VPN session can be active.
Idle Timeout
Select the time in minutes before the Firebox closes an idle Mobile VPN session. The session and idle timeout values are the default timeouts if the authentication server does not return specific timeout values. If you use the Firebox as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts in each Firebox user account.
The default value is 8 hours.
The session and idle timeouts cannot be longer than the value in the SA Life text box.
To set this value:
- Select the IPSec Tunnel tab.
- In the Phase 1 Settings section, click Advanced.
- Select the IPSec Tunnel tab.
- Configure these options to edit the IPSec settings:
IPSec Tunnel Settings
You can use a pre-shared key or a certificate for tunnel authentication.
To use the passphrase of the end-user profile as the pre-shared key for tunnel authentication, select Use the passphrase of the end-user profile as the pre-shared key. The passphrase is set on the General tab in the Passphrase section. You must use the same shared key on the remote device. The shared key can use only standard ASCII characters.
To use a certificate for tunnel authentication, select Use a certificate.
For more information, see Certificates for Mobile VPN With IPSec Tunnel Authentication.
If you use a certificate, you must also specify the CA IP Address and Timeout. In the CA IP Address text box, type the IP address of the Management Server that is configured as the certificate authority. In the Timeout text box, type the time, in seconds, before the Mobile VPN with IPSec client no longer attempts to connect to the certificate authority without a response. We recommend that you use the default setting.
Phase 1 Settings
Select the authentication and encryption methods for the Phase 1 transform for the Mobile VPN tunnel. For more information about these settings, see About IPSec Algorithms and Protocols.
From the Authentication drop-down list, select an authentication method: MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512. Tip!We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.
SHA-2 is not supported on XTM
SHA2 is supported for VPN connections from the Shrew Soft VPN client v2.2.1 or higher, or the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.
From the Encryption drop-down list, select an encryption method: AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES. Tip!We recommend AES encryption. For the best performance, choose AES (128-bit). For the strongest encryption, choose AES (256-bit). We do not recommend DES or 3DES.
To configure advanced settings, such as NAT Traversal or the key group, click Advanced. For more information, see Define Advanced Phase 1 Settings.
Phase 2 Settings
To change the proposal and key expiration settings, click Proposal. For more information, see Define Advanced Phase 2 Settings.
By default, Perfect Forward Secrecy (PFS) is enabled. If you keep PFS enabled, select the Diffie-Hellman group. Tip!For stronger security, we recommend that you keep PFS enabled and keep the default Diffie-Hellman value of Group 14.
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, see About Diffie-Hellman Groups.
- Select the Resources tab.
- Configure these options:
Allow All Traffic Through Tunnel
Select this check box to send all Mobile VPN user Internet traffic through the VPN tunnel. When this option is selected, Mobile VPN user Internet traffic is sent through the VPN. Websites might load more slowly for those users.
If this option is not selected, Mobile VPN user Internet traffic is not examined by Firebox policies, but users can browse the Internet more quickly.
Allowed Resources
This list includes the network resources that are available to users in the Mobile VPN group.
If you select the Allow All Traffic Through Tunnel option, the default values in the Allowed Resources list, Any-External and 0.0.0.0/0, are required. No other resources are required. In Fireware v11.12 and higher, you cannot remove the default resources or add additional resources when this option is selected.
If you do not select Allow All Traffic Through Tunnel, you can add or remove allowed resources:
- To add an IP address or a network IP address to the network resources list, select Host IP or Network IP, type the address, and click Add.
- To delete an IP address or network IP address from the resources list, select a resource and click Remove.
If you edit the allowed resources, the resource list is automatically updated only in the default Mobile VPN with IPSec policy for this group. The resources are not automatically updated for any other Mobile VPN with IPSec policies for group. You must edit the allowed resources in the Mobile VPN with IPSec policies and update if necessary. For more information, see Configure Policies to Filter IPSec Mobile VPN Traffic.
Virtual IP Address Pool
The internal IP addresses that are used by Mobile VPN users over the tunnel appear in this list. These addresses cannot be used by any network devices or other Mobile VPN groups.
- To add a host IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.
- To delete a host or network IP address from the virtual IP address pool, select the host or IP address and click Remove.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
- Select the Advanced tab.
- Configure the Line Management settings:
Connection mode
Manual — In this mode, the user must manually start the VPN tunnel. This is the default setting. The client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To start the VPN tunnel, click Connect in the Mobile VPN client. Or, right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
Automatic — In this mode, the client automatically tries to start the connection when your computer sends traffic to a remote host through the VPN tunnel. If the VPN tunnel goes down, the client automatically tries to restart the VPN tunnel when an application on the client computer sends traffic to a remote host.
Variable — In this mode, to manually start the VPN tunnel the first time, the user must click Connect. After the user starts the tunnel, the tunnel runs in automatic mode until the user clicks Disconnect. If the VPN tunnel goes down before the user clicks Disconnect, the client automatically tries to restart the VPN tunnel when an application on the client computer sends traffic to a remote host.
Inactivity timeout
The inactivity timeout specifies the time delay after the last transmission of traffic through the tunnel before the client automatically disconnects the tunnel. The inactivity timeout can have a maximum value of 65,535 seconds. By default, the inactivity value is set to 0. With the default value of 0, the VPN client does not automatically disconnect an established tunnel after inactivity. The user must manually disconnect the tunnel.
The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .INI file to configure the client software.
- Click Save.
The Mobile VPN with IPSec page appears. - Click Save.
- Select VPN > Mobile VPN > IPSec.
The Mobile VPN with IPSec Configuration dialog box appears.
- From the profile list, select the group to change.
- Click Edit.
The Edit Mobile VPN with IPSec dialog box appears.
- On the General tab, edit the group profile and configure these settings:
Authentication Server
Select the authentication server to use for this Mobile VPN group. You can authenticate users with the internal Firebox database (Firebox-DB) or with a RADIUS, VASCO, SecurID, LDAP, or Active Directory authentication server.
To configure your authentication server, select Setup > Authentication > Authentication Servers.
Passphrase
Type a passphrase to encrypt the Mobile VPN profile (.wgx file) that you distribute to users in this group. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.
Confirm
Type the passphrase again.
Primary
Select or type the primary external IP address or domain to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a Firebox in drop-in mode, use the IP address assigned to all interfaces.
Backup
Type or select the backup external IP address or domain to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to a Firebox external interface or VLAN.
Session
Select the maximum time in minutes that a Mobile VPN session can be active.
Idle
Select the time in minutes before the Firebox closes an idle Mobile VPN session. The session and idle timeout values are the default timeouts if the authentication server does not return specific timeout values. If you use the Firebox as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts in each Firebox user account.
The session and idle timeouts cannot be longer than the value specified for the SA Life. To set this value, from the IPSec Tunnel tab of the Edit Mobile VPN with IPSec dialog box, click Advanced. The default value is 8 hours.
- Select the IPSec Tunnel tab.
- Edit the IPSec tunnel settings:
Tunnel Authentication Method
You can use a pre-shared key or a certificate for tunnel authentication.
To use the passphrase of the end-user profile as the pre-shared key for tunnel authentication, select Use the passphrase of the end-user profile as the pre-shared key. You must use the same shared key on the remote device. Use only standard ASCII characters in the shared key.
To use a certificate for tunnel authentication, select Use a certificate. For more information, see Certificates for Mobile VPN with IPSec Tunnel Authentication.
If you use a certificate, you must also specify the CA IP Address and Timeout. In the CA IP Address text box, type the IP address of the Management Server that is configured as the certificate authority. In the Timeout text box, type the time, in seconds, before the Mobile VPN with IPSec client no longer attempts to connect to the certificate authority without a response. We recommend you use the default setting.
Phase1 Settings
Select the authentication and encryption methods for the Phase 1 transform for the Mobile VPN tunnel. For more information about these settings, see About IPSec Algorithms and Protocols.
From the Authentication drop-down list, select an authentication method: MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512. Tip!We recommend the SHA-2 variants, SHA-256 and SHA-512, which are stronger than SHA-1.
SHA-2 is not supported on XTM
SHA2 is supported for VPN connections from the Shrew Soft VPN client v2.2.1 or higher, or the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.
From the Encryption drop-down list, select an encryption method: AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES. Tip!We recommend AES encryption. For the best performance, choose AES (128-bit). For the strongest encryption, choose AES (256-bit). We do not recommend DES or 3DES.
To configure advanced settings, such as NAT Traversal or the key group, click Advanced. For more information, see Define Advanced Phase 1 Settings.
Phase2 Settings
To change the proposal and key expiration settings, click Proposal. For more information, see Define Advanced Phase 2 Settings.
By default, Perfect Forward Secrecy (PFS) is enabled. If you keep PFS enabled, select the Diffie-Hellman group. Tip!For stronger security, we recommend that you keep PFS enabled and keep the default Diffie-Hellman value of Group 14.
Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, see About Diffie-Hellman Groups.
- Select the Resources tab.
- Add or remove allowed network resources and virtual IP addresses:
Force All Traffic Through Tunnel
To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box. When this option is selected, Mobile VPN user Internet traffic is sent through the VPN, and websites can load more slowly for those users.
If this option is not selected, Mobile VPN user Internet traffic is not examined by Firebox policies, but users can browse the Internet more quickly.
Allowed Resources list
This list shows the resources that users in the group can get access to on the network.
If you select the Force All Traffic Through Tunnel option, the default values in the Allowed Resources list, Any-External and 0.0.0.0/0, are required. No other resources are required. In Fireware v11.12 and higher, you cannot remove the default resources or add additional resources when this option is selected.
If you do not select Force All Traffic Through Tunnel, you can add or remove allowed resources:
- To add a host IP address or network IP address to the allowed resources list, click Add.
- To delete a host IP address or network IP address from the allowed resources list, select a resource and click Remove
If you edit the allowed resources, the resource list is not automatically updated in the Mobile VPN with IPSec policies for this group. You must manually edit the allowed resources in the Mobile VPN with IPSec policies and update them as necessary. For more information, see Configure Policies to Filter IPSec Mobile VPN Traffic
Virtual IP Address Pool
This list shows the internal IP addresses that are used by Mobile VPN users over the tunnel. These addresses are used only when they are needed.
To add a host IP address or a host range of IP addresses to the virtual IP address pool, click Add.
To clear the selected host IP address or a host range of IP addresses from the virtual IP address pool, click Remove.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
- Select the Advanced tab.
- Configure the Line Management settings:
Connection mode
Manual — In this mode, the user must manually start the VPN tunnel. This is the default setting. The client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To start the VPN tunnel, in the Mobile VPN client, click Connect. Or, right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
Automatic — In this mode, the client automatically tries to start the connection when your computer sends traffic to a remote host through the VPN tunnel. If the VPN tunnel goes down, the client automatically tries to restart the VPN tunnel when an application on the client computer sends traffic to a remote host.
Variable — In this mode, to manually start the VPN tunnel the first time, the user must click Connect. After the user starts the tunnel, the tunnel runs in automatic mode until the user clicks Disconnect. If the VPN tunnel goes down before the user clicks Disconnect, the client automatically tries to restart the VPN tunnel whenever an application on the client computer sends traffic to a remote host.
Inactivity timeout
The inactivity timeout specifies the time delay after the last transmission of traffic through the tunnel before the client automatically disconnects the tunnel. The inactivity timeout can have a maximum value of 65,535 seconds. By default, the inactivity value is set to 0. With the default value of 0, the VPN client does not automatically disconnect an established tunnel after inactivity. The user must manually disconnect the tunnel.
The default Line Management settings are Manual and 0 seconds. If you change this setting, you must use the .INI file to configure the client software.
- Click OK.
- Save the configuration to the Firebox.
Users that are members of the group you edit are not able to connect until they import the correct configuration file to their WatchGuard IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users.
For more information, see Generate Mobile VPN with IPSec Configuration Files.