Mobile VPN Traffic Through a Branch Office VPN Tunnel

You can configure a Firebox to send traffic from mobile VPN users to a remote network through a branch office VPN tunnel. When you configure a mobile VPN, you assign virtual IP addresses to the mobile VPN users. These are the IP addresses the Firebox sees when the mobile users send traffic to the local network, or to a remote network connected by a branch office VPN tunnel.

To enable mobile VPN clients to get access to network resources through a branch office VPN tunnel, you must make sure that:

  • The mobile VPN client sends traffic to the remote networks through the mobile VPN tunnel
  • The branch office VPN can send traffic from mobile VPN user virtual IP addresses to the remote network
  • The policies that control mobile VPN and branch office VPN traffic allow traffic between the mobile VPN clients and the remote network

Configure Mobile VPN Client Routes

Mobile VPN with IPSec

You can configure Mobile VPN with IPSec to force all network traffic from the VPN client through the tunnel, or you can specify the network resources the VPN client can access through the tunnel. If you specify the allowed network resources in the Mobile VPN with IPSec profile, make sure the allowed resources list includes the IP address of the remote networks.

For information about how to edit the allowed resources, see Modify an Existing Mobile VPN with IPSec Group Profile.

If you edit the allowed resources in a Mobile VPN with IPSec group profile, the resource list is not automatically updated in the Mobile VPN with IPSec policies for this group. If necessary, you must also edit the Mobile VPN with IPSec policies for the group to add the same resources.

For information about how to edit the IPSec policies, see Configure Policies to Filter IPSec Mobile VPN Traffic.

If you update the allowed resources in an existing Mobile VPN with IPSec profile, you must distribute a new configuration file to each user.

For information about how to distribute configuration profiles, see Distribute the Software and Profiles.

Mobile VPN with SSL

When you configure Mobile VPN with SSL on your Firebox, you select whether to bridge or route VPN traffic to the network.

If you select Bridge VPN Traffic, the Firebox assigns each VPN client an IP address on one of your internal networks. With this configuration, the Mobile VPN with SSL client sends all traffic that does not overlap with the client's local network through the SSL VPN tunnel. This enables traffic to go through the branch office VPN tunnel as if the client were directly connected to your internal network.

If you select Routed VPN Traffic, you can configure the client to force all client traffic through the tunnel, or to send only specific network traffic through the tunnel. If you don't force all the traffic through the tunnel, you must select Specify allowed resources, and then specify the network resources the VPN client can access through the tunnel. If you specify the allowed network resources, make sure the allowed resources list includes the IP address of the remote networks.

Mobile VPN with L2TP and Mobile VPN with PPTP

You do not configure tunnel routes for the Mobile VPN with PPTP and Mobile VPN with L2TP VPN clients on the Firebox. Instead, tunnel routes are defined on the client computer. On most client devices, the user can choose to force all outbound traffic through the mobile VPN tunnel (default-route VPN), or to route traffic through the tunnel only to destinations on the same subnet as the virtual IP address assigned to the VPN client (split-tunnel VPN). For example, in a split-tunnel VPN, a client that uses a virtual IP address of 10.0.2.230 only sends traffic for the 10.0.2.x network through the mobile VPN tunnel. If you want the VPN client to send traffic to other networks through the mobile VPN tunnel, you must either configure the VPN client to force all traffic through the tunnel, or you must manually add TCP/IP routes to the routing table on the client computer.

To learn how to configure the split-tunnel and default-route VPN options for a Windows VPN client, see:

Configure Manual Branch Office VPN Routes

Branch office VPN tunnel routes define which local network traffic the Firebox sends through the VPN tunnel to remote networks. If you want the Firebox to send traffic from mobile VPN users through a branch office VPN tunnel, you must make sure that the branch office VPN configuration includes a tunnel route from the network that includes the mobile VPN client's virtual IP address to the remote network.

If a branch office VPN tunnel route to the remote network has a local address of 0.0.0.0/0, then all traffic from the local network that does not overlap with other configured routes is sent through the branch office VPN tunnel, including traffic from your mobile VPN clients.

If you need to add a new branch office VPN tunnel route that includes the mobile VPN client virtual IP addresses, make sure to add the matching route in the VPN configuration on the remote VPN device. For more information, see Add Routes for a Tunnel.

For an example of how to add VPN tunnel routes for connections from the Mobile VPN with SSL client, see Allow Mobile VPN with SSL Users to use Resources Through a BOVPN Tunnel.

Configure BOVPN Virtual Interface Routes

For a BOVPN virtual interface, you do not explicitly configure the local and remote addresses for each tunnel route. Instead, you configure static routes that use the BOVPN virtual interface as a gateway. Because BOVPN virtual interface routes do not specify which local networks can send traffic through the tunnel, traffic from mobile VPN clients can be sent through the tunnel to any destination as long as a route exists to the remote network.
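As an added example (not WatchGuard code or part of this documentation), the following Python models the two routing checks described above, the client-side tunnel route and the Firebox-side BOVPN tunnel route, including the split-tunnel behaviour described for L2TP and PPTP clients, the 0.0.0.0/0 local address case, and BOVPN virtual interface routes that have no local address. All addresses, route lists and function names are constructed; the policy check is not modelled.

```python
# Added example, not WatchGuard's code. Models the routing conditions a mobile VPN
# user must satisfy to reach a remote network through a BOVPN tunnel.
from ipaddress import ip_address, ip_network

def client_sends_through_tunnel(mode, virtual_ip, dest, allowed=(), split_prefix=24):
    """Client-side tunnel route: does the client send `dest` into the mobile VPN tunnel?
    mode: "default" = force all traffic; "split" = only the virtual IP's own subnet
    (L2TP/PPTP split tunnel, subnet size assumed /24 here); any other value = use the
    allowed-resources list (IPSec/SSL routed mode)."""
    if mode == "default":
        return True
    if mode == "split":
        client_subnet = ip_network(f"{virtual_ip}/{split_prefix}", strict=False)
        return ip_address(dest) in client_subnet
    return any(ip_address(dest) in ip_network(net) for net in allowed)

def bovpn_route_for(routes, virtual_ip, dest):
    """Firebox-side BOVPN tunnel route. Each route is (local_network, remote_network);
    a manual tunnel route names both, a BOVPN virtual interface route has local=None
    because only a destination network is configured. Returns the matching route."""
    src, dst = ip_address(virtual_ip), ip_address(dest)
    for local, remote in routes:
        if dst not in ip_network(remote):
            continue
        # A 0.0.0.0/0 local address contains every source, including virtual IPs.
        if local is None or src in ip_network(local):
            return (local, remote)
    return None

def mobile_user_can_reach(mode, virtual_ip, dest, routes, allowed=()):
    """Return (ok, reason) for one mobile VPN client and one remote destination."""
    if not client_sends_through_tunnel(mode, virtual_ip, dest, allowed):
        return False, "client does not route this destination into the mobile VPN tunnel"
    if bovpn_route_for(routes, virtual_ip, dest) is None:
        return False, "no BOVPN tunnel route covers both the virtual IP and the remote network"
    return True, "routed"

# Constructed sample configuration: virtual IP pool 10.0.2.0/24, two tunnel routes.
BOVPN_ROUTES = [
    ("192.168.1.0/24", "172.16.0.0/16"),  # manual route for the local LAN only
    ("0.0.0.0/0", "10.50.0.0/16"),        # any local source may reach this remote net
]

if __name__ == "__main__":
    for dest in ("172.16.5.10", "10.50.1.1"):
        print(dest, mobile_user_can_reach("default", "10.0.2.230", dest, BOVPN_ROUTES))
```

The first destination fails because the tunnel route's local address does not include the virtual IP pool; adding a route such as ("10.0.2.0/24", "172.16.0.0/16") on both VPN endpoints makes it pass.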

For information about BOVPN virtual interface routes, see Configure VPN Routes.

Configure Policies to Allow the Connection

Policies control traffic allowed through all VPN tunnels. You must make sure that all policies that control VPN traffic allow the traffic between the remote network and the virtual IP addresses of the mobile VPN users.

On the remote device, confirm that the policy that allows traffic through the branch office VPN tunnel includes the virtual IP address of the VPN client. If the remote device is a Firebox, the alias of the branch office VPN tunnel appears in the BOVPN-Allow.in and BOVPN-Allow.out policies by default. This means that the policy allows all traffic that matches the routes for this tunnel.

On the local device, the policies that control mobile VPN traffic also apply to traffic through the branch office VPN tunnel. Make sure that the policies for each mobile VPN client allow connections to remote network resources.

Mobile VPN with IPSec

The policies that apply to traffic from Mobile VPN with IPSec users are in the Mobile VPN with IPSec tab in Policy Manager. By default, Mobile VPN with IPSec users have full access to all resources with the Any Mobile VPN with IPSec policy. If you make a change to the allowed resources for a Mobile VPN with IPSec profile, you might also need to update the policy for that profile to include the new resources.

For information about how to edit the IPSec policies, see Configure Policies to Filter IPSec Mobile VPN Traffic.

Mobile VPN with SSL

When you configure Mobile VPN with SSL, the Firebox automatically creates the Allow SSLVPN-Users policy, which allows traffic from the user group SSLVPN-Users to Any. If you have modified this policy to be more specific, you might need to update the policy to include the remote networks.

For more information, see Configure the Firebox for Mobile VPN with SSL.

Mobile VPN with L2TP

When you configure Mobile VPN with L2TP, the L2TP setup wizard automatically creates the Allow L2TP-Users policy, which allows traffic from the user group L2TP-Users to Any. If you have modified this policy to be more specific, you might need to update the policy to include the remote networks.

For more information, see About L2TP Policies.

Mobile VPN with PPTP

When you configure Mobile VPN with PPTP, you must create a policy to allow those users access to local or remote networks. To allow traffic to the remote networks, make sure that there is a policy that allows traffic from PPTP clients to the remote network.

For information about how to edit the IPSec policies, see Configure Policies to Filter IPSec Mobile VPN Traffic.

See Also

Virtual IP Addresses and Mobile VPNs

About Manual Branch Office VPNs
