Select the Type of Mobile VPN to Use

Fireware supports four types of Mobile VPNs:

  • Mobile VPN with IPSec
  • Mobile VPN with PPTP
  • Mobile VPN with SSL
  • Mobile VPN with L2TP

Your Firebox can support all four types of mobile VPNs simultaneously. You can also configure a client computer to use one or more types of mobile VPNs. Before you select which type of Mobile VPN to use, you must consider your current infrastructure and network policy preferences. Some of the things to consider when you select which type of Mobile VPN to use are described in these sections:

Security

When you consider which type of Mobile VPN to use, think about security. Each type of Mobile VPN has different security traits.

IPSec

Mobile VPN with IPSec offers the highest level of security, with support for encryption levels up to 256-bit AES, and multi-layer encryption. You can use any authentication method supported by the Firebox, including two-factor authentication with SecurID and VASCO. An attacker with the login credentials also needs detailed setup information to connect to the VPN, including the Pre-Shared Key.

Mobile VPN with IPSec also supports certificate-based client authentication in place of the Pre-Shared Key.

SSL

Mobile VPN with SSL has a slight reduction in security when compared to IPSec because it does not support multi-layer encryption, and because an attacker only needs to know the Firebox IP address and client login credentials to connect.

L2TP

Mobile VPN with L2TP also includes multi-layer security, but is limited to local Firebox authentication and RADIUS. The client also must know the Pre-Shared Key.

Mobile VPN with L2TP also supports certificate-based client authentication in place of the Pre-Shared Key.

PPTP

WatchGuard recommends against the use of Mobile VPN with PPTP due to the known weakness of its authentication protocol (MS-CHAP-v2) against dictionary attacks. Limit use of Mobile VPN with PPTP to scenarios where the user login credentials and session data do not need to be secure.

Ease of Use

SSL

For Windows and Mac users, the client is easy to download and install. Users connect over HTTPS to the Firebox and log in. After users download the client, they only need to know their login credentials to connect. As an administrator, you can enable or disable the option for the VPN client to remember the user name and password.

Clients with other operating systems and mobile devices can use OpenVPN clients to connect. To use an OpenVPN client, the user needs the client.ovpn file, which is also easy to download from the Firebox.

Mobile VPN with SSL has a limit of 24 configured routes for client traffic, which means that administrators with large network configurations might need to force all client traffic through the VPN tunnel, or use larger routes.

For information about how to work around the route limitation, see Troubleshoot Mobile VPN with SSL.

PPTP

You can use Mobile VPN with PPTP with Windows, Mac OSX, iOS, Android, and most devices that support PPTP. On many older devices, such as Palm or Windows Mobile, PPTP is the only option. To connect, the end user must type a user name and password which can be saved if the VPN client allows it.

Routing for client traffic over PPTP is controlled by the client system. Client systems typically have an option to route all client traffic through the tunnel, or to only route client traffic to the same /24 subnet as the virtual IP address through the tunnel.

IPSec

Windows users can download and install the WatchGuard Mobile VPN client, which is not free but offers additional features. Most Windows users prefer the free and easy-to-use client from Shrew Soft, also distributed by WatchGuard.

For both clients, you must provide the client with a configuration file. If you use the WatchGuard IPSec Mobile VPN Client, you might also need to provide the Pre-Shared Key. WatchGuard recommends you use a secure method, such as encrypted email, to distribute the configuration file.

Tunnel routing for both Windows clients can be as broad or specific as needed, based on the Allowed Resources you configure.

For MacOS, iOS, and Android devices, you must configure a Mobile VPN profile to match the default settings of the on-device client, and configure the client to connect to the VPN. The client needs a user name and passphrase to connect.

L2TP over IPSec

You can use Mobile VPN with L2TP with Windows, Mac OSX, iOS, Android, and most devices with L2TP over IPSec support. To connect, the end user must enter a user name and password which can be saved depending on the VPN client.

Routing for client traffic over L2TP is controlled by the client system. Client systems typically have an option to route all client traffic through the tunnel, or to only route client traffic to the same /24 subnet as the virtual IP address through the tunnel.

Portability

Portability refers to the network environments from which the VPN client can connect.

SSL

You can configure Mobile VPN with SSL to use any TCP or UDP port, or use the default setting, TCP 443. If you use a UDP port, you must still specify a TCP port for the initial authentication request. This makes Mobile VPN with SSL portable to almost any environment that allows outbound HTTPS. However, many Internet filtering applications now support content inspection for HTTPS, which can block traffic, such as Mobile VPN with SSL, that does not conform to HTTPS protocol standards.

You can configure the HTTPS proxy on a Firebox to allow non-compliant HTTPS requests. To learn more about the HTTPS proxy, see HTTPS-Proxy: General Settings.

PPTP

Mobile VPN with PPTP requires the client to access the Firebox on TCP port 1723, and IP protocol 47. This is more likely to be allowed by default than IPSec.

IPSec

Mobile VPN with IPSec requires the client to access the Firebox on UDP ports 500 and 4500, and IP Protocol 50. This often requires a specific configuration on the client's internet gateway, so clients might not be able to connect from hotspots, or with mobile Internet connections.

You can configure a Firebox to allow outbound IPSec requests. To learn more about outbound IPSec pass-through, see About Global VPN Settings.

L2TP

Mobile VPN with L2TP only requires UDP port 1701, so it should be allowed in most environments, unless the network is configured to be extremely restrictive.

VPN Tunnel Capacity

When you select a type of tunnel, make sure to consider the number of tunnels your device supports and whether you can purchase an upgrade to increase the number of tunnels.

On all device models, Mobile VPN with PPTP supports a maximum of 50 tunnels. The maximum number of IPSec, SSL, and L2TP mobile VPN tunnels depends on the device model. On some device models, you must purchase additional licenses to enable the maximum tunnel capacity your device supports.

You can see the maximum number of each type of VPN tunnel your device supports in the device feature key. For more information, see VPN Tunnel Capacity and Licensing.

Authentication Server Compatibility

When you select a Mobile VPN solution, make sure to choose a solution that supports the type of authentication server you use.

Each type of Mobile VPN supports the use of Firebox-DB, with users and groups created directly on the Firebox. Mobile VPN with PPTP and L2TP are limited to Firebox-DB and RADIUS. Mobile VPN with SSL supports every authentication method. Mobile VPN with IPSec also supports every authentication method, but two-factor authentication is not supported by the free Shrew Soft client.

Mobile VPN                                                           | Firebox | RADIUS | Vasco/RADIUS | SecurID | LDAP | Active Directory
---------------------------------------------------------------------|---------|--------|--------------|---------|------|-----------------
WatchGuard IPSec Mobile VPN Client for Windows (Premium client)      | Yes     | Yes    | Yes          | Yes     | Yes  | Yes
Shrew Soft IPSec VPN Client for Windows                              | Yes     | Yes    | No*          | No*     | Yes  | Yes
WatchGuard IPSec Mobile VPN Client for Mac OS X                      | Yes     | Yes    | Yes          | Yes     | Yes  | Yes
WatchGuard Mobile VPN with IPSec for Android****                     | Yes     | Yes    | Yes          | No      | Yes  | Yes
Mobile VPN with IPSec for Mac OS X or iOS with the native VPN client | Yes     | No**   | No           | Yes     | No** | No**
Mobile VPN with SSL                                                  | Yes     | Yes    | Yes          | Yes     | Yes  | Yes
Mobile VPN with PPTP                                                 | Yes     | Yes    | No           | No      | No   | Yes***
Mobile VPN with L2TP                                                 | Yes     | Yes    | No           | No      | No   | Yes***

* The Shrew Soft IPSec VPN client does not support two-factor authentication.

** RADIUS, LDAP, and Active Directory authentication methods are not supported for the iOS and OS X native VPN client, but might operate correctly.

*** Active Directory authentication for PPTP and L2TP is supported only through a RADIUS server.

**** WatchGuard Mobile VPN with IPSec for Android is no longer available in the Google Play store. If you already use this app, WatchGuard continues to support it.

Other compatibility notes:

RADIUS 

The RADIUS server must return the Filter-Id attribute (RADIUS attribute #11) in its Access-Accept response. The value of the Filter-Id attribute must match the name of the correct group (PPTP-Users or SSLVPN-Users, or the name of the group you define in the Mobile VPN with SSL or Mobile VPN with IPSec configuration).

Vasco RADIUS

The RADIUS Filter-Id attribute is currently not supported by Vasco. For a workaround, use the Microsoft® IAS RADIUS plug-in.
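When a RADIUS-authenticated user is accepted but not placed in the expected VPN group, the first thing to verify is whether Filter-Id is actually present in the Access-Accept. The following added example (not WatchGuard code) parses a raw RADIUS reply and reports whether attribute 11 carries the expected group name; the sample packets are constructed inline and the authenticator field is zeroed because it is not needed for this check.

```python
"""Check a RADIUS Access-Accept for the Filter-Id (attribute 11) group name
that Fireware uses to place a Mobile VPN user in the right group."""
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
FILTER_ID = 11  # RADIUS attribute number for Filter-Id (RFC 2865)

def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = payload[pos], payload[pos + 1]
        if attr_len < 2 or pos + attr_len > len(payload):
            raise ValueError("bad attribute length")
        yield attr_type, payload[pos + 2:pos + attr_len]
        pos += attr_len

def filter_ids(packet: bytes):
    """Return (code, [Filter-Id values]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]  # 4-byte header + 16-byte authenticator precede attributes
    return code, [v.decode("utf-8", "replace") for t, v in parse_attributes(attrs) if t == FILTER_ID]

def check_group(packet: bytes, expected_group: str) -> str:
    """Classify a reply the way the Firebox group mapping will see it."""
    code, groups = filter_ids(packet)
    if code != ACCESS_ACCEPT:
        return "rejected"
    if not groups:
        return "no-filter-id"
    return "ok" if expected_group in groups else "wrong-group"

def build_packet(code: int, attrs) -> bytes:
    """Build a RADIUS packet from (type, value) pairs; demo only, authenticator zeroed."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed sample replies, not captured from a real RADIUS server.
GOOD = build_packet(ACCESS_ACCEPT, [(FILTER_ID, b"SSLVPN-Users")])
MISSING = build_packet(ACCESS_ACCEPT, [(1, b"alice")])       # User-Name only
WRONG = build_packet(ACCESS_ACCEPT, [(FILTER_ID, b"Staff")])  # group name mismatch

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("missing", MISSING), ("wrong", WRONG)]:
        print(name, check_group(pkt, "SSLVPN-Users"))
```

To use it on real traffic, feed the raw UDP payload of the Access-Accept (for example, from a packet capture taken on the Firebox side) to check_group with the group name from your Mobile VPN configuration.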

Other Considerations

  • Flexibility — Mobile VPN with IPSec is the only VPN type that allows you to configure different VPN configuration profiles for different groups of users.
  • Performance — Mobile VPN with L2TP, with IPSec enabled, takes more processing power on the Firebox than Mobile VPN with IPSec, and makes NAT more difficult.
  • Protocol Support — One advantage of Mobile VPN with L2TP as compared to Mobile VPN with IPSec is that you can use L2TP to transport protocols other than IP, such as IPX or AppleTalk.

Protocol Details

Each type of mobile VPN uses different ports, protocols, and encryption algorithms to establish a connection. The required ports and protocols must be open between the mobile device and your Firebox for the mobile VPN to function.

For Mobile VPN with SSL, you can choose a different port and protocol. For more information, see Choose the Port and Protocol for Mobile VPN with SSL.
