Define Advanced Phase 1 Settings

You can define the advanced Phase 1 settings for your Mobile VPN user profile.

To configure advanced Phase 1 settings, from Fireware Web UI:

  1. On the Edit Mobile VPN with IPSec page, select the IPSec Tunnel tab.
  2. In the Phase 1 Settings section, click Advanced.
    The Phase 1 Advanced Settings appear.

Screen shot of the MVPN with IPSec Settings page, Phase 1 Advanced Settings

  3. Configure the settings for the group, as described in the subsequent section.
    We recommend you use the default settings.
  4. Click OK.
  5. Click Save.

To configure advanced Phase 1 settings, from Policy Manager:

  1. From the IPSec Tunnel tab of the Edit Mobile VPN with IPSec dialog box, click Advanced.
    The Phase 1 Advanced Settings dialog box appears.
  2. Configure the settings for the group, as described in the subsequent section.
    We recommend you use the default settings.
  3. Click OK.

Phase 1 Options

SA Life

Select an SA (security association) lifetime and select Hour or Minute from the drop-down list. When the SA expires, a new Phase 1 negotiation starts. A shorter SA life is more secure, but each SA renegotiation can cause existing connections to fail.

Key Group

Select a Diffie-Hellman group supported by the IPSec VPN client you use.

  • The WatchGuard IPSec Mobile VPN client supports groups 1, 2, 5, and 14.
  • The Shrew Soft VPN client supports groups 1, 2, 5, 14, and 15.

Diffie-Hellman groups determine the strength of the master key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key.

NAT Traversal

Select this check box to build a Mobile VPN tunnel between the Firebox and a VPN client that is behind a NAT device. NAT Traversal, or UDP Encapsulation, allows traffic to route to the correct destinations. NAT Traversal is enabled by default. Disable it only if you do not need tunnels between the Firebox and VPN clients behind a NAT device.

IKE Keep-alive

Select this check box only if this group connects to an older Firebox that does not support Dead Peer Detection. Fireboxes with Fireware v9.x or lower, Edge devices with v8.x or lower, and all versions of WFS do not support Dead Peer Detection. For these devices, select this check box so that the Firebox sends messages to its IKE peer to keep the VPN tunnel open. Do not select both IKE Keep-alive and Dead Peer Detection.

Message interval

Select the number of seconds for the IKE keep-alive message interval.

Max failures

Set the maximum number of times the Firebox waits for a response to the IKE keep-alive messages before it terminates the VPN connection and starts a new Phase 1 negotiation.

Dead Peer Detection

Select this check box to enable Dead Peer Detection (DPD). Both endpoints must support DPD. All Firebox or XTM devices with Fireware v10.x or higher and Edge v10.x or higher support DPD. Do not select both IKE Keep-alive and Dead Peer Detection.

DPD is based on RFC 3706 and uses IPSec traffic patterns to determine if a connection is available before a packet is sent. When you select DPD, a message is sent to the peer when no traffic has been received from the peer within the selected time period. If DPD determines a peer is unavailable, additional connection attempts are not made.

Traffic idle timeout

Set the number of seconds the Firebox waits before it checks to see if the other device is active.

Max retries

Set the maximum number of times the Firebox tries to connect before it determines the peer is unavailable, terminates the VPN connection, and starts a new Phase 1 negotiation.
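The following is an added example, not WatchGuard code, that models how the two DPD tunables above (Traffic idle timeout and Max retries) interact on a constructed timeline of inbound tunnel traffic. It assumes, as a simplification, that retries are spaced by the same idle timeout and that any inbound traffic or DPD reply resets the counter.

```python
"""Simulation of the RFC 3706 style Dead Peer Detection behaviour described above.

Added example, not WatchGuard code. Assumptions: probes are retried at the
idle-timeout interval, and any inbound traffic (or DPD reply) proves liveness.
"""
from dataclasses import dataclass, field


@dataclass
class DpdMonitor:
    idle_timeout: int            # seconds of silence before a DPD probe is sent
    max_retries: int             # unanswered probes before the peer is declared dead
    last_rx: float = 0.0         # time of last traffic (or DPD reply) from the peer
    next_probe_at: float = 0.0
    unanswered: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.next_probe_at = self.last_rx + self.idle_timeout

    def traffic_received(self, now: float) -> None:
        """Any inbound IPsec traffic or DPD reply resets the idle timer and retry count."""
        self.last_rx = now
        self.unanswered = 0
        self.next_probe_at = now + self.idle_timeout

    def tick(self, now: float) -> str:
        """Advance the clock; returns 'idle', 'probe' or 'dead'."""
        if now < self.next_probe_at:
            return "idle"
        if self.unanswered >= self.max_retries:
            self.log.append((now, "peer dead: tear down SA, start new Phase 1"))
            return "dead"
        self.unanswered += 1
        self.log.append((now, f"send DPD probe #{self.unanswered}"))
        self.next_probe_at = now + self.idle_timeout   # wait again before retrying
        return "probe"


def simulate(idle_timeout, max_retries, rx_times, end, step=1):
    """Run the monitor over constructed arrival times; return (time declared dead or None, log)."""
    mon = DpdMonitor(idle_timeout, max_retries)
    pending = sorted(rx_times)
    for now in range(0, end + 1, step):
        while pending and pending[0] <= now:
            mon.traffic_received(pending.pop(0))
        if mon.tick(now) == "dead":
            return now, mon.log
    return None, mon.log


if __name__ == "__main__":
    # Constructed timeline: traffic at 5, 15 and 30 s, then silence.
    for entry in simulate(20, 3, [5, 15, 30], 200)[1]:
        print(entry)
```

With a 20 second idle timeout and 3 retries, silence after t=30 produces probes at 50, 70 and 90 and the peer is declared dead at 110; a single reply at t=75 resets the count and pushes that out to 155.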
