Use Mobile VPN with IPSec with an Android Device

Mobile devices that run Android version 4.x and higher include a native VPN client. You can use the Android VPN client to make an IPSec VPN connection to a Firebox that runs Fireware v11.5.1 or higher. To do this, you must configure the VPN settings on your Firebox to match those on the Android device. Then, manually configure the VPN client settings on the Android device to match the settings on the Firebox. We recommend you use Android version 4.0.4 or higher for IPSec VPN connections to a WatchGuard Firebox.

You can use the same Mobile VPN with IPSec settings for VPN connections from the native Android VPN client.

In the Mobile VPN with IPSec settings on the Firebox, do not use SHA2 in the Phase 1 and Phase 2 settings. SHA2 is not supported on the VPN clients on Android devices.

You cannot use a certificate for VPN tunnel authentication between the native VPN client and a Firebox. This does not work because the VPN client uses main mode, and the Firebox uses aggressive mode for Phase 1 VPN negotiations.
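
An added example, not WatchGuard code: a pre-deployment check that applies the compatibility limits stated above (Fireware and Android versions, no SHA2 in Phase 1 or Phase 2, no certificate tunnel authentication) to a profile description. The dictionary field names and sample values are hypothetical and constructed for illustration; they are not a Firebox configuration format.

```python
import re

MIN_FIREWARE = (11, 5, 1)        # "Fireware v11.5.1 or higher"
MIN_ANDROID = (4, 0, 0)          # native client: "Android version 4.x and higher"
RECOMMENDED_ANDROID = (4, 0, 4)  # "We recommend ... 4.0.4 or higher"


def parse_version(text):
    """'v11.5.1' -> (11, 5, 1); missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple((nums + [0, 0, 0])[:3])


def is_sha2(name):
    """True for SHA2 spellings such as SHA2-256, SHA-256, sha512, HMAC-SHA384."""
    flat = re.sub(r"[^A-Z0-9]", "", name.upper())
    return re.search(r"SHA(2|384|512)", flat) is not None


def check_profile(profile, android_version):
    """Return (severity, code) findings for one profile/device pair."""
    findings = []
    if parse_version(profile["fireware"]) < MIN_FIREWARE:
        findings.append(("error", "fireware-too-old"))
    android = parse_version(android_version)
    if android < MIN_ANDROID:
        findings.append(("error", "android-no-native-client"))
    elif android < RECOMMENDED_ANDROID:
        findings.append(("warning", "android-below-recommended"))
    if profile["tunnel_auth"].lower() != "psk":
        # Certificate tunnel authentication does not work with the native client.
        findings.append(("error", "certificate-tunnel-auth"))
    for phase in ("phase1_auth", "phase2_auth"):
        if is_sha2(profile[phase]):
            findings.append(("error", f"{phase}-uses-sha2"))
    return findings


# Constructed sample profiles; field names are hypothetical.
GOOD = {"fireware": "v11.5.1", "tunnel_auth": "psk",
        "phase1_auth": "SHA1", "phase2_auth": "SHA1"}
BAD = {"fireware": "v11.4.2", "tunnel_auth": "certificate",
       "phase1_auth": "SHA2-256", "phase2_auth": "sha512"}

if __name__ == "__main__":
    for name, prof, droid in (("GOOD", GOOD, "4.4.2"), ("BAD", BAD, "4.0.3")):
        print(name, check_profile(prof, droid))
```
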

You can use the same generated profile for VPN connections from the Mac OS X or iOS devices. For information about how to configure the VPN client on an iOS device, see Use the Mac OS X or iOS Native IPSec VPN Client.

If you have an older Android phone installed with the WatchGuard Mobile VPN app for Android, a legacy app that is no longer available in the Google Play store, you can continue to use the app. WatchGuard continues to support the WatchGuard Mobile VPN app for Android. For connections from new Android devices, we recommend you use the native Android VPN client. For more information, see About the WatchGuard Mobile VPN App.

Configure the Firebox

You use the same Mobile VPN with IPSec configuration settings for the native Android VPN client and for the WatchGuard Mobile VPN app.

To authenticate from the Android VPN client, Android VPN users must be members of the authentication group you specified in the Add Mobile VPN with IPSec Wizard.

  • For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
  • If you use a third-party authentication server, use the instructions provided in your vendor documentation.

Configure the Native Android VPN Client

After you configure the Firebox, users in the authentication group you specified in the Mobile VPN with IPSec profile on the Firebox can use the native Android VPN client to connect. To use the native Android VPN client, the user must manually configure the VPN client settings to match the settings configured on the Firebox.

To manually configure the native VPN client on the Android device:

  1. On the Settings page, in the Wireless & Networks section, select More > VPN.
  2. Click Add VPN Network.
    The Edit VPN network page appears.
  3. Configure these settings:
    • Name — A name to identify this VPN connection on the Android device
    • Type — Select IPSec Xauth PSK
    • Server address — The external IP address of the Firebox
    • IPSec Identifier — The group name you specified in the Firebox Mobile VPN with IPSec configuration
    • IPSec pre-shared key — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
  4. Save the connection.
  5. Open the connection and type the Username and Password for a user in the specified authentication group.

    Screen shot of the Android VPN client Connect page

  6. Click Connect.

To verify your connection was successful and that the VPN tunnel is active, browse to a website that shows your IP address, such as www.whatismyip.com. If your Android device is connected through the VPN, your IP address is the external IP address of the Firebox.

Configure the WatchGuard Mobile VPN App for Android

If your mobile users use the WatchGuard Mobile VPN app for Android, you can generate a VPN profile and send it to the Mobile VPN user. This configures the WatchGuard Mobile VPN app to connect with Mobile VPN with IPSec.

The WatchGuard Mobile VPN app for Android is no longer available in the Google Play store. If you already use this app, WatchGuard continues to support it.

Before you configure the WatchGuard Mobile VPN app, you must generate the .wgm profile for the Mobile VPN with IPSec group.

For information about how to generate the profile, see Generate Mobile VPN with IPSec Configuration Files.

To use the .wgm profile to configure the WatchGuard Mobile VPN App:

  1. Send the .wgm profile to the mobile users as an email attachment.
  2. Use a secure method to give the passphrase to the mobile users.
  3. On the Android device, install the free WatchGuard Mobile VPN app from the Google Play app store.
  4. In the email client on the Android device, open the email that contains the .wgm file attachment.
  5. Open the .wgm file attachment.
    The WatchGuard Mobile VPN app launches.
  6. Type the passphrase received from the administrator to decrypt the file.
    The WatchGuard Mobile VPN app imports the configuration and creates a VPN connection profile.
  7. Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN connection.

See Also

Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Define Advanced Phase 2 Settings