Use Mobile VPN with IPSec with an Android Device

Mobile devices that run Android version 4.x and higher include a native VPN client. In some cases, hardware manufacturers modify the native Android VPN client to add options, or they include their own VPN client on the device.

To make an IPSec VPN connection to a Firebox from an Android device:

  • Your VPN client must operate in Aggressive mode.
  • The Firebox must run Fireware v11.5.1 or higher.
  • The Firebox must be configured with Phase 1 and 2 transforms that are supported by the Android device.

Recent versions of the native Android VPN client use Main mode, which is not compatible with Mobile VPN with IPSec. You cannot view or change the mode setting on the native Android VPN client. However, if the hardware manufacturer of your Android device modified the native VPN client, you might be able to change this setting.

If you cannot change your device settings to Aggressive mode, WatchGuard recommends that you try one of these connection methods:

  • If your hardware manufacturer installed its own VPN client on your Android device, try to connect with that client if it can operate in Aggressive mode. For more information, see the documentation from the manufacturer.
  • In the settings for the native Android VPN client, configure the L2TP with IPSec option. Next, enable L2TP on your Firebox. L2TP on the Firebox uses Main mode. For more information about L2TP, see About L2TP User Authentication.
  • Install the OpenVPN SSL client on your Android device. You must manually download the SSL client profile from the SSL Portal on your Firebox. For more information about the client profile, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.

Authentication and Encryption Settings

Android devices have a pre-configured list of supported VPN transforms. Unless the hardware manufacturer of your device modified the native Android VPN client, you cannot view this list or specify different default transforms. Recent Android OS versions have these default transforms:

Phase 1 — SHA2(256)–AES(256)–DH2

Phase 2 — SHA2(256)–AES(256)

Some older versions of Android OS use these default transforms:

Phase 1 — SHA1–AES(256)–DH2

Phase 2 — SHA1–AES(256)

In some cases, the hardware manufacturer of your Android device might specify different default transforms for the native Android VPN client.

To initiate a VPN connection to the Firebox, the Android device sends its default transform set to the Firebox. You must configure the Firebox with transforms supported by Android for the VPN connection to establish. WatchGuard recommends that you specify the default Android transform set in your Mobile VPN with IPSec settings on the Firebox.

If you specify Firebox transforms different from the default Android transform set, the Android device sends the next transform set on its list. This process repeats until the Android device finds a transform set on its list that matches the Firebox settings, or until the Android device reaches a retry limit or has no additional transforms to test.
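The negotiation described above can be modelled offline to check a planned Firebox transform selection against a device's proposal list. This is an added example, not WatchGuard code: the `Transform`, `negotiate` and `diagnose` names, the order of the device list, and the retry limit of 3 are assumptions, because the page states neither the list order nor the limit.

```python
from typing import NamedTuple, Optional, Sequence, Tuple

class Transform(NamedTuple):
    auth: str            # integrity algorithm, e.g. "SHA2-256"
    enc: str             # encryption algorithm, e.g. "AES-256"
    dh: Optional[str]    # Diffie-Hellman group (Phase 1 only, None for Phase 2)

# Default transform sets quoted on this page.
RECENT_P1 = Transform("SHA2-256", "AES-256", "DH2")
RECENT_P2 = Transform("SHA2-256", "AES-256", None)
OLDER_P1 = Transform("SHA1", "AES-256", "DH2")
OLDER_P2 = Transform("SHA1", "AES-256", None)

def negotiate(device_list: Sequence[Transform],
              firebox_allowed: Sequence[Transform],
              retry_limit: int) -> Optional[Tuple[int, Transform]]:
    """Return (attempt number, agreed transform), or None on failure.

    The device offers one set per attempt, in list order, and stops at the
    retry limit or when it has no more transforms to test.
    """
    allowed = set(firebox_allowed)
    for attempt, proposal in enumerate(device_list[:retry_limit], start=1):
        if proposal in allowed:
            return attempt, proposal
    return None

def diagnose(device_p1, device_p2, firebox_p1, firebox_p2, retry_limit=3) -> str:
    """Report which phase blocks the tunnel, or how many attempts it took."""
    p1 = negotiate(device_p1, firebox_p1, retry_limit)
    if p1 is None:
        return "phase1-mismatch"
    p2 = negotiate(device_p2, firebox_p2, retry_limit)
    if p2 is None:
        return "phase2-mismatch"
    if p1[0] == 1 and p2[0] == 1:
        return "ok-default"          # the configuration WatchGuard recommends
    return f"ok-after-retries(p1={p1[0]},p2={p2[0]})"

# Constructed device lists: recent default first, older default second (assumed order).
DEVICE_P1 = [RECENT_P1, OLDER_P1]
DEVICE_P2 = [RECENT_P2, OLDER_P2]

if __name__ == "__main__":
    print(diagnose(DEVICE_P1, DEVICE_P2, [RECENT_P1], [RECENT_P2]))
    print(diagnose(DEVICE_P1, DEVICE_P2, [OLDER_P1], [OLDER_P2]))
    print(diagnose(DEVICE_P1, DEVICE_P2,
                   [Transform("SHA2-256", "AES-256", "DH14")], [RECENT_P2]))
```

A result other than `ok-default` means the Firebox is not offering the device's first transform set, which is the case to look for in Traffic Monitor when a connection is slow to establish or fails.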

To troubleshoot connection issues, see Troubleshoot Mobile VPN with IPSec and Traffic Monitor.

Configure the Firebox

Before you can connect with the native Android VPN client, you must configure the Mobile VPN with IPSec settings on your Firebox.

The WatchGuard Mobile VPN app for Android is no longer available in the Google Play store. Information about the WatchGuard Mobile VPN app for Android is provided as a reference for legacy installations.

To authenticate from the Android VPN client, Android VPN users must be members of the authentication group you specified in the Add Mobile VPN with IPSec Wizard.

  • For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
  • If you use a third-party authentication server, use the instructions provided in your vendor documentation.

Configure the Native Android VPN Client

After you configure the Firebox, users in the authentication group you specified in the Mobile VPN with IPSec profile on the Firebox can use the native Android VPN client to connect. To use the native Android VPN client, the user must manually configure the VPN client settings to match the settings configured on the Firebox.

To manually configure the native VPN client on the Android device:

  1. On the Settings page, in the Wireless & Networks section, select More > VPN.
  2. Click Add VPN Network.
    The Edit VPN network page appears.
  3. Configure these settings:
    • Name — A name to identify this VPN connection on the Android device
    • Type — Select IPSec Xauth PSK
    • Server address — The external IP address of the Firebox
    • IPSec Identifier — The group name you specified in the Firebox Mobile VPN with IPSec configuration
    • IPSec pre-shared key — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
  4. Save the connection.
  5. Open the connection and type the Username and Password for a user in the specified authentication group.

Screen shot of the Android VPN client Connect page

  6. Click Connect.

To verify that your connection was successful and that the VPN tunnel is active, browse to a website that shows your IP address, such as www.whatismyip.com. If your Android device is connected through the VPN, your IP address is the external IP address of the Firebox.

Configure the WatchGuard Mobile VPN App for Android

The WatchGuard Mobile VPN app for Android is no longer available in the Google Play store. The information in this topic is provided as a reference for legacy installations.

If your mobile users use the WatchGuard Mobile VPN app for Android, you can generate a VPN profile and send it to the Mobile VPN user. This configures the WatchGuard Mobile VPN app to connect with Mobile VPN with IPSec.

Before you configure the WatchGuard Mobile VPN app, you must generate the .wgm profile for the Mobile VPN with IPSec group.

For information about how to generate the profile, see Generate Mobile VPN with IPSec Configuration Files.

To use the .wgm profile to configure the WatchGuard Mobile VPN app:

  1. Send the .wgm profile to the mobile users as an email attachment.
  2. Use a secure method to give the passphrase to the mobile users.
  3. In the email client on the Android device, open the email that contains the .wgm file attachment.
  4. Open the .wgm file attachment.
    The WatchGuard Mobile VPN app launches.
  5. Type the passphrase received from the administrator to decrypt the file.
    The WatchGuard Mobile VPN app imports the configuration and creates a VPN connection profile.
  6. Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN connection.

See Also

Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Define Advanced Phase 2 Settings
