Select a Mobile VPN Type

Fireware supports four types of Mobile VPNs:

  • Mobile VPN with IPSec
  • Mobile VPN with SSL
  • Mobile VPN with L2TP
  • Mobile VPN with IKEv2

Your Firebox can support all four types of mobile VPNs simultaneously. You can also configure a client computer to use one or more types of mobile VPNs. Before you select which type of Mobile VPN to use, you must consider your current infrastructure and network policy preferences. Some of the things to consider when you select which type of Mobile VPN to use are described in the following sections.

The Mobile VPN with PPTP feature is not available in Fireware v12.0 and higher. If your Firebox has Fireware v11.12.4 or lower, Mobile VPN with PPTP is automatically removed from your configuration when you upgrade to Fireware v12.0 or higher. We recommend that you migrate to a different mobile VPN solution before you upgrade. For more information, see How do I migrate from PPTP to L2TP before I upgrade to Fireware v12.0? in the WatchGuard Knowledge Base. For documentation for Mobile VPN with PPTP, see Fireware Help v11.12.x.

Security

Each type of Mobile VPN has different security traits.

IKEv2

Mobile VPN with IKEv2 offers the highest level of security. Mobile VPN with IKEv2 includes multi-layer security, but it is limited to local Firebox authentication and RADIUS. Certificate-based client authentication is supported instead of a pre-shared key. Two-factor authentication is not supported.

IPSec

Mobile VPN with IPSec offers a high level of security, with support for encryption levels up to 256-bit AES, and multi-layer encryption. You can use any authentication method supported by the Firebox, including two-factor authentication with SecurID and VASCO. An attacker who has the login credentials also needs detailed setup information to connect to the VPN, including the pre-shared key.

Mobile VPN with IPSec also supports certificate-based client authentication instead of the pre-shared key.

SSL

Mobile VPN with SSL is slightly less secure than IPSec because it does not support multi-layer encryption, and because an attacker needs to know only the Firebox IP address and client login credentials to connect.

L2TP

Mobile VPN with L2TP includes multi-layer security, but it is limited to local Firebox authentication and RADIUS. The client also must know the pre-shared key.

Mobile VPN with L2TP also supports certificate-based client authentication in place of the pre-shared key.

Ease of Use

IKEv2

Mobile VPN with IKEv2 supports connections from native IKEv2 VPN clients on iOS, macOS, and Windows mobile devices. Android users can configure an IKEv2 VPN connection with the third-party strongSwan app.

Administrators can download configuration scripts from the Firebox that automatically configure an IKEv2 VPN profile on iOS, macOS, and Windows devices. The configuration script also automatically installs the certificate.

Mobile VPN with IKEv2 sends all traffic over the VPN tunnel (full tunnel).

SSL

For Windows and Mac OSX users, the client is easy to download and install. To download the VPN client, users connect over HTTPS to the Firebox and log in. After users download the client, they only need to know their login credentials to connect. As an administrator, you can enable or disable the option for the VPN client to remember the user name and password.

Clients with other operating systems and mobile devices can use OpenVPN clients to connect. To use an OpenVPN client, the user needs the client.ovpn file, which is also easy to download from the Firebox.

IPSec

Windows users can download and install the WatchGuard Mobile VPN client which offers additional features. A paid license is required after a 30-day free trial. Most Windows users prefer the free and easy-to-use Shrew VPN Client for Windows, also distributed by WatchGuard.

For both clients, you must provide the client with a configuration file. If you use the WatchGuard IPSec Mobile VPN Client, you might also need to provide the pre-shared key. We recommend that you use a secure method, such as encrypted email, to distribute the configuration file.

Tunnel routing for both Windows clients can be as broad or specific as needed, based on the allowed resources you configure.

For Mac OSX devices, you must configure a Mobile VPN profile to match the default settings of the on-device client, and configure the client to connect to the VPN. The client needs a user name and passphrase to connect.

L2TP

You can use Mobile VPN with L2TP with Windows, Mac OSX, iOS, Android, and most devices that support L2TP over IPSec. To connect, the end user must specify a user name and password which can be saved in some VPN clients.

Routing for client traffic over L2TP is controlled by the client configuration. Clients typically have an option to route all client traffic through the tunnel, or to route client traffic through the tunnel only for the same /24 subnet as the virtual IP address.

Portability

Portability refers to the network environments from which the VPN client can connect.

IKEv2

By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec.

SSL

You can configure Mobile VPN with SSL to use any TCP or UDP port, or use the default setting, TCP 443. If you use a UDP port, you must still specify a TCP port for the initial authentication request. This makes Mobile VPN with SSL portable to almost any environment that allows outbound HTTPS. However, many Internet filtering applications support content inspection for HTTPS, which can block traffic that does not conform to HTTPS protocol standards, such as Mobile VPN with SSL.

You can configure the HTTPS proxy on a Firebox to allow non-compliant HTTPS requests. To learn more about the HTTPS proxy, see HTTPS-Proxy: General Settings.

IPSec

Mobile VPN with IPSec requires the client to access the Firebox on UDP ports 500 and 4500, and ESP IP Protocol 50. This often requires a specific configuration on the client's internet gateway, so clients might not be able to connect from hotspots or with mobile Internet connections.

You can configure a Firebox to allow outbound IPSec requests. To learn more about outbound IPSec pass-through, see About Global VPN Settings.

L2TP

By default, L2TP uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50.

If you disable IPSec, Mobile VPN with L2TP requires only UDP port 1701. This type of L2TP configuration should be allowed in most environments unless the network is configured to be extremely restrictive. However, this configuration does not provide the security of IPSec.

If you disable IPSec in the Mobile VPN with L2TP configuration, you must also disable IPSec on the client devices. On some devices, this procedure might be more difficult. For information about IPSec settings on a device, see the device manufacturer’s documentation.

VPN Tunnel Capacity

When you select a type of VPN, make sure to consider the number of tunnels your device supports and whether you can purchase an upgrade to increase the number of tunnels.

The maximum number of IPSec, SSL, L2TP, and IKEv2 mobile VPN tunnels depends on the Firebox model. On some models, you must purchase additional licenses to enable the maximum tunnel capacity your Firebox model supports.

You can see the maximum number of each type of VPN tunnel your Firebox supports in the Firebox feature key. For more information, see VPN Tunnel Capacity and Licensing.

Authentication Server Compatibility

Make sure the Mobile VPN solution you choose supports the type of authentication server you use.

  • Each type of Mobile VPN supports the use of Firebox-DB, the local Firebox authentication server. With Firebox-DB, you create users and groups directly on the Firebox.
  • L2TP and IKEv2 are limited to Firebox-DB and RADIUS.
  • IKEv2 does not support two-factor authentication.
  • Mobile VPN with SSL supports every authentication method supported by the Firebox.
  • Mobile VPN with IPSec also supports every authentication method, but two-factor authentication is not supported by the free Shrew Soft client.

Mobile VPN                                                            Firebox  RADIUS  Vasco/RADIUS  SecurID  LDAP    Active Directory
WatchGuard IPSec Mobile VPN Client for Windows (Premium client)       Yes      Yes     Yes           Yes      Yes     Yes
Shrew Soft IPSec VPN Client for Windows                               Yes      Yes     No (1)        No (1)   Yes     Yes
Mobile VPN with IPSec for Mac OS X or iOS with the native VPN client  Yes      No (2)  No            Yes      No (2)  No (2)
Mobile VPN with SSL                                                   Yes      Yes     Yes           Yes      Yes     Yes
Mobile VPN with L2TP                                                  Yes      Yes     No            No       No      Yes (3)
Mobile VPN with IKEv2                                                 Yes      Yes     No            No       No      Yes (3)

  1. The Shrew Soft IPSec VPN client does not support two-factor authentication.
  2. RADIUS, LDAP, and Active Directory authentication methods are not supported for the iOS and OS X native VPN client, but might operate correctly.
  3. Active Directory authentication for L2TP and IKEv2 is supported only through a RADIUS server.

Other compatibility notes:

RADIUS 

The RADIUS server must return the Filter-Id attribute (RADIUS attribute #11) in its Access-Accept response. The value of the Filter-Id attribute must match the name of the correct group (SSLVPN-Users, or the name of the group you define in the Mobile VPN with SSL or Mobile VPN with IPSec configuration).
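The Filter-Id requirement above can be checked against an actual Access-Accept packet. The following Python is an added example (not Fireware code or WatchGuard's own check): it constructs a sample Access-Accept per RFC 2865, verifies the Response Authenticator against the shared secret, and then looks for a Filter-Id (attribute 11) equal to the configured group name. The group name, shared secret, and request authenticator used are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2      # RADIUS Code for Access-Accept (RFC 2865)
ATTR_FILTER_ID = 11    # Filter-Id, the attribute Fireware maps to a group name

def build_access_accept(identifier, request_auth, secret, attributes):
    """Build an Access-Accept packet carrying (type, value-bytes) attributes.
    Used here only to construct a sample response; a real server sends this."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet,
    rejecting malformed lengths instead of reading past the buffer."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS packet length")
    pos = 20
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad RADIUS attribute length")
        yield t, packet[pos + 2:pos + l]
        pos += l

def filter_id_matches(packet, request_auth, secret, group_name):
    """True only if packet is an authentic Access-Accept whose Filter-Id equals
    the configured Mobile VPN group name (for example SSLVPN-Users)."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return False
    # Verify the Response Authenticator before trusting any attribute
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return False
    try:
        filter_ids = [v.decode("utf-8", "replace")
                      for t, v in parse_attributes(packet) if t == ATTR_FILTER_ID]
    except ValueError:
        return False
    return group_name in filter_ids
```

An Access-Accept that is authentic but carries no Filter-Id, or a Filter-Id naming a different group, is rejected, which is the same outcome the Firebox produces when the attribute does not match the Mobile VPN group.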

Vasco RADIUS

The RADIUS Filter-Id attribute is currently not supported by Vasco. For a workaround, use the Microsoft® IAS RADIUS plug-in.

The WatchGuard Mobile VPN app for Android is no longer available in the Google Play store. The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store. WatchGuard no longer supports these legacy apps.

Other Considerations

  • Flexibility — Mobile VPN with IPSec is the only VPN type that allows you to configure different VPN configuration profiles for different groups of users.
  • Performance — Mobile VPN with SSL is the slowest VPN option.
  • Protocol Support — One advantage of Mobile VPN with L2TP as compared to Mobile VPN with IPSec is that you can use L2TP to transport protocols other than IP.

Protocol Details

Each type of mobile VPN uses different ports, protocols, and encryption algorithms to establish a connection. The required ports and protocols must be open between the mobile device and your Firebox for the mobile VPN to function.

For Mobile VPN with SSL, you can choose a different port and protocol in some cases. For more information, see Choose the Port and Protocol for Mobile VPN with SSL.

See Also

Mobile VPN with IPSec

Mobile VPN with SSL

Mobile VPN with L2TP
