Modify an Existing Mobile VPN with IPSec Group Profile

After you create a Mobile VPN with IPSec group, you can edit the profile to:

  • Change the shared key
  • Add access to more hosts or networks
  • Restrict access to a single destination port, source port, or protocol
  • Change the Phase 1 or Phase 2 settings
  • (Fireware v12.2.1 or higher) Specify DNS and WINS server settings

Configure a Mobile VPN with IPSec Group

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the IPSec section, select Configure.
    The Mobile VPN with IPSec page appears.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.

Screen shot of the Mobile VPN with IPSec configuration page

  1. From the Groups list, select a group and click Edit.
    The Mobile User VPN with IPSec Settings page appears.

Screen shot of the MVPN with IPSec Settings page, General tab

  1. To edit the group profile, configure these options:

Authentication Server

Select the authentication server to use for this Mobile VPN group. You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory authentication server. Make sure that this method of authentication is enabled.

Passphrase

To change the passphrase that encrypts the .WGX file, type a new passphrase. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.

Confirm

Type the new passphrase again.

Primary

Type the primary external IP address or domain to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a Firebox in drop-in mode, specify the IP address assigned to all interfaces.

Backup

Type a backup external IP address or domain to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to a Firebox external interface or VLAN.

Session Timeout

Select the maximum time in minutes that a Mobile VPN session can be active.

Idle Timeout

Select the time in minutes before the Firebox closes an idle Mobile VPN session. The session and idle timeout values are the default timeouts if the authentication server does not return specific timeout values. If you use the Firebox as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts in each Firebox user account.

The default value is 8 hours.

The session and idle timeouts cannot be longer than the value in the SA Life text box.

To set this value:

  1. Select the IPSec Tunnel tab.
  2. In the Phase 1 Settings section, click Advanced.
  1. Select the IPSec Tunnel tab.

Screen shot of the MVPN with IPSec Settings, edit IPSec page, IPSec Tunnel tab

  1. Configure these options to edit the IPSec settings:

IPSec Tunnel Settings

You can use a pre-shared key or a certificate for tunnel authentication.

To use the passphrase of the end-user profile as the pre-shared key for tunnel authentication, select Use the passphrase of the end-user profile as the pre-shared key. The passphrase is set on the General tab in the Passphrase section. You must use the same shared key on the remote device. The shared key can use only standard ASCII characters.

To use a certificate for tunnel authentication, select Use a certificate.
For more information, go to Certificates for Mobile VPN With IPSec Tunnel Authentication (Web UI).

If you use a certificate, you must also specify the CA IP Address and Timeout. In the CA IP Address text box, type the IP address of the Management Server that is configured as the certificate authority. In the Timeout text box, type the time, in seconds, before the Mobile VPN with IPSec client no longer attempts to connect to the certificate authority without a response. We recommend that you use the default setting.

Phase 1 Settings

Select the authentication and encryption methods for the Phase 1 transform for the Mobile VPN tunnel. For more information about these settings, go to About IPSec Algorithms and Protocols.

From the Authentication drop-down list, select an authentication method: MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512. Tip!

SHA2 is supported for VPN connections from the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the WatchGuard IPSec VPN client.

From the Encryption drop-down list, select an encryption method: AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES. Tip!

To configure advanced settings, such as NAT Traversal or the key group, click Advanced. For more information, go to Define Advanced Phase 1 Settings.

Phase 2 Settings

To change the proposal and key expiration settings, click Proposal. For more information, go to Define Advanced Phase 2 Settings.

By default, Perfect Forward Secrecy (PFS) is enabled. If you keep PFS enabled, select the Diffie-Hellman group. Tip!

Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, go to About Diffie-Hellman Groups.

  1. Select the Resources tab.

Screen shot of the MVPN with IPSec edit settings page, Resources tab

  1. Configure these options:

Allow All Traffic Through Tunnel

Select this check box to send all Mobile VPN user Internet traffic through the VPN tunnel. When this option is selected, Mobile VPN user Internet traffic is sent through the VPN. Websites might load more slowly for those users.

If this option is not selected, Mobile VPN user Internet traffic is not examined by Firebox policies, but users can browse the Internet more quickly.

Allowed Resources

This list includes the network resources that are available to users in the Mobile VPN group.

If you select the Allow All Traffic Through Tunnel option, the default values in the Allowed Resources list, Any-External and 0.0.0.0/0, are required. No other resources are required. You cannot remove the default resources or add additional resources when this option is selected.

If you do not select Allow All Traffic Through Tunnel, you can add or remove allowed resources:

  • To add an IP address or a network IP address to the network resources list, select Host IP or Network IP, type the address, and click Add.
  • To delete an IP address or network IP address from the resources list, select a resource and click Remove.

If you edit the allowed resources, the resource list is automatically updated only in the default Mobile VPN with IPSec policy for this group. The resources are not automatically updated for any other Mobile VPN with IPSec policies for group. You must edit the allowed resources in the Mobile VPN with IPSec policies and update if necessary. For more information, go to Configure Policies to Filter IPSec Mobile VPN Traffic.

Virtual IP Address Pool

The internal IP addresses that are used by Mobile VPN users over the tunnel appear in this list. These addresses cannot be used by any network devices or other Mobile VPN groups.

  • To add a host IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.
  • To delete a host or network IP address from the virtual IP address pool, select the host or IP address and click Remove.

For more information about virtual IP addresses, go to Virtual IP Addresses and Mobile VPNs.

  1. Select the Advanced tab.

Screen shot of the Mobile VPN with IPSec Settings page, Advanced tab

  1. Configure the Line Management settings:

Connection mode

Manual — In this mode, the user must manually start the VPN tunnel. This is the default setting. The client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To start the VPN tunnel, click Connect in the Mobile VPN client. Or, right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.

Automatic — In this mode, the client automatically tries to start the connection when your computer sends traffic to a remote host through the VPN tunnel. If the VPN tunnel goes down, the client automatically tries to restart the VPN tunnel when an application on the client computer sends traffic to a remote host.

Variable — In this mode, to manually start the VPN tunnel the first time, the user must click Connect. After the user starts the tunnel, the tunnel runs in automatic mode until the user clicks Disconnect. If the VPN tunnel goes down before the user clicks Disconnect, the client automatically tries to restart the VPN tunnel when an application on the client computer sends traffic to a remote host.

Inactivity timeout

The inactivity timeout specifies the time delay after the last transmission of traffic through the tunnel before the client automatically disconnects the tunnel. The inactivity timeout can have a maximum value of 65,535 seconds. By default, the inactivity value is set to 0. With the default value of 0, the VPN client does not automatically disconnect an established tunnel after inactivity. The user must manually disconnect the tunnel.

The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .INI file to configure the client software.

  1. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users,go to Configure DNS and WINS Servers for Mobile VPN with IPSec.

  1. Click Save.
    The Mobile VPN with IPSec page appears.
  2. Click Save.
  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN > IPSec.
  2. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec Configuration dialog box appears.

Screen shot of the Mobile VPN with IPSec Configuration dialog box

  1. From the profile list, select the group to change.
  2. Click Edit.
    The Edit Mobile VPN with IPSec dialog box appears.

Screen shot of the Edit Mobile VPN with IPSec dialog box

  1. On the General tab, edit the group profile and configure these settings:

Authentication Server

Select the authentication server to use for this Mobile VPN group. You can authenticate users with the internal Firebox database (Firebox-DB) or with a RADIUS, VASCO, SecurID, LDAP, or Active Directory authentication server.

To configure your authentication server, select Setup > Authentication > Authentication Servers.

Passphrase

Type a passphrase to encrypt the Mobile VPN profile (.wgx file) that you distribute to users in this group. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.

Confirm

Type the passphrase again.

Primary

Select or type the primary external IP address or domain to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a Firebox in drop-in mode, use the IP address assigned to all interfaces.

Backup

Type or select the backup external IP address or domain to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to a Firebox external interface or VLAN.

Session

Select the maximum time in minutes that a Mobile VPN session can be active.

Idle

Select the time in minutes before the Firebox closes an idle Mobile VPN session. The session and idle timeout values are the default timeouts if the authentication server does not return specific timeout values. If you use the Firebox as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts in each Firebox user account.

The session and idle timeouts cannot be longer than the value specified for the SA Life. To set this value, from the IPSec Tunnel tab of the Edit Mobile VPN with IPSec dialog box, click Advanced. The default value is 8 hours.

  1. Select the IPSec Tunnel tab.

Screen shot of the Edit MVPN with IPSec dialog box - IPSec Tunnel tab

  1. Edit the IPSec tunnel settings:

Tunnel Authentication Method

You can use a pre-shared key or a certificate for tunnel authentication.

To use the passphrase of the end-user profile as the pre-shared key for tunnel authentication, select Use the passphrase of the end-user profile as the pre-shared key. You must use the same shared key on the remote device. Use only standard ASCII characters in the shared key.

To use a certificate for tunnel authentication, select Use a certificate. For more information, go to Certificates for Mobile VPN with IPSec Tunnel Authentication (WSM).

If you use a certificate, you must also specify the CA IP Address and Timeout. In the CA IP Address text box, type the IP address of the Management Server that is configured as the certificate authority. In the Timeout text box, type the time, in seconds, before the Mobile VPN with IPSec client no longer attempts to connect to the certificate authority without a response. We recommend you use the default setting.

Phase 1 Settings

Select the authentication and encryption methods for the Phase 1 transform for the Mobile VPN tunnel. For more information about these settings, go to About IPSec Algorithms and Protocols.

From the Authentication drop-down list, select an authentication method: MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512. Tip!

SHA2 is supported for VPN connections from the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the WatchGuard IPSec VPN client.

From the Encryption drop-down list, select an encryption method: AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES. Tip!

To configure advanced settings, such as NAT Traversal or the key group, click Advanced. For more information, go to Define Advanced Phase 1 Settings.

Phase 2 Settings

To change the proposal and key expiration settings, click Proposal. For more information, go to Define Advanced Phase 2 Settings.

By default, Perfect Forward Secrecy (PFS) is enabled. If you keep PFS enabled, select the Diffie-Hellman group. Tip!

Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, go to About Diffie-Hellman Groups.

  1. Select the Resources tab.

Screen shot of the Edit MVPN with IPSec dialog box - Resources tab

  1. Add or remove allowed network resources and virtual IP addresses:

Force All Traffic Through Tunnel

To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box. When this option is selected, Mobile VPN user Internet traffic is sent through the VPN, and websites can load more slowly for those users.

If this option is not selected, Mobile VPN user Internet traffic is not examined by Firebox policies, but users can browse the Internet more quickly.

Allowed Resources list

This list shows the resources that users in the group can get access to on the network.

If you select the Force All Traffic Through Tunnel option, the default values in the Allowed Resources list, Any-External and 0.0.0.0/0, are required. No other resources are required.You cannot remove the default resources or add additional resources when this option is selected.

If you do not select Force All Traffic Through Tunnel, you can add or remove allowed resources:

  • To add a host IP address or network IP address to the allowed resources list, click Add.
  • To delete a host IP address or network IP address from the allowed resources list, select a resource and click Remove

If you edit the allowed resources, the resource list is not automatically updated in the Mobile VPN with IPSec policies for this group. You must manually edit the allowed resources in the Mobile VPN with IPSec policies and update them as necessary. For more information, go to Configure Policies to Filter IPSec Mobile VPN Traffic

Virtual IP Address Pool

This list shows the internal IP addresses that are used by Mobile VPN users over the tunnel. These addresses are used only when they are needed.

To add a host IP address or a host range of IP addresses to the virtual IP address pool, click Add.

To clear the selected host IP address or a host range of IP addresses from the virtual IP address pool, click Remove.

For more information about virtual IP addresses, go to Virtual IP Addresses and Mobile VPNs.

  1. Select the Advanced tab.

Screen shot of the Edit MVPN with IPSec dialog box - Advanced tab

  1. Configure the Line Management settings:

Connection mode

Manual — In this mode, the user must manually start the VPN tunnel. This is the default setting. The client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To start the VPN tunnel, in the Mobile VPN client, click Connect. Or, right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.

Automatic — In this mode, the client automatically tries to start the connection when your computer sends traffic to a remote host through the VPN tunnel. If the VPN tunnel goes down, the client automatically tries to restart the VPN tunnel when an application on the client computer sends traffic to a remote host.

Variable — In this mode, to manually start the VPN tunnel the first time, the user must click Connect. After the user starts the tunnel, the tunnel runs in automatic mode until the user clicks Disconnect. If the VPN tunnel goes down before the user clicks Disconnect, the client automatically tries to restart the VPN tunnel whenever an application on the client computer sends traffic to a remote host.

Inactivity timeout

The inactivity timeout specifies the time delay after the last transmission of traffic through the tunnel before the client automatically disconnects the tunnel. The inactivity timeout can have a maximum value of 65,535 seconds. By default, the inactivity value is set to 0. With the default value of 0, the VPN client does not automatically disconnect an established tunnel after inactivity. The user must manually disconnect the tunnel.

The default Line Management settings are Manual and 0 seconds. If you change this setting, you must use the .INI file to configure the client software.

  1. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, go to Configure DNS and WINS Servers for Mobile VPN with IPSec.

  1. Click OK.
  2. Save the configuration to the Firebox.

Users that are members of the group you edit are not able to connect until they import the correct configuration file to their WatchGuard IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users. 

For more information, go to Generate Mobile VPN with IPSec Configuration Files.

Related Topics

Generate Mobile VPN with IPSec Configuration Files

Configure DNS and WINS Servers for Mobile VPN with IPSec