Configure the Firebox or XTM Device for Mobile VPN with IPSec

You can use Policy Manager to enable Mobile VPN with IPSec for a group of users you have already created, or you can create a new user group. The users in the group can authenticate either to the Firebox or XTM device, or to a third-party authentication server included in your Firebox or XTM device configuration.

For more information about how to add users to a group for local Firebox authentication, see Add Users to a Firebox Mobile VPN Group. If you use a third-party authentication server, follow the instructions provided in the documentation from its manufacturer.

1. Select VPN > Mobile VPN > IPSec.
   The Mobile VPN with IPSec Configuration dialog box appears.

2. Click Add.
   The Add Mobile User VPN with IPSec Wizard appears.

3. Click Next.
   The Select a user authentication server screen appears.

4. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox or XTM device (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled in Policy Manager. Select Setup > Authentication > Authentication Servers to see these settings.

5. In the Group Name text box, type the name of the group.

You can type the name of a Mobile VPN group you have already created, or enter a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.

For more information about VPN group authentication, see Types of Firebox Authentication.

6. Click Next.
   The Select a tunnel authentication method screen appears.

7. Select an option for tunnel authentication:

• Use this passphrase
  Type and confirm the passphrase.
• Use an RSA certificate issued by your WatchGuard Management Server
  Type the IP Address of your Management Server and the Administration Passphrase.

8. Click Next.
   The Direct the flow of Internet traffic screen appears.

9. Select an option for Internet traffic:

• No, allow Internet traffic to go directly to the mobile user's ISP.
  (Split tunneling)
• Yes, force all Internet traffic to flow through the tunnel.
  (Default-route VPN)

For more information about split tunneling and default-route VPN, see Options for Internet Access Through a Mobile VPN with IPSec Tunnel.

10. Click Next.
    The Identify the resources accessible through the tunnel screen appears.

11. Click Add to specify the host or network IP addresses that users can connect to through the VPN tunnel.
12. Click Next.
    The Create the virtual IP address pool screen appears.

13. Click Add to add one IP address or an IP address range.
    To add more virtual IP addresses, repeat this step.

Mobile VPN users are assigned one of these IP addresses when they connect to your network. The number of IP addresses should be the same as the number of Mobile VPN users. If High Availability is configured, you must add two virtual IP addresses for each Mobile VPN user. The IP addresses cannot be used for anything else on your network.

14. Click Next.
    The Add Mobile VPN with IPSec Wizard has completed successfully screen appears.
    

The Mobile VPN with IPSec group end-user configuration file is available at the location specified on this screen.

15. To add users to the new Mobile VPN with IPSec group, select the Add users to check box.
16. Click Finish.

Give us feedback  •   Get Support  •   All product documentation  •   Knowledge Base

© 2010 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.