Configure Mobile VPN with IPSec to a Dynamic IP Address

We recommend that you use either a static IP address for a Firebox or XTM device that is a VPN endpoint, or use Dynamic DNS. For more information about Dynamic DNS, see About the Dynamic DNS Service.

If neither of these options are possible, and the external IP address of the Firebox or XTM device changes, you must either give remote IPSec users a new .wgx configuration file or have them edit the client configuration to include the new IP address each time that the IP address changes. Otherwise, IPSec users cannot connect until they get the new configuration file or IP address.

Use these instructions to configure the Firebox or XTM device and support the IPSec client users if the Firebox or XTM device has a dynamic IP address and you cannot use Dynamic DNS.

Keep a Record of the Current IP Address

From Policy Manager, you can find the current IP address of the Firebox or XTM device external interface.

1. Select Network > Configuration.
2. Look for the interface with type External and look at the IP address in the IP column. This is the external IP address of the Firebox or XTM device.

This is the IP address that is saved to the .wgx configuration files. When remote users say that they cannot connect, check the external IP address of the Firebox or XTM device to see if the IP address has changed.

Configure the Firebox or XTM Device and IPSec Client Computers

The Firebox or XTM device must have an IP address assigned to the external interface before you download the .wgx files. This is the only difference from the normal configuration of the Firebox or XTM device and IPSec client computers.

Update the Client Configurations when the Address Changes

When the external IP address of the Firebox or XTM device changes, the remote Mobile VPN with IPSec client computers cannot connect until they have been configured with the new IP address. You can change the IP address in two ways.

• Give remote users a new .wgx configuration file to import.
• Have remote users manually edit the IPSec client configuration. For this option, you must configure the Firebox or XTM device so remote users can edit the configuration. For more information, see Lock down an end user profile Lock Down an End User Profile.

From Policy Manager, you can give users a new .wgx configuration file.

1. Select VPN > Mobile VPN > IPSec.

2. Select a Mobile VPN user group and click Generate to generate and download the .wgx files.
3. Distribute the .wgx files to the remote users.
4. Tell the remote users to Import the End-User Profile.

To have users manually edit the client configuration:

1. Give remote users the new external IP address of the Firebox or XTM device and tell them to perform the next five steps.
2. On the IPSec client computer, select Start > All Programs > WatchGuard Mobile VPN > Mobile VPN Monitor.
3. Select Configuration > Profile Settings.
4. Select the profile and click Configure.
5. In the left column, select IPSec General Settings.
6. In the Gateway text box, type the new external IP address of the Firebox or XTM device.

Give us feedback  •   Get Support  •   All product documentation  •   Knowledge Base

© 2010 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Core, and Fireware are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.