Select a Mobile VPN Type

Fireware supports four types of Mobile VPNs:

  • Mobile VPN with IKEv2
  • Mobile VPN with L2TP
  • Mobile VPN with SSL
  • Mobile VPN with IPSec

Your Firebox can support all four types of mobile VPNs simultaneously. You can also configure a client computer to use one or more types of mobile VPNs. Before you decide which type of Mobile VPN to use, you must consider your current infrastructure and network policy preferences. Some of the things to consider when you choose which type of Mobile VPN to use are described in these sections:

The Mobile VPN with PPTP feature is not available in Fireware v12.0 and higher. If your Firebox has Fireware v11.12.4 or lower, Mobile VPN with PPTP is automatically removed from your configuration when you upgrade to Fireware v12.0 or higher. We recommend that you migrate to a different mobile VPN solution before you upgrade. For more information, see How do I migrate from PPTP to L2TP before I upgrade to Fireware v12.0? in the WatchGuard Knowledge Base. For documentation for Mobile VPN with PPTP, see Fireware Help v11.12.x.

Security

Each type of Mobile VPN has different security traits.

IKEv2

Mobile VPN with IKEv2 offers the highest level of security. It includes multi-layer security, but authentication server options are limited to local Firebox authentication and RADIUS. The Firebox uses certificate-based authentication instead of a pre-shared key, so there is no shared secret for an attacker to capture or guess. User authentication uses EAP with MS-CHAPv2.

In Fireware v12.2 or higher, the Firebox supports AES-GCM encryption.

In Fireware v12.5 or higher, the Firebox supports ECDSA (EC) certificates for Mobile VPN with IKEv2. Your IKEv2 VPN client must also support EC certificates. Support varies by operating system. For more information, see About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.

Mobile VPN with IKEv2 supports two-factor authentication for MFA solutions that support MS-CHAPv2. AuthPoint, the WatchGuard MFA service, supports MS-CHAPv2 RADIUS authentication for manually created users as of the October 4, 2018 AuthPoint release.

L2TP

Mobile VPN with L2TP offers a high level of security, which includes multi-layer security. However, authentication server options are limited to local Firebox authentication and RADIUS. The client must know the pre-shared key.

Mobile VPN with L2TP also supports certificate-based client authentication in place of the pre-shared key.

SSL

Mobile VPN with SSL is slightly less secure than IPSec because it does not support multi-layer encryption, and because an attacker needs to know only the Firebox IP address and client login credentials to connect. In Fireware v12.2 or higher, AES-GCM is supported.

IPSec

Mobile VPN with IPSec supports encryption levels up to 256-bit AES and multi-layer encryption. You can use any authentication method supported by the Firebox, including two-factor authentication with SecurID and VASCO. An attacker who has the login credentials also needs detailed setup information to connect to the VPN, which includes the pre-shared key.

Mobile VPN with IPSec also supports certificate-based client authentication instead of the pre-shared key.

We recommend Mobile VPN with IKEv2 as an alternative to Mobile VPN with IPSec. The IKEv1 Aggressive Mode vulnerability described in CVE-2002-1623 affects Mobile VPN with IPSec. This vulnerability does not affect Mobile VPN with IKEv2 or L2TP. If you configure Mobile VPN with IPSec, we recommend that you configure a certificate instead of a pre-shared key if you have a WSM Management Server. If you do not have a Management Server, we recommend that you specify a strong pre-shared key and change it on a regular basis. We also recommend that you specify a strong hashing algorithm such as SHA-256.
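The recommendation above follows directly from how IKEv1 Aggressive Mode works. The simulation below is an added example and is not WatchGuard code: it derives HASH_R the way RFC 2409 section 5.4 specifies, then shows that a passive observer who captured messages 1 and 2 can test pre-shared key candidates offline, which is the attack behind CVE-2002-1623 and what the psk-crack tool in ike-scan automates. The nonces, cookies, Diffie-Hellman values, SA body, responder identity and wordlist are all constructed for the demonstration, and the negotiated PRF is assumed to be HMAC-SHA256.

```python
# Added example (not WatchGuard code): why CVE-2002-1623 makes the pre-shared key
# the weak point of IKEv1 Aggressive Mode, and why a strong PSK (or a certificate)
# closes the gap. Nonces, cookies, DH values, the SA body and the responder ID are
# constructed stand-ins for what a passive observer captures from messages 1 and 2;
# the negotiated PRF is assumed to be HMAC-SHA256.
import hashlib
import hmac
import secrets


def prf(key, data):
    # RFC 2409 "prf": the keyed HMAC of the negotiated hash algorithm.
    return hmac.new(key, data, hashlib.sha256).digest()


def hash_r(psk, ex):
    """HASH_R exactly as the responder derives it (RFC 2409 section 5.4):
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    In Aggressive Mode the responder sends HASH_R in the clear, and every other
    input is visible on the wire, so the PSK is the only unknown."""
    skeyid = prf(psk, ex["Ni_b"] + ex["Nr_b"])
    return prf(skeyid, ex["g_xr"] + ex["g_xi"] + ex["CKY_R"] + ex["CKY_I"]
               + ex["SAi_b"] + ex["IDir_b"])


def capture_exchange(psk, responder_id=b"vpn.example.com"):
    """Constructed capture of an Aggressive Mode exchange protected by `psk`."""
    ex = {
        "Ni_b": secrets.token_bytes(16),     # initiator nonce
        "Nr_b": secrets.token_bytes(16),     # responder nonce
        "g_xi": secrets.token_bytes(128),    # DH public values (group 2 sized)
        "g_xr": secrets.token_bytes(128),
        "CKY_I": secrets.token_bytes(8),     # ISAKMP cookies
        "CKY_R": secrets.token_bytes(8),
        "SAi_b": bytes.fromhex("0000000100000001"),        # initiator SA payload body (constructed)
        "IDir_b": b"\x02\x00\x00\x00" + responder_id,      # ID_FQDN, protocol 0, port 0, name
    }
    ex["HASH_R"] = hash_r(psk, ex)   # what message 2 reveals to the observer
    return ex


def offline_psk_attack(ex, wordlist):
    """Recompute HASH_R per candidate PSK and compare with the captured value.
    No further packets to the Firebox are needed, so rate limiting cannot help."""
    for candidate in wordlist:
        if hash_r(candidate, ex) == ex["HASH_R"]:
            return candidate
    return None


def strong_psk(nbytes=32):
    """A pre-shared key with 256 bits of entropy is outside any wordlist."""
    return secrets.token_urlsafe(nbytes).encode()


# Constructed wordlist of the kind of values that end up as pre-shared keys.
WORDLIST = [b"password", b"watchguard", b"vpn2018", b"Summer2019!", b"changeme"]


def demo():
    weak = offline_psk_attack(capture_exchange(b"vpn2018"), WORDLIST)
    strong = offline_psk_attack(capture_exchange(strong_psk()), WORDLIST)
    return weak, strong


if __name__ == "__main__":
    print(demo())   # (b'vpn2018', None)
```

With a weak key the attack succeeds from a single captured exchange; with a random 256-bit key it degrades to an infeasible brute-force search, and with certificate authentication there is no shared secret to recover at all. Changing the key regularly, as recommended above, also bounds how long a captured exchange stays useful.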

Ease of Use

IKEv2

Mobile VPN with IKEv2 supports connections from the native IKEv2 VPN clients on iOS, macOS, and Windows devices. Android users can configure an IKEv2 VPN connection with the third-party strongSwan app.

Administrators can download a .bat configuration script from the Firebox to automatically configure an IKEv2 VPN profile on devices with Microsoft Windows 8 or higher. The configuration script also automatically installs the certificate. The .bat script is not supported on Windows 7; for computers with Windows 7, you must manually configure the native IKEv2 VPN client.

For iOS and macOS, Administrators can download a .mobileconfig profile from the Firebox to automatically configure the native IKEv2 VPN client.

For Android, Firebox administrators can download a .sswan file from the Firebox to automatically configure the strongSwan app.

Mobile VPN with IKEv2 sends all traffic over the VPN tunnel (full tunnel).

L2TP

You can use Mobile VPN with L2TP with native VPN clients and any L2TPv2 clients that comply with RFC 2661. To connect, the end user must specify a user name and password, which can be saved in some VPN clients. Users must manually configure the L2TP client.

Routing for client traffic over L2TP is controlled by the client configuration. Clients typically have an option to route all client traffic through the tunnel, or to route client traffic through the tunnel only for the same /24 subnet as the virtual IP address.

SSL

For Windows and macOS users, the client is easy to download and install. To download the VPN client, users connect over HTTPS to the Firebox and log in. After users download the client, they only need to know their login credentials to connect. As an administrator, you can enable or disable the option for the VPN client to remember the user name and password.

Clients with other operating systems and mobile devices can use OpenVPN clients to connect. To use an OpenVPN client, the user needs the client.ovpn file, which is also easy to download from the Firebox.

IPSec

Windows users can download and install the WatchGuard IPSec Mobile VPN Client, which offers additional features. A paid license is required after a 30-day free trial.

Whichever Windows client you use, you must provide it with a configuration file. If you use the WatchGuard IPSec Mobile VPN Client, you might also need to provide the pre-shared key. We recommend that you use a secure method, such as encrypted email, to distribute the configuration file, because the configuration file and pre-shared key are the setup information an attacker needs in addition to user credentials.

Tunnel routing for the Windows clients can be as broad or as specific as needed, based on the allowed resources you configure.

For macOS devices, you must configure a Mobile VPN profile to match the default settings of the on-device client, and configure the client to connect to the VPN. The client needs a user name and passphrase to connect.

Portability

Portability refers to the network environments from which the VPN client can connect.

IKEv2

By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec.

L2TP

By default, L2TP uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50.

If you disable IPSec, Mobile VPN with L2TP requires only UDP port 1701. This type of L2TP configuration should be allowed in most environments unless the network is configured to be extremely restrictive. However, this configuration does not provide the security of IPSec.

If you disable IPSec in the Mobile VPN with L2TP configuration, you must also disable IPSec on the client devices. On some devices, this setting is harder to change. For information about IPSec settings on a device, see the device manufacturer's documentation.

SSL

You can configure Mobile VPN with SSL to use any TCP or UDP port, or use the default setting, TCP 443. If you use a UDP port, you must still specify a TCP port for the initial authentication request. This makes Mobile VPN with SSL portable to almost any environment that allows outbound HTTPS. However, many Internet filtering applications support content inspection for HTTPS, which can block traffic such as Mobile VPN with SSL that does not conform to the HTTPS protocol, even though it uses TCP port 443.

You can configure the HTTPS proxy on a Firebox to allow non-compliant HTTPS requests. To learn more about the HTTPS proxy, see HTTPS-Proxy: General Settings.

IPSec

Mobile VPN with IPSec requires the client to access the Firebox on UDP ports 500 and 4500, and ESP IP Protocol 50. This often requires a specific configuration on the client's internet gateway, so clients might not be able to connect from hotspots or with mobile Internet connections.

You can configure a Firebox to allow outbound IPSec requests. To learn more about outbound IPSec pass-through, see About Global VPN Settings.

Performance

IKEv2

Mobile VPN with IKEv2 performs better than Mobile VPN with L2TP and Mobile VPN with SSL.

L2TP

Mobile VPN with L2TP is faster than Mobile VPN with SSL, but slower than Mobile VPN with IKEv2.

SSL

Mobile VPN with SSL is slower than other mobile VPN types. It is not the best option for latency-sensitive traffic such as VoIP or high-bandwidth file transfers. However, you can improve Mobile VPN with SSL performance if you select UDP for the data channel and AES-GCM ciphers.

VPN Tunnel Capacity

When you select a type of VPN, make sure to consider the number of tunnels your device supports and whether you can purchase an upgrade to increase the number of tunnels.

The maximum number of IKEv2, L2TP, SSL, and IPSec mobile VPN tunnels depends on the Firebox model.

You can see the maximum number of each type of VPN tunnel your Firebox supports in the Firebox feature key. For more information, see VPN Tunnel Capacity and Licensing.

Authentication Server Compatibility

Make sure the Mobile VPN solution you choose supports the type of authentication server you use.

  • Each type of Mobile VPN supports the use of Firebox-DB, the local Firebox authentication server. With Firebox-DB, you create users and groups directly on the Firebox.
  • L2TP and IKEv2 are limited to Firebox-DB and RADIUS.
  • IKEv2 supports two-factor authentication for MFA solutions that support MS-CHAPv2. AuthPoint, the WatchGuard MFA service, supports MS-CHAPv2 RADIUS authentication for manually created users as of the October 4, 2018 AuthPoint release.
  • Mobile VPN with SSL supports every authentication method supported by the Firebox.
  • Mobile VPN with IPSec also supports every authentication method supported by the Firebox, although the macOS and iOS native clients support fewer (see the table).

This table shows the supported authentication servers for each mobile VPN type.

Mobile VPN                                                                Firebox-DB  RADIUS   Vasco/RADIUS  SecurID  LDAP     Active Directory
Mobile VPN with IKEv2                                                     Yes         Yes      No            No       No       Yes (1)
Mobile VPN with L2TP                                                      Yes         Yes      No            No       No       Yes (1)
Mobile VPN with SSL                                                       Yes         Yes      Yes           Yes      Yes      Yes
Mobile VPN with IPSec, WatchGuard IPSec Mobile VPN Client for Windows     Yes         Yes      Yes           Yes      Yes      Yes
(Premium client)
Mobile VPN with IPSec, macOS or iOS native VPN client                     Yes         No (2)   No            Yes      No (2)   No (2)

  1. Active Directory authentication for IKEv2 and L2TP is supported only through a RADIUS server.
  2. We do not support RADIUS, LDAP, or Active Directory authentication for the iOS and macOS native VPN clients.

Other compatibility notes:

RADIUS

The RADIUS server must return the Filter-Id attribute (RADIUS attribute #11) in its Access-Accept response. The value of the Filter-Id attribute must match the name of the correct group (SSLVPN-Users, or the name of the group you define in the Mobile VPN with SSL or Mobile VPN with IPSec configuration). An Access-Accept without a matching Filter-Id means the user authenticated but is not a member of the VPN group, so the VPN login fails.
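The check described above, as an added example that is not Firebox or WatchGuard code: it builds an Access-Accept the way a RADIUS server does (RFC 2865), verifies the Response Authenticator against the shared secret so a forged or tampered reply is rejected, and only then looks for a Filter-Id (attribute 11) that names the configured VPN group. The shared secret, Request Authenticator, identifiers and attribute values are constructed for the demonstration.

```python
# Added example (not Firebox or WatchGuard code): the decision a Firebox must make
# on a RADIUS Access-Accept before it places a Mobile VPN user in a group. The
# shared secret, request authenticator and packet contents are constructed.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11            # RFC 2865 section 5.11
REPLY_MESSAGE = 18        # RFC 2865 section 5.18


def build_access_accept(identifier, request_auth, secret, attributes):
    """Build an Access-Accept the way a RADIUS server does (RFC 2865 section 3).
    attributes: list of (type, value_bytes) pairs in the order they are sent."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def authentic(packet, request_auth, secret):
    """True if the Response Authenticator proves the reply came from a server
    holding the shared secret and was not modified in transit."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Return the (type, value) list; reject malformed TLVs rather than skip them."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    pos, attrs = 20, []
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def filter_id_groups(packet):
    """All Filter-Id values; a server may send the attribute more than once."""
    return [v.decode("utf-8", "replace") for t, v in parse_attributes(packet) if t == FILTER_ID]


def accept_grants_group(packet, request_auth, secret, group):
    """Authentic Access-Accept AND a Filter-Id that names `group`, else no VPN access."""
    if packet[0] != ACCESS_ACCEPT:
        return False
    if not authentic(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return group in filter_id_groups(packet)


# Constructed inputs: the secret configured on both the Firebox and the server,
# and the Request Authenticator from the Access-Request this reply answers.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def demo():
    # Server returns membership of SSLVPN-Users plus a second group.
    ok = build_access_accept(7, REQUEST_AUTH, SECRET,
                             [(FILTER_ID, b"SSLVPN-Users"), (FILTER_ID, b"Staff")])
    # Server authenticated the user but omitted Filter-Id: the VPN login must fail.
    missing = build_access_accept(8, REQUEST_AUTH, SECRET, [(REPLY_MESSAGE, b"Welcome")])
    return (accept_grants_group(ok, REQUEST_AUTH, SECRET, "SSLVPN-Users"),
            accept_grants_group(ok, REQUEST_AUTH, SECRET, "IPSec-Users"),
            accept_grants_group(missing, REQUEST_AUTH, SECRET, "SSLVPN-Users"))


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

When a RADIUS-backed VPN login fails for a user whose password is known to be correct, the usual cause is the third case in the demo: the server accepted the user but its Access-Accept carries no Filter-Id, or carries one that does not match the group name configured on the Firebox.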

Vasco RADIUS

The RADIUS Filter-Id attribute is currently not supported by Vasco. For a workaround, use the Microsoft IAS RADIUS plug-in.

The WatchGuard Mobile VPN app for Android is no longer available in the Google Play store. The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store. We no longer support these legacy apps.

Other Considerations

  • Mobile VPN with IKEv2 offers the highest level of security, best performance, and easiest deployment. This VPN type has certificate-based client authentication instead of a pre-shared key.
  • Mobile VPN with IKEv2, L2TP, and IPSec work only when the required ports and protocols are allowed on the remote networks. This means these mobile VPN types might not work on all remote networks.
  • With Mobile VPN with L2TP, you can use L2TP to transport protocols other than IP.
  • Mobile VPN with IPSec is the only VPN type that allows you to configure different VPN configuration profiles for different groups of users.
  • We recommend Mobile VPN with SSL when IKEv2 IPSec traffic is not allowed on the remote network or when split tunneling is required.

Protocol Details

Each type of mobile VPN uses different ports, protocols, and encryption algorithms to establish a connection. The required ports and protocols must be open between the mobile device and your Firebox for the mobile VPN to function.

For Mobile VPN with SSL, you can choose a different port and protocol in some cases. For more information, see Choose the Port and Protocol for Mobile VPN with SSL.

See Also

Mobile VPN with IKEv2

Mobile VPN with L2TP

Mobile VPN with SSL

Mobile VPN with IPSec
