When you configure each type of mobile VPN on the Firebox, you define a pool of virtual IP addresses. The Firebox assigns an IP address from the virtual IP address pool to each Mobile VPN user until all of the addresses are in use. When a user closes a VPN session, the IP address used by that session becomes available again.
Traffic from Mobile VPN clients is never considered trusted, even if the virtual IP addresses are on the same subnet as or overlap the address range of a trusted network. You must always create policies to allow traffic from Mobile VPN users to resources on your network.
If you configure Mobile VPN with SSL to bridge to a local network, the virtual IP addresses must be on the same subnet as the bridge interface you want to bridge to. For Mobile VPN with SSL configured for Routed VPN traffic, and for all other mobile VPN types, it is not necessary for the virtual IP addresses to be on the same subnet as the trusted network. For all types of mobile VPNs, the IP addresses in the virtual IP address pool cannot be used for anything else on your network.
If FireCluster is configured, you must add two virtual IP addresses for each mobile VPN user, and you must make sure the virtual IP address pool is not on the same subnet as a primary cluster IP address.
To enable the maximum number of VPN connections, make sure that the virtual IP address pool contains as many IP addresses as the maximum number of concurrent VPN connections your Firebox supports. The maximum number of supported VPN connections differs by VPN type and by Firebox model.
For more information about VPN tunnel licensing, see VPN Tunnel Capacity and Licensing.
If the virtual IP address pool in the mobile VPN configuration contains fewer IP addresses than the maximum number of mobile VPN connections supported by the device, the maximum number of VPN connections is limited by the number of IP addresses in the virtual IP address pool.
We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.
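The following Python script is an added example, not WatchGuard code and not part of this page; it does not talk to a Firebox. It takes a planned virtual IP address pool and checks it against the rules stated above: pool size against the connection limit (with FireCluster needing two addresses per user), no overlap with a primary cluster IP subnet, SSL bridge mode requiring the pool to sit inside the bridged interface's subnet, pool addresses not used for anything else, and corporate or guest networks that overlap the common home ranges 192.168.0.0/24 and 192.168.1.0/24. The connection limit, pool range, cluster subnet and local networks in the sample plan are constructed values, not a real model's limits.

```python
import ipaddress
from dataclasses import dataclass, field

# Home-network ranges the text warns are common on remote users' networks.
COMMON_HOME_RANGES = (ipaddress.ip_network("192.168.0.0/24"),
                      ipaddress.ip_network("192.168.1.0/24"))


@dataclass
class VpnPlan:
    """A planned mobile VPN pool; all field values below are assumptions."""
    vpn_type: str                      # "ssl", "ikev2", "ipsec" or "l2tp"
    pool_start: str                    # first virtual IP address in the pool
    pool_end: str                      # last virtual IP address in the pool
    max_connections: int               # model/licence limit (sample value)
    firecluster: bool = False          # clustered Fireboxes need two IPs per user
    ssl_bridge_mode: bool = False      # SSL only: bridged rather than routed
    bridge_subnet: str = ""            # subnet of the interface bridged to
    cluster_subnets: list = field(default_factory=list)  # primary cluster IP subnets
    in_use: list = field(default_factory=list)           # hosts/ranges already used
    local_networks: list = field(default_factory=list)   # corporate/guest subnets


def pool_networks(plan):
    """Express the start-end pool as CIDR blocks so overlap tests are easy."""
    start = ipaddress.ip_address(plan.pool_start)
    end = ipaddress.ip_address(plan.pool_end)
    return list(ipaddress.summarize_address_range(start, end))


def pool_size(plan):
    """Number of virtual IP addresses in the pool (inclusive range)."""
    start = ipaddress.ip_address(plan.pool_start)
    end = ipaddress.ip_address(plan.pool_end)
    return int(end) - int(start) + 1


def effective_capacity(plan):
    """Concurrent users the pool can serve, capped by the connection limit."""
    per_user = 2 if plan.firecluster else 1
    return min(pool_size(plan) // per_user, plan.max_connections)


def _overlaps(nets, other):
    other = ipaddress.ip_network(other, strict=False)
    return any(n.overlaps(other) for n in nets)


def check_plan(plan):
    """Return a list of human-readable findings; an empty list means no issue."""
    findings = []
    nets = pool_networks(plan)
    cap = effective_capacity(plan)
    if cap < plan.max_connections:
        findings.append(f"pool of {pool_size(plan)} addresses limits concurrent users "
                        f"to {cap}, below the {plan.max_connections} the model supports")
    if plan.firecluster:
        for subnet in plan.cluster_subnets:
            if _overlaps(nets, subnet):
                findings.append(f"pool overlaps primary cluster IP subnet {subnet}")
    if plan.vpn_type == "ssl" and plan.ssl_bridge_mode:
        bridge = ipaddress.ip_network(plan.bridge_subnet, strict=False)
        if not all(n.subnet_of(bridge) for n in nets):
            findings.append(f"SSL bridge mode: pool is not inside bridge subnet {bridge}")
    for used in plan.in_use:
        if _overlaps(nets, used):
            findings.append(f"pool overlaps address(es) already in use: {used}")
    for lan in plan.local_networks:
        lan_net = ipaddress.ip_network(lan, strict=False)
        for home in COMMON_HOME_RANGES:
            if home.overlaps(lan_net):
                findings.append(f"local network {lan} overlaps common home range {home}")
    return findings


# Constructed sample plan that trips every check except the SSL bridge rule.
SAMPLE = VpnPlan(
    vpn_type="ssl", pool_start="10.0.50.1", pool_end="10.0.50.50",
    max_connections=100, firecluster=True,
    cluster_subnets=["10.0.50.0/24"],
    in_use=["10.0.50.10"],
    local_networks=["192.168.1.0/24", "10.0.1.0/24"],
)

if __name__ == "__main__":
    for line in check_plan(SAMPLE):
        print("-", line)
```

Run it as-is to see the four findings for the sample plan; a plan with a pool of 100 routed addresses, no cluster and non-overlapping local networks returns an empty list.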