Edit the Mobile VPN with IKEv2 Configuration

We recommend that you use the WatchGuard IKEv2 Setup Wizard to set up Mobile VPN with IKEv2 for the first time. For more information, see Use the WatchGuard IKEv2 Setup Wizard.

Edit Network Settings

On the Networking tab, in the Firebox Addresses section, specify an IP address or domain name for connections from Mobile VPN with IKEv2 users. If your Firebox is behind a NAT device, you must specify the public IP address or domain name of the NAT device.

Edit the Virtual IP Address Pool

On the Networking tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with IKEv2 users over the tunnel. The virtual IP address pool must contain at least two IP addresses. By default, the Firebox assigns addresses in the 192.168.114.0/24 range to Mobile VPN with IKEv2 clients.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

To add to the virtual IP address pool:

  1. Click Add.
    The Add Address Pool dialog box appears.
  2. From the Choose Type drop-down list, select Network IPv4 or Host IPv4.
  3. In the adjacent text box, type an IP address or network IP address.

Edit Authentication Settings

On the Authentication tab you can configure authentication servers and the authorized users and groups.

Configure Authentication Servers

  1. Select the Authentication tab.
  2. In the Authentication Servers section, select Firebox-DB, RADIUS, or both.
  3. If you select both Firebox-DB and RADIUS, you can select Set as default server to make RADIUS the default authentication server.

Configure Users and Groups

If you use Firebox-DB for authentication, you must use the IKEv2-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with IKEv2. For each group or user you add, you can select the authentication server where the group exists or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.

For more information about user authentication, see About Mobile VPN with IKEv2 User Authentication.

For more information about how to add Firebox-DB users, see Define a New User for Firebox Authentication.

For more information about how to add Firebox-DB groups, see Define a New Group for Firebox Authentication.

For more information about how to add RADIUS users and groups, see Use Users and Groups in Policies.

Configure a Certificate for Authentication

You can select a Firebox certificate or a third-party certificate for Mobile VPN with IKEv2 authentication. Firebox and third-party certificates have these requirements:

  • Extended Key Usage (EKU) flags "serverAuth" and "IP Security IKE Intermediate" (OID 1.3.6.1.5.5.8.2.2)
  • IP address or DNS name as a Subject Alternative Name value

In Fireware v12.5 or higher, the Firebox supports ECDSA (EC) certificates for Mobile VPN with IKEv2. Your IKEv2 client must also support EC certificates. Support varies by operating system. For more information, see About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.
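The script below is an added example, not part of the WatchGuard documentation or product: it generates a test EC certificate that carries both required EKU values and a DNS/IP Subject Alternative Name, then checks a certificate for those requirements so a third-party certificate can be validated before it is loaded on the Firebox. It assumes the openssl command-line tool (1.1.1 or later) is installed; the name vpn.example.com and address 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not WatchGuard's code). Assumes the openssl CLI, 1.1.1+.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# OpenSSL config for a certificate that meets the Mobile VPN with IKEv2 rules:
# EKU = serverAuth + IP Security IKE Intermediate (1.3.6.1.5.5.8.2.2),
# SAN = the DNS name and public IP clients connect to (constructed values).
cat > "$WORK/ikev2.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = vpn.example.com

[ ikev2_ext ]
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:vpn.example.com, IP:203.0.113.10
EOF

# check_ikev2_cert CERT.pem: returns 0 only if the certificate has the
# serverAuth EKU, the IKE Intermediate EKU, and at least one DNS or IP SAN.
check_ikev2_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "missing serverAuth EKU"; return 1; }
  printf '%s\n' "$text" | grep -Eqi '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE Intermediate' \
    || { echo "missing IP Security IKE Intermediate EKU"; return 1; }
  printf '%s\n' "$text" | grep -Eq 'DNS:|IP Address:' \
    || { echo "missing DNS/IP Subject Alternative Name"; return 1; }
  return 0
}

# Self-signed ECDSA test certificate built from the config above.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -days 365 -sha256 -config "$WORK/ikev2.cnf" -extensions ikev2_ext \
  -keyout "$WORK/good.key" -out "$WORK/good.pem" 2>/dev/null

# A typical web-server certificate (serverAuth only) must fail the check.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -days 365 -sha256 -subj '/CN=vpn.example.com' \
  -addext 'extendedKeyUsage=serverAuth' -addext 'subjectAltName=DNS:vpn.example.com' \
  -keyout "$WORK/web.key" -out "$WORK/web.pem" 2>/dev/null

check_ikev2_cert "$WORK/good.pem" && echo "good.pem: meets IKEv2 requirements"
check_ikev2_cert "$WORK/web.pem" || echo "web.pem: rejected"
```

Run `check_ikev2_cert` against your own PEM file to confirm both EKU values and the SAN are present before you import it as a third-party certificate.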

To select a certificate for authentication:

  1. Click the Security tab.
  2. To specify a certificate for authentication, click Edit.
    The Firebox Address and Certificate Settings dialog box appears.
  3. In the Type drop-down list, select Firebox-Generated Certificate or Third-Party Certificate.

Configure the Phase 1 and 2 Settings

To configure the Phase 1 settings, select VPN > IKEv2 Shared Settings. For more information about IKEv2 Shared Settings, see Configure IKEv2 Shared Settings.

The IPSec Phase 2 proposals used for Mobile VPN with IKEv2 are the same proposals you configure to use with an IPSec branch office VPN. If you want to configure a new Phase 2 proposal to use with Mobile VPN with IKEv2, you must add it in the Phase 2 Proposals page. Then you can add it to the Mobile VPN with IKEv2 configuration.

Configure the DNS and WINS Settings

In Fireware v12.2.1 or higher, you can specify DNS and WINS servers in the Mobile VPN with IKEv2 configuration.

In Fireware v12.2 or lower, you cannot configure DNS and WINS settings in the Mobile VPN with IKEv2 configuration. Clients automatically receive the DNS and WINS servers specified in the Network (global) DNS/WINS settings on the Firebox. The domain name suffix is not inherited. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list. For information about the Network DNS/WINS settings, see Configure Network DNS and WINS Servers.

See Also

Use the WatchGuard IKEv2 Setup Wizard

Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Certificates for Mobile VPN with IKEv2 Tunnel Authentication
