Additional Mobile VPN Topics

This section describes special topics for Mobile VPN with IPSec.

Making Outbound IPSec Connections from Behind a Firebox

A user might have to make IPSec connections to a Firebox from behind another Firebox. For example, if a mobile employee travels to a customer site that has a Firebox, that user can make IPSec connections to their network. For the local Firebox to correctly manage the outgoing IPSec connection, you must set up an IPSec policy that includes the IPSec packet filter.

For more information on how to enable policies, see About Policies.

Because the IPSec policy allows a tunnel to the IPSec server to pass through the firewall without any security checks on the tunneled traffic, add only the users that you trust to this policy.

Terminate IPSec Connections

Existing VPN connections do not stop when you remove the IPSec policy. To fully stop VPN connections, you must restart the Firebox.

Global VPN Settings

Global VPN settings on your Firebox apply to all manual BOVPN tunnels, managed tunnels, and Mobile VPN tunnels. These settings do not apply to Mobile VPN with TLS.

You can use these settings to:

  • Enable IPSec pass-through
  • Clear or maintain the settings of packets with Type of Service (TOS) flags set
  • Use an LDAP server to verify certificates

To change the global VPN settings, from Fireware Web UI, select VPN > Global Settings.

To change the global VPN settings from Policy Manager, select VPN > VPN Settings.

For more information about these settings, see About Global VPN Settings.

See the Number of Mobile VPN Licenses

You can look at the Feature Key to see the number of Mobile VPN licenses your Firebox supports.

To see the feature key, from Fireware Web UI:

  1. Select System > Feature Key.
  2. Scroll down to Mobile VPN Users in the Feature column, and find the number in the Value column. This is the maximum number of Mobile VPN users that can connect at the same time.

To see the feature key, from Policy Manager:

  1. Select Setup > Feature Keys.
  2. Scroll down to Mobile VPN Users in the Feature column, and find the number in the Value column. This is the maximum number of Mobile VPN users that can connect at the same time.

Purchase Additional Mobile VPN Licenses

WatchGuard Mobile VPN with IPSec is an optional feature. Each Firebox includes a number of Mobile VPN licenses. You can purchase more licenses for Mobile VPN.

Licenses are available through your local reseller, or on the WatchGuard website at https://www.watchguard.com/sales.

Add Feature Keys

For more information on how to add feature keys, see About Feature Keys.

Mobile VPN and VPN Failover

You can configure VPN tunnels to fail over to a backup endpoint if the primary endpoint becomes unavailable. For more information on VPN failover, see Configure Branch Office VPN (BOVPN) Failover.

If VPN failover is configured and failover occurs, Mobile VPN sessions are interrupted. The mobile user must authenticate with the Mobile VPN client again to make a new Mobile VPN tunnel.

To configure VPN failover for Mobile VPN tunnels, from Fireware Web UI:

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the IPSec section, click Configure.
    The Mobile VPN with IPSec Settings page appears.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec Settings page appears.
  4. Select a mobile user group from the list and click Edit.
    The Edit Mobile VPN with IPSec dialog box appears.
  5. Select the General tab.
  6. In the Firebox IP Addresses section, type a backup WAN interface IP address in the Backup text box.
    You can specify only one backup interface for tunnels to fail over to, even if you have additional WAN interfaces.

To configure VPN failover for Mobile VPN tunnels, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
    The Mobile VPN with IPSec Configuration dialog box appears.
  2. Select a mobile user group from the list and click Edit.
    The Edit Mobile VPN with IPSec dialog box appears.
  3. Select the General tab.
  4. In the Firebox IP Addresses section, type a backup WAN interface IP address in the Backup text box.
    You can specify only one backup interface for tunnels to fail over to, even if you have additional WAN interfaces.