About Mobile VPN with IPSec on the Firebox
You can configure the Firebox as an endpoint for Mobile VPN with IPSec tunnels. When you configure Mobile VPN with IPSec on the Firebox, you create a Mobile VPN with IPSec profile that defines the connection and access settings for a Mobile VPN group that you specify.
When you configure Mobile VPN with IPSec for a user group, an Any policy is automatically added to the Mobile VPN with IPSec Policies list to allow all traffic to pass to and from the authenticated Mobile VPN users in the group and your private networks. To restrict Mobile VPN client access, delete the Any policy and add other Mobile VPN policies that allow access to specific resources.
To make a Mobile VPN with IPSec connection, a mobile user must be a member of a Mobile VPN group and must have a Mobile VPN end-user profile for that group. After you configure Mobile VPN with IPSec for a group, you can generate the end-user profile that you distribute to mobile users.
For information about how to generate the end-user profile from Fireware Web UI, see Generate Mobile VPN with IPSec Configuration Files.
If you use Policy Manager to configure Mobile VPN with IPSec, Policy Manager automatically generates and saves an end-user profile on the management computer. The user must have this end-user profile file to configure the Mobile VPN client. If you use a certificate for authentication, .p12 and cacert.pem files are automatically generated and saved in the same location as the end-user profile.
You can configure Mobile VPN with IPSec from Fireware Web UI, but if you use a certificate for authentication, you must use Policy Manager to generate the .p12 and cacert.pem files. These files are located in the same directory as the end-user profile generated by Policy Manager.
For information about how to configure the Mobile VPN profile for a group of users, see Configure the Firebox for Mobile VPN with IPSec.
After you configure Mobile VPN with IPSec on the Firebox, you must install a supported VPN client on each client computer, and import the end-user profile. For information about how to install the VPN client software and import the end-user profile, see Install the IPSec Mobile VPN Client Software.
When the VPN client is correctly configured, the user starts the Mobile VPN connection. If the credentials the user specifies are found in the authentication server database, and if the user is included in the Mobile VPN group you created, the Firebox starts the Mobile VPN session.
We recommend Mobile VPN with IKEv2 as an alternative to Mobile VPN with IPSec. The IKEv1 Aggressive Mode vulnerability described in CVE-2002-1623 affects Mobile VPN with IPSec. This vulnerability does not affect Mobile VPN with IKEv2 or L2TP. If you configure Mobile VPN with IPSec, we recommend that you configure a certificate instead of a pre-shared key if you have a WSM Management Server. If you do not have a Management Server, we recommend that you specify a strong pre-shared key and change it on a regular basis. We also recommend that you specify a strong hashing algorithm such as SHA-256.
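As an added example (not WatchGuard's code and not the Firebox's own configuration or end-user profile format), the following Python audit walks a simplified, assumed dict representation of a Mobile VPN with IPSec profile and flags the conditions this page recommends against: the default Any policy, IKEv1 Aggressive Mode, pre-shared key use where a certificate is possible, weak or stale keys, and hashes weaker than SHA-256. The dict keys, the thresholds (20-character key, 90-day rotation) and the sample values are assumptions.

```python
from datetime import date

# Assumed, simplified representation of a Mobile VPN with IPSec profile;
# this is NOT the Firebox configuration format or the end-user profile file.
STRONG_HASHES = {"SHA-256", "SHA-384", "SHA-512"}

def psk_is_strong(psk, min_len=20):
    """Rough strength test (assumed thresholds): length plus >= 3 character classes."""
    classes = sum(1 for t in (str.islower, str.isupper, str.isdigit) if any(t(c) for c in psk))
    classes += any(not c.isalnum() for c in psk)
    return len(psk) >= min_len and classes >= 3

def audit_mobile_vpn_profile(profile, today, max_psk_age_days=90):
    """Return a list of findings for one profile dict, following the page's recommendations."""
    findings = []
    # The Any policy added by default passes all traffic between VPN users and private networks.
    if any(p.get("name") == "Any" for p in profile.get("policies", [])):
        findings.append("Any policy present: delete it and add policies for specific resources")
    if profile.get("ike_version") == 1 and profile.get("aggressive_mode"):
        findings.append("IKEv1 Aggressive Mode in use (CVE-2002-1623): prefer Mobile VPN with IKEv2")
    if profile.get("auth") == "psk":
        if profile.get("has_management_server"):
            findings.append("Pre-shared key used although a Management Server exists: use a certificate")
        if not psk_is_strong(profile.get("psk", "")):
            findings.append("Pre-shared key is weak: specify a longer, mixed-character key")
        rotated = profile.get("psk_last_changed")
        if rotated is None or (today - rotated).days > max_psk_age_days:
            findings.append("Pre-shared key not changed recently: rotate it on a regular basis")
    if profile.get("hash") not in STRONG_HASHES:
        findings.append(f"Weak hash {profile.get('hash')}: use SHA-256 or stronger")
    return findings

# Constructed samples: the default-ish weak profile beside a hardened one.
SAMPLE_TODAY = date(2024, 6, 1)
WEAK_PROFILE = {
    "group": "Mobile-VPN-Users",
    "policies": [{"name": "Any", "from": "group", "to": "private networks"}],
    "ike_version": 1, "aggressive_mode": True,
    "auth": "psk", "psk": "password123", "psk_last_changed": date(2023, 1, 15),
    "has_management_server": True, "hash": "SHA-1",
}
HARDENED_PROFILE = {
    "group": "Mobile-VPN-Users",
    "policies": [{"name": "Mobile-VPN-Users-to-Intranet", "from": "group", "to": "10.0.10.0/24"}],
    "ike_version": 2, "aggressive_mode": False,
    "auth": "certificate", "has_management_server": True, "hash": "SHA-256",
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_mobile_vpn_profile(prof, SAMPLE_TODAY))
```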