Configure Mobile VPN with IPSec to Connect to a Dynamic IP Address

We recommend that you use either a static IP address for a Firebox that is a VPN endpoint, or use Dynamic DNS. For more information about Dynamic DNS, see About the Dynamic DNS Service.

If neither of these options is possible, and the external IP address of the Firebox changes, you must either give remote IPSec users a new .wgx configuration file or have them edit the client configuration to include the new IP address each time that the IP address changes. Otherwise, IPSec users cannot connect until they get the new configuration file or IP address.

Use these instructions to configure the Firebox and support the IPSec client users if the Firebox has a dynamic IP address and you cannot use Dynamic DNS.

Keep a Record of the Current IP Address

To find the current IP address of the external interface, from Fireware Web UI:

  1. Select Dashboard > Interfaces.
  2. Find the interface with the alias External and review the IP address. This is the external IP address of the Firebox.

To find the current IP address of the external interface, from Policy Manager:

  1. Select Network > Configuration.
  2. Find the interface with type External and review the IP address in the IP column. This is the external IP address of the Firebox.

The current external interface IP address is saved to the .wgx configuration files. If remote users cannot connect, check the external IP address of the Firebox to see if the IP address has changed.

Configure the Firebox and IPSec Client Computers

The Firebox must have an IP address assigned to the external interface before you download the .wgx files. This is the only difference from the normal configuration of the Firebox and IPSec client computers.

Update the Client Configurations When the Address Changes

When the external IP address of the Firebox changes, the remote IPSec Mobile VPN client computers cannot connect until they have been configured with the new IP address. You can change the IP address in two ways.

  • Give remote users a new .wgx configuration file to import.
  • Have remote users manually edit the IPSec client configuration. For this option, you must configure the Firebox so remote users can edit the configuration. You can control whether the users can edit the configuration when you generate the .wgx file. For information about how to save an unlocked .wgx file, see Lock Down an End User Profile.

You can generate a new .wgx configuration file and distribute it to your mobile users.

To generate a new .wgx file, from Fireware Web UI:

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the IPSec section, select Configure.
    The Mobile VPN with IPSec page appears.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  4. Select a Mobile VPN user group and click Generate to generate and download the .wgx files.
  5. Distribute the .wgx files to the remote users.
  6. Tell the remote users to Import the End-User Profile.

To generate a new .wgx file, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
  2. Select a Mobile VPN user group and click Generate to generate and download the .wgx files.
  3. Distribute the .wgx files to the remote users.
  4. Tell the remote users to Import the End-User Profile.

If you do not generate and distribute a new .wgx file, you can instruct your users to manually edit the gateway IP address in the Mobile VPN with IPSec client configuration.

For users to manually edit the client configuration:

  1. Give remote users the new external IP address of the Firebox and tell them to perform the next five steps.
  2. On the IPSec client computer, select Start > All Programs > WatchGuard Mobile VPN > Mobile VPN Monitor.
  3. Select Configuration > Profile Settings.
  4. Select the profile and click Configure.
  5. In the left column, select IPSec General Settings.
  6. In the Gateway text box, type the new external IP address of the Firebox.

See Also

Mobile VPN with IPSec