Generate Mobile VPN with IPSec Configuration Files

To configure the WatchGuard IPSec Mobile VPN Client, you import a configuration file. The configuration file is also called the end user profile. When you first configure a Mobile VPN with IPSec group, or if you make a change to the settings for a group, you must regenerate the configuration file for the group and provide it to mobile users.

To generate an end-user profile file for a group, from Fireware Web UI:

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the IPSec section, select Configure.
    The Mobile VPN with IPSec page appears.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  4. In the Groups list, select the Mobile VPN group.
  5. From the Client drop-down list, select WatchGuard Mobile VPN to generate a .ini file for the WatchGuard Mobile VPN client.
  6. Click Generate.
  7. Select a file name and location to save the configuration file. The correct file extension is automatically added when the file is saved. Do not specify a different file extension.

To generate an end user profile file for a group, from Policy Manager:

  1. Select VPN > Mobile VPN > IPSec.
  2. Select the Mobile VPN group.
  3. Click Generate.

    Policy Manager generates the configuration files and shows the location where you can find the generated files.

You can now distribute the configuration file to the end users.

There are three types of configuration files.


The .wgx file is used by the WatchGuard IPSec Mobile VPN Client. A .wgx file cannot set the Line Management settings in the client software. If you set Line Management to anything other than Manual, you must use the .ini configuration file. The .wgx file is encrypted with the passphrase specified in the Mobile VPN with IPSec configuration. You must use Policy Manager to generate the encrypted .wgx file.


The .ini file is used by the WatchGuard IPSec Mobile VPN Client. Use this file format only if you did not set Line Management to Manual. The .ini file is not encrypted.

For more information, see Line Management on the Advanced tab in Modify an Existing Mobile VPN with IPSec Group Profile.


The .vpn file is used by the Shrew Soft VPN Client. We no longer provide technical customer support for mobile VPN tunnels created with the Shrew Soft VPN Client. The Firebox no longer supports interoperability with the Shrew Soft VPN client.

The .ini file for the WatchGuard IPSec Mobile VPN Client can be generated as read-only so that the end users cannot change settings in the client.

For more information, see Lock Down an End User Profile.

If you use certificates for VPN authentication, copies of the CA and client certificates from your Management Server are also exported when you generate the end-user profile. For more information about these certificates, see Configure the Certificate Authority on the Management Server.