Use the macOS or iOS Native IPSec VPN Client

Apple iOS devices (iPhone, iPad, and iPod Touch) and macOS 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to a Firebox. To use the native IPSec VPN client to make a connection to your Firebox, you must configure the VPN settings on your Firebox to match those on the iOS or macOS device.

For IPSec VPN connections from a macOS device, you can also use the WatchGuard IPSec VPN Client for macOS. For more information, see Install the IPSec Mobile VPN Client Software.

You must configure Mobile VPN with IPSec for default-route VPN (0.0.0.0/0). The VPN client on the macOS or iOS device does not support split tunneling.

Supported Phase 1 and 2 Settings

For devices with iOS 9.3 and higher or macOS 10.11.4 and higher, these combinations of Phase 1 and 2 settings are supported.

If Diffie-Hellman Group 14 is selected in the Phase 1 settings:

  • Phase 1 Authentication — MD5, SHA1, SHA2-256, SHA2-512
  • Phase 1 Encryption — AES256
  • Phase 2 Authentication — MD5, SHA1
  • Phase 2 Encryption — 3DES, AES128, AES256
  • Perfect Forward Secrecy — No

If Diffie-Hellman Group 2 is selected in the Phase 1 settings:

  • Phase 1 Authentication — MD5, SHA1
  • Phase 1 Encryption — DES, 3DES, AES128, AES256
  • Phase 2 Authentication — SHA1, MD5
  • Phase 2 Encryption — 3DES, AES128, AES256
  • Phase 2 PFS — No

For devices with versions of iOS lower than 9.3, these Phase 1 and 2 settings are supported.

  • Diffie-Hellman Group 2
  • Phase 1 Authentication — MD5, SHA1
  • Phase 1 Encryption — DES, 3DES, AES128, AES256
  • Phase 2 Authentication — MD5, SHA1
  • Phase 2 Encryption — 3DES, AES128, AES256
  • Phase 2 PFS — No

SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices. We recommend you use SHA1.

Diffie-Hellman Group 5 is not supported on Apple devices for aggressive mode. Mobile VPN with IPSec only supports aggressive mode.
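The compatibility rules above can be checked before a Firebox Mobile VPN with IPSec configuration is pushed to users. The following Python pre-flight check is an added example, not WatchGuard or Apple code; the cfg field names and dict layout are assumptions, and it assumes macOS versions lower than 10.11.4 follow the same table as iOS lower than 9.3.

```python
# Pre-flight check of Firebox Mobile VPN with IPSec Phase 1/2 settings against
# the combinations the Apple native client supports (constructed example; the
# dict keys and the cfg field names are assumptions, not Firebox or Apple names).

# Supported combinations keyed by Phase 1 Diffie-Hellman group, from the
# tables for iOS 9.3+ / macOS 10.11.4+.
MODERN = {
    14: {"p1_auth": {"MD5", "SHA1", "SHA2-256", "SHA2-512"},
         "p1_enc": {"AES256"},
         "p2_auth": {"MD5", "SHA1"},
         "p2_enc": {"3DES", "AES128", "AES256"}},
    2: {"p1_auth": {"MD5", "SHA1"},
        "p1_enc": {"DES", "3DES", "AES128", "AES256"},
        "p2_auth": {"MD5", "SHA1"},
        "p2_enc": {"3DES", "AES128", "AES256"}},
}
# iOS lower than 9.3 supports DH Group 2 only (same Group 2 algorithms).
# Assumption: macOS lower than 10.11.4 is treated the same way.
LEGACY = {2: MODERN[2]}


def _version(text):
    return tuple(int(part) for part in text.split("."))


def check_apple_compat(cfg, platform, version):
    """Return a list of mismatches; an empty list means the config is supported.
    cfg fields: dh_group (int), p1_auth, p1_enc, p2_auth, p2_enc (str),
    pfs (bool), routes (list of CIDR strings pushed to the client).
    platform is "ios" or "macos"; version is a dotted string such as "9.3".
    """
    findings = []
    minimum = (9, 3) if platform == "ios" else (10, 11, 4)
    table = MODERN if _version(version) >= minimum else LEGACY
    # The Apple client cannot split-tunnel: the tunnel must be default-route.
    if cfg["routes"] != ["0.0.0.0/0"]:
        findings.append("routes must be default-route 0.0.0.0/0 only")
    allowed = table.get(cfg["dh_group"])
    if allowed is None:
        # Mobile VPN with IPSec uses aggressive mode, where Apple rejects DH Group 5.
        why = "in aggressive mode" if cfg["dh_group"] == 5 else f"on {platform} {version}"
        findings.append(f"DH Group {cfg['dh_group']} is not supported {why}")
        return findings
    for field in ("p1_auth", "p1_enc", "p2_auth", "p2_enc"):
        if cfg[field] not in allowed[field]:
            findings.append(f"{field}={cfg[field]} not in {sorted(allowed[field])}")
    if cfg["pfs"]:  # Perfect Forward Secrecy must be off for these clients
        findings.append("Phase 2 PFS must be disabled")
    return findings
```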

Configure the Firebox

Many of the VPN tunnel configuration settings in the VPN client on the macOS or iOS device are not configurable by the user. It is very important to configure the settings on your Firebox to match the settings required by the VPN client on the macOS or iOS device.

Configure the VPN Client on an iOS Device

To manually configure the VPN client settings on the iOS device:

  1. Select Settings > General > VPN > Add VPN Configuration.
  2. Configure these settings in the VPN client:
    • Type — IPSec
    • Server — The external IP address of the Firebox
    • Account — The user name on the authentication server
      Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
    • Password — The password for the user on the authentication server
    • Use Certificate — Set this option to OFF
    • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
    • Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration

After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.

To enable or disable the VPN client, click the VPN switch. When a VPN connection is established, the VPN icon appears in the status bar.

The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not have to retype the password each time the VPN client reconnects. If users do not save their passwords, they must type the password each time the client reconnects.

The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store.

Configure the VPN Client on a macOS Device

The Firebox does not generate a client configuration file for the VPN client on the macOS device. The user must manually configure the VPN client settings to match the settings configured on the Firebox.

To configure the VPN settings on the macOS device:

  1. Open System Preferences and select Network.
  2. Click + at the bottom of the list to add a new interface. Configure these settings:
    • Interface — VPN
    • VPN Type — Cisco IPSec
    • Service Name — Type the name to use for this connection
  3. Click Create.
    The new VPN interface appears in the list of network interfaces.
  4. Select the new interface in the list. Edit these settings:
    • Server Address — The external IP address of the Firebox
    • Account Name — The user name on the authentication server
      Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
    • Password — The password for the user on the authentication server
  5. Click Authentication Settings. Configure these settings:
    • Shared Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
    • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
  6. To add the VPN status icon to the macOS menu bar, select the Show VPN status in menu bar check box.
  7. Click Connect to start the VPN tunnel.

After you apply these settings, a VPN status icon appears in the menu bar of the macOS device.

To start or stop the VPN client connection, click the VPN status icon.

See Also

Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Define Advanced Phase 2 Settings