Configure Mobile VPN with IKEv2 for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

Before you enable Mobile VPN with IKEv2, you must configure authentication settings for the Firebox and add the users and groups you want to authenticate with Mobile VPN. Mobile VPN with IKEv2 supports authentication through the local Firebox authentication database (Firebox-DB) or a RADIUS authentication domain. For more information, see Authentication Methods for Mobile VPN.

Configure Mobile VPN Settings

To configure Mobile VPN with IKEv2 settings, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. In the VPN section, click the Mobile VPN tile.
    The Select VPN page opens.

Screen shot of the Select VPN page

  5. Click IKEv2.
    The Mobile VPN with IKEv2 configuration page opens.

Screen shot of the Mobile VPN with IKEv2 page

  6. In the Name text box, type the VPN connection name.
    This name appears as the VPN connection name on the client.
  7. Configure the other settings as described in the sections that follow.
  8. To save the configuration changes to the cloud, click Save.

Add Firebox Addresses

In the Firebox Addresses settings, add an IP address or domain name for connections from IKEv2 VPN clients to the Firebox.

To configure Firebox addresses, from WatchGuard Cloud:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.

Screen shot of the Firebox Address section of the Mobile VPN configuration

  2. In the Firebox Addresses section, click Add Domain Name or IP Address.
    The Add Domain Name or IP Address dialog box opens.

Screen shot of the Add Domain Name or IP Address dialog box

  3. From the Type drop-down list, select the address type:
    • Host IPv4 — Specify an IPv4 address for connections from IKEv2 VPN clients to the Firebox.
    • FQDN — Specify a fully qualified domain name for connections from IKEv2 VPN clients to the Firebox.
  4. Type the host IPv4 address or domain name.

If your Firebox is behind a NAT device, specify the public IP address or domain name of the NAT device, because that is the address the clients actually reach. The NAT device must also forward the IKEv2 traffic (UDP ports 500 and 4500) to the Firebox.

  5. Click Add.

Add Authentication Domains

By default, Mobile VPN with IKEv2 uses the Firebox database for user authentication. You can also use a RADIUS server for authentication.

Before you can configure Mobile VPN with IKEv2 to use an authentication domain, you must add the authentication domain to WatchGuard Cloud, add groups and users, and add the authentication domain to the Firebox. For more information, see Authentication Methods for Mobile VPN.

To add an authentication domain:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.

Screen shot of the Authentication Domains section of the Mobile VPN configuration

  2. Click Add Authentication Domains.
    The Add Authentication Domains page opens.
  3. Select the authentication domains you want to use for Mobile VPN with IKEv2 user authentication.

Screen shot of selected authentication domains

  4. (Optional) Change the server order. The first server in the list is the default authentication server. To change the order, click the move handle for an authentication server and drag it up or down in the list.
  5. Click Close.

Add Users and Groups

After you specify the authentication domains, select the users and groups that can use an IKEv2 VPN client to connect to network resources protected by the Firebox.

When you add users and groups, you select from a list of users or groups on the authentication servers you added in the previous step. Users and groups you select are automatically added to the IKEv2-Users group.

To add users and groups to the Mobile VPN with IKEv2 configuration:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.
  2. To add groups to the Mobile VPN with IKEv2 configuration:
    1. Click Add Groups.
    2. Select the check box for each group to add.
    3. Click Close.
      The selected groups are added to the groups list.
  3. To add users to the Mobile VPN with IKEv2 configuration:
    1. Click Add Users.
    2. Select the check box for each user to add to Mobile VPN with IKEv2.
    3. Click Close.
      The selected users are added to the Users list.

Screen shot of the Users and Groups settings with users and groups added

  4. To remove a user or group from the Mobile VPN with IKEv2 configuration, in the row for that user or group, click the remove icon.

Edit the Virtual IP Address Pool

The virtual IP address pool is the set of private IP addresses the Firebox assigns to Mobile VPN with IKEv2 users. The default is 192.168.114.0/24. You can add other address ranges to the pool and remove the default range.

Make sure the address ranges in the virtual IP address pool do not overlap with any network assigned to a Firebox interface. An overlap with the local network a client connects from (for example, a home router's 192.168.1.0/24) also causes problems, because the client cannot route to those addresses through the tunnel.

To update the virtual IP address pool:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.
  2. To add IP addresses to the pool:
    1. Click Add Virtual IP Address Pool.
      The Add Virtual IP Address Pool dialog box opens.

    Screen shot of the Add Virtual IP Address Pool dialog box

    2. Type an IP address and netmask.
    3. Click Add.
  3. To remove an address range from the pool, in the row for that range, click the remove icon.
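A pre-deployment check for the pool ranges, as an added example that is not part of the page and not WatchGuard code. It assumes the constructed list of Firebox interface networks and the list of common client-side LAN ranges shown in the code; the RFC 1918 membership and overlap logic is standard Python `ipaddress` and runs offline. It goes beyond the page's single default range by also checking several pool ranges against each other.

```python
import ipaddress
from typing import Any, Dict, Iterable, List

# Constructed sample data (not from the page): networks assigned to Firebox interfaces.
FIREBOX_NETWORKS = [
    "10.0.1.0/24",      # trusted network
    "10.0.2.0/24",      # optional network
    "203.0.113.5/32",   # external interface address (documentation range)
]

# Assumption: LAN ranges commonly used by home and hotspot routers. A pool that
# overlaps the client's own LAN makes those pool addresses unreachable for that client.
COMMON_CLIENT_LANS = ["192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24"]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DEFAULT_POOL = "192.168.114.0/24"   # the default pool named on the page


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True if the whole range lies inside one RFC 1918 private block."""
    return any(net.subnet_of(block) for block in RFC1918)


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses the Firebox can hand to clients (network and broadcast excluded)."""
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def check_pool(pool: str, firebox_networks: Iterable[str],
               client_lans: Iterable[str] = COMMON_CLIENT_LANS) -> Dict[str, Any]:
    """Check one virtual IP pool range against Firebox networks and client LANs.

    Overlap with a Firebox network is an error (the page's hard requirement);
    overlap with a common client LAN is only a warning.
    """
    net = ipaddress.ip_network(pool, strict=False)   # normalises host bits, e.g. .1/24 -> .0/24
    errors: List[str] = []
    warnings: List[str] = []

    if not isinstance(net, ipaddress.IPv4Network):
        errors.append(f"{net} is not an IPv4 range")
        return {"pool": str(net), "usable": 0, "errors": errors, "warnings": warnings, "ok": False}
    if not is_rfc1918(net):
        errors.append(f"{net} is not an RFC 1918 private range")
    for fb in firebox_networks:
        fb_net = ipaddress.ip_network(fb, strict=False)
        if net.overlaps(fb_net):
            errors.append(f"{net} conflicts with Firebox network {fb_net}")
    for lan in client_lans:
        if net.overlaps(ipaddress.ip_network(lan)):
            warnings.append(f"{net} overlaps common client LAN {lan}")
    return {"pool": str(net), "usable": usable_hosts(net),
            "errors": errors, "warnings": warnings, "ok": not errors}


def check_pools(pools: Iterable[str], firebox_networks: Iterable[str]) -> Dict[str, Any]:
    """Check every pool range, plus pairwise overlap between the ranges themselves."""
    results = [check_pool(p, firebox_networks) for p in pools]
    nets = [ipaddress.ip_network(r["pool"]) for r in results
            if isinstance(ipaddress.ip_network(r["pool"]), ipaddress.IPv4Network)]
    overlap_errors: List[str] = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                overlap_errors.append(f"pool {a} overlaps pool {b}")
    ok = all(r["ok"] for r in results) and not overlap_errors
    return {"pools": results, "overlap_errors": overlap_errors,
            "usable_total": sum(r["usable"] for r in results), "ok": ok}


if __name__ == "__main__":
    for candidate in (DEFAULT_POOL, "10.0.1.128/25", "192.168.1.0/24"):
        r = check_pool(candidate, FIREBOX_NETWORKS)
        print(candidate, "OK" if r["ok"] else "REJECT", r["errors"], r["warnings"])
```

Run the script with your own interface networks in `FIREBOX_NETWORKS` before you add a range in the dialog box; `usable_total` also tells you whether the pool is large enough for the number of concurrent IKEv2 users you expect (a /24 gives 254 addresses).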

Use an Internal DNS Server

By default, Mobile VPN with IKEv2 clients use the DNS servers configured on the client. If you configured an internal DNS server for your Firebox, you can instead have IKEv2 VPN clients use that server for DNS resolution.

This setting appears only if your Firebox configuration includes an internal DNS server. For information about how to add an internal DNS server to the Firebox configuration, see Configure Firebox DNS Settings.

To configure mobile VPN connections to use the internal DNS server:

  1. Select the Use Internal DNS check box.

Screen shot of the Use Internal DNS setting in the Mobile VPN configuration

  2. From the Internal DNS Server drop-down list, select the IP address of the internal DNS server.

Next Steps

After you finish the Mobile VPN with IKEv2 configuration, click the Download tab and download the Mobile VPN with IKEv2 client profile, which contains information and setup files for IKEv2 VPN clients. For more information, see Configure Mobile VPN with IKEv2 Clients.

See Also

Add a Cloud-Managed Firebox to WatchGuard Cloud

Manage Device Configuration Deployment