About Mobile VPN for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

Mobile Virtual Private Networking (Mobile VPN) creates a secure connection between a remote computer and network resources behind the Firebox.

This topic explains:

Mobile VPN Types

Cloud-managed Fireboxes support two Mobile VPN types:

Mobile VPN with IKEv2

Mobile VPN with IKEv2 provides the best security, performance, and ease of deployment. This VPN type uses IPSec for strong encryption and authentication. Users connect with native Windows, macOS, or iOS VPN clients, or with the strongSwan app for Android.

To authenticate users, you can configure local authentication on the Firebox (Firebox-DB), RADIUS, and AuthPoint. If your users authenticate with Active Directory, we recommend that you configure RADIUS authentication so the Mobile VPN with IKEv2 can pass through Active Directory credentials.

To authenticate the VPN server, IKEv2 VPN clients use the certificate that you select in Mobile VPN with IKEv2 configuration. You can use the default certificate signed by the Firebox or a third-party certificate.

We recommend Mobile VPN with IKEv2 in most cases.

Mobile VPN with SSL

Mobile VPN with SSL provides good security and performance, and uses a default port (TCP 443) that is usually open on most networks. Mobile VPN with SSL uses Transport Layer Security (TLS) to secure the connection. Windows and macOS users can download a client from software.watchguard.com or from the Firebox that automatically receives a configuration. Administrators can download a client from WatchGuard Cloud. Android and iOS users can download an OpenVPN client from an app store.

To authenticate users, you can configure local authentication on the Firebox (Firebox-DB), Active Directory, RADIUS, and AuthPoint.

We recommend Mobile VPN with SSL when remote networks do not allow IKEv2 IPSec traffic.

Your Firebox can support Mobile VPN with IKEv2 and Mobile VPN with SSL simultaneously.

Mobile VPN Clients

For information about which operating systems are compatible with Mobile VPN with SSL, see the Operating System Compatibility list in the Fireware Release Notes. For information about changes to the WatchGuard Mobile VPN with SSL client, see the Enhancements and Resolved Issues section in the Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page.

You can configure a client computer to use more than one mobile VPN type.

Mobile VPN Certificates

In the Mobile VPN with IKEv2 configuration, you must select a certificate for VPN server authentication. You can select the default Firebox certificate or a third-party certificate.

For more information, see Mobile VPN and Certificates and Manage Certificates.

Mobile VPN Authentication

In the Mobile VPN with IKEv2 configuration, you must select one or more authentication domains for Mobile VPN users. You can select any authentication domain configured in the Firebox authentication settings.

For more information, see Authentication Methods for Mobile VPN.

Mobile VPN Policies

When you configure Mobile VPN with IKEv2 or Mobile VPN with SSL, the Firebox automatically creates a system policy to allow VPN traffic from external networks to the Firebox. You can add other policies that apply to mobile VPN users.

For more information, see Mobile VPN and Firewall Policies.

Configure Mobile VPN

To configure Mobile VPN with IKEv2, see:

To configure Mobile VPN with SSL, see:

Monitor Mobile VPN

For cloud-managed Fireboxes, and for locally-managed Fireboxes with cloud reporting enabled, you can view live status information for Mobile VPN with IKEv2 and Mobile VPN with SSL.

For more information, see Monitor VPNs on Fireboxes and FireClusters.

See Also

Add a Cloud-Managed Firebox to WatchGuard Cloud

Manage Device Configuration Deployment