Select a Mobile VPN Type

Fireware supports four types of Mobile VPNs:

  • Mobile VPN with IKEv2
  • Mobile VPN with L2TP
  • Mobile VPN with SSL
  • Mobile VPN with IPSec

Your Firebox can support all four types of mobile VPNs simultaneously. You can also configure a client computer to use one or more types of mobile VPNs.

Before you decide which type of Mobile VPN to use, consider your current infrastructure, network policy preferences, and these details:

The Mobile VPN with PPTP feature is not available in Fireware v12.0 and higher. If your Firebox has Fireware v11.12.4 or lower, Mobile VPN with PPTP is automatically removed from your configuration when you upgrade to Fireware v12.0 or higher. We recommend that you migrate to a different mobile VPN solution before you upgrade. For more information, see How do I migrate from PPTP to L2TP before I upgrade to Fireware v12.0? in the WatchGuard Knowledge Base. For documentation for Mobile VPN with PPTP, see Fireware Help v11.12.x.

Security

Each type of Mobile VPN has different security traits.

IKEv2

Mobile VPN with IKEv2 offers the highest level of security. Mobile VPN with IKEv2 includes multi-layer security, but it is limited to local Firebox authentication and RADIUS. Certificate-based client authentication is supported instead of a pre-shared key. For authentication, Mobile VPN with IKEv2 uses EAP and MS-CHAPv2.

In Fireware v12.2 or higher, the Firebox supports AES-GCM encryption.

In Fireware v12.5 or higher, the Firebox supports ECDSA (EC) certificates for Mobile VPN with IKEv2. Your IKEv2 VPN client must also support EC certificates. Support varies by operating system. For more information, see About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.

Mobile VPN with IKEv2 supports multi-factor authentication for MFA solutions that support MS-CHAPv2.

AuthPoint is the WatchGuard MFA solution. To use AuthPoint for Mobile VPN with IKEv2, see:

L2TP

Mobile VPN with L2TP offers a high level of security, which includes multi-layer security. However, authentication server options are limited to local Firebox authentication and RADIUS. The client must know the pre-shared key.

Mobile VPN with L2TP also supports certificate-based client authentication in place of the pre-shared key.

Mobile VPN with L2TP supports multi-factor authentication for MFA solutions that support MS-CHAPv2. AuthPoint, the WatchGuard MFA service, supports MS-CHAPv2 RADIUS authentication.

In Fireware v12.5.3 or higher, Mobile VPN with L2TP supports AuthPoint for multi-factor authentication to Active Directory through NPS. AuthPoint is the WatchGuard MFA service. To use AuthPoint with Mobile VPN with L2TP, see:

SSL

Mobile VPN with SSL is a secure mobile VPN option, but it is less secure than IPSec-based VPNs because:

  • It does not support multi-layer encryption
  • An attacker needs to know only the Firebox IP address and client login credentials to connect.

In Fireware v12.2 or higher, Mobile VPN with SSL supports AES-GCM.

If your RADIUS server supports multi-factor or two-factor authentication, you can use multi-factor or two-factor authentication with WatchGuard Mobile VPN with SSL.

AuthPoint is the WatchGuard MFA solution. To use AuthPoint for Mobile VPN with SSL, see Firebox Mobile VPN with SSL Integration with AuthPoint.

IPSec

Mobile VPN with IPSec supports encryption levels up to 256-bit AES and multi-layer encryption.

You can use any authentication method supported by the Firebox.

An attacker who has the login credentials also needs detailed setup information to connect to the VPN, which includes the pre-shared key.

Mobile VPN with IPSec also supports certificate-based client authentication instead of the pre-shared key.

If your RADIUS server supports multi-factor authentication, you can use multi-factor authentication with WatchGuard Mobile VPN with IPSec.

AuthPoint is the WatchGuard MFA solution. To use AuthPoint for Mobile VPN with IPSec, see Firebox Mobile VPN with IPSec Integration with AuthPoint.

We recommend Mobile VPN with IKEv2 as an alternative to Mobile VPN with IPSec. The IKEv1 Aggressive Mode vulnerability described in CVE-2002-1623 affects Mobile VPN with IPSec. This vulnerability does not affect Mobile VPN with IKEv2 or L2TP. If you configure Mobile VPN with IPSec, we recommend that you configure a certificate instead of a pre-shared key if you have a WSM Management Server. If you do not have a Management Server, we recommend that you specify a strong pre-shared key and change it on a regular basis. We also recommend that you specify a strong hashing algorithm such as SHA-256.

Ease of Use

IKEv2

Mobile VPN with IKEv2 supports connections from native IKEv2 VPN clients on iOS, macOS, and Windows mobile devices. Android users can configure an IKEv2 VPN connection with the third-party strongSwan app.

Administrators can download a .bat configuration script from the Firebox to automatically configure an IKEv2 VPN profile on supported Windows operating systems. The configuration script also automatically installs the certificate. For operating system support information, see the Operating System Compatibility Matrix in the Fireware Release Notes.

For iOS and macOS, Administrators can download a .mobileconfig profile from the Firebox to automatically configure the native IKEv2 VPN client.

For Android, Firebox administrators can download a .sswan file from the Firebox to automatically configure the strongSwan app.

In Fireware v12.9 or higher, you can configure Mobile VPN with IKEv2 for full tunneling or split tunneling. In Fireware v12.8.1 or lower, Mobile VPN with IKEv2 sends all traffic over the VPN tunnel (full tunneling).

L2TP

You can use Mobile VPN with L2TP with native VPN clients and any L2TPv2 clients that comply with RFC 2661. To connect, the end user must specify a user name and password, which can be saved in some VPN clients. Users must manually configure the L2TP client.

Routing for client traffic over L2TP is controlled by the client configuration. Clients typically have an option to route all client traffic through the tunnel, or to route client traffic through the tunnel only for the same /24 subnet as the virtual IP address.

SSL

For Windows and macOS users, the client is easy to download and install. To download the VPN client, users connect over HTTPS to the Firebox and log in. After users download the client, they only need to know their login credentials to connect. As an administrator, you can enable or disable the option for the VPN client to remember the user name and password.

Clients with other operating systems and mobile devices can use OpenVPN clients to connect. To use an OpenVPN client, the user needs the client.ovpn file, which is also easy to download from the Firebox.

IPSec

Windows users can download and install the WatchGuard Mobile VPN client, which offers additional features. A paid license is required after a 30-day free trial.

For both clients, you must provide the client with a configuration file. If you use the WatchGuard IPSec Mobile VPN Client, you might also need to provide the pre-shared key. We recommend that you use a secure method, such as encrypted email, to distribute the configuration file.

Tunnel routing for both Windows clients can be as broad or specific as needed, based on the allowed resources you configure.

For macOS devices, you must configure a Mobile VPN profile to match the default settings of the on-device client, and configure the client to connect to the VPN. The client needs a user name and passphrase to connect.

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

Portability

Portability refers to the network environments from which the VPN client can connect.

IKEv2

By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec.

L2TP

By default, L2TP uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50.

If you disable IPSec, Mobile VPN with L2TP requires only UDP port 1701. This type of L2TP configuration should be allowed in most environments unless the network is configured to be extremely restrictive. However, this configuration does not provide the security of IPSec.

If you disable IPSec in the Mobile VPN with L2TP configuration, you must also disable IPSec on the client devices. On some devices, this procedure might be more difficult. For information about IPSec settings on a device, see the device manufacturer's documentation.

SSL

You can configure Mobile VPN with SSL to use any TCP or UDP port, or use the default setting, TCP 443. If you use a UDP port, you must still specify a TCP port for the initial authentication request. This makes Mobile VPN with SSL portable to almost any environment that allows outbound HTTPS and does not decrypt the traffic.

Although Mobile VPN with SSL usually works on most networks, it can fail because of firewall restrictions:

  • Content inspection — If a network device decrypts HTTPS traffic to inspect it for malicious content, Mobile VPN with SSL fails.
  • Protocol enforcement — If you enable the Allow only TLS-compliant traffic option on your Firebox, Mobile VPN with SSL might fail.
  • Application control — If an application control service blocks the open-source OpenVPN software, Mobile VPN with SSL fails.

You can configure the HTTPS proxy on a Firebox to allow non-compliant HTTPS requests. To learn more about the HTTPS proxy, see HTTPS-Proxy: General Settings.

IPSec

Mobile VPN with IPSec requires the client to access the Firebox on UDP ports 500 and 4500, and ESP IP Protocol 50. This often requires a specific configuration on the client's Internet gateway, so clients might not be able to connect from hotspots or with mobile Internet connections.

You can configure a Firebox to allow outbound IPSec requests. To learn more about outbound IPSec pass-through, see About Global VPN Settings.

Performance

IKEv2

Mobile VPN with IKEv2 performs better than Mobile VPN with L2TP and Mobile VPN with SSL.

L2TP

Mobile VPN with L2TP is faster than Mobile VPN with SSL, but slower than Mobile VPN with IKEv2.

SSL

Mobile VPN with SSL is slower than other mobile VPN types. It is not the best option for latency-sensitive traffic such as VoIP or high-bandwidth file transfers. However, you can improve Mobile VPN with SSL performance if you select UDP for the data channel and AES-GCM ciphers.

VPN Tunnel Capacity

When you select a type of VPN, make sure to consider the number of tunnels your device supports.

The maximum number of IKEv2, L2TP, SSL, and IPSec mobile VPN tunnels depends on the Firebox model.

You can see the maximum number of each type of VPN tunnel your Firebox supports in the Firebox feature key. For more information, see VPN Tunnel Capacity and Licensing.

Authentication Support

Make sure the Mobile VPN solution you choose supports the type of authentication server you use.

Mobile VPN Type                                                                   | AuthPoint | Active Directory | LDAP | RADIUS | SecurID | Firebox (Firebox-DB) Local Authentication
Mobile VPN with IKEv2                                                             | Yes       | Yes*             | No   | Yes    | No      | Yes
Mobile VPN with L2TP                                                              | Yes       | Yes*             | No   | Yes    | No      | Yes
Mobile VPN with SSL                                                               | Yes       | Yes              | Yes  | Yes    | Yes     | Yes
Mobile VPN with IPSec for iOS, Windows, and macOS (WatchGuard/NCP premium client) | Yes       | Yes              | Yes  | Yes    | Yes     | Yes
Mobile VPN with IPSec for Android (native client)                                 | Yes       | Yes              | Yes  | Yes    | No      | Yes

* Active Directory authentication for IKEv2 and L2TP is supported only through a RADIUS server.

The RADIUS server must return the Filter-Id attribute (RADIUS attribute #11) in its Access-Accept response. The value of the Filter-Id attribute must match the name of the correct group (SSLVPN-Users, or the name of the group you define in the Mobile VPN with SSL or Mobile VPN with IPSec configuration).
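The Filter-Id requirement above is a common source of "authentication succeeded but the VPN refused the user" reports, because the Access-Accept is only half of the authorization: the group name in attribute 11 must also match. The following added example (written for this page, not WatchGuard or Firebox code) builds constructed RFC 2865 response packets, verifies the Response Authenticator against the shared secret so a forged or mis-keyed reply is rejected before its attributes are trusted, and then checks whether a Filter-Id names the expected group. The shared secret, Request Authenticator bytes and group names are all constructed sample values.

```python
import hashlib
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_FILTER_ID = 11          # the attribute the Firebox matches against the VPN group name
HEADER_LEN = 20              # code(1) + identifier(1) + length(2) + authenticator(16)


def _response_authenticator(code, identifier, length, request_auth, attrs_bytes, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(
        struct.pack("!BBH", code, identifier, length) + request_auth + attrs_bytes + secret
    ).digest()


def build_response(code, identifier, request_auth, secret, attrs):
    """Build a RADIUS response packet; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = HEADER_LEN + len(body)
    auth = _response_authenticator(code, identifier, length, request_auth, body, secret)
    return struct.pack("!BBH", code, identifier, length) + auth + body


def parse_response(packet, request_auth, secret):
    """Verify the Response Authenticator, then return (code, [(type, value), ...])."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body = packet[HEADER_LEN:]
    expected = _response_authenticator(code, identifier, length, request_auth, body, secret)
    if packet[4:HEADER_LEN] != expected:
        # Wrong shared secret, or a reply that was not produced by the real server.
        raise ValueError("Response Authenticator mismatch")
    attrs = []
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[offset], body[offset + 1]
        if alen < 2 or offset + alen > len(body):
            raise ValueError("invalid attribute length")
        attrs.append((atype, body[offset + 2:offset + alen]))
        offset += alen
    return code, attrs


def filter_id_values(packet, request_auth, secret):
    """All Filter-Id strings in an Access-Accept; empty list for any other code."""
    code, attrs = parse_response(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_FILTER_ID]


def vpn_group_authorized(packet, request_auth, secret, expected_group):
    """True only if the server accepted the user AND a Filter-Id names the expected group."""
    return expected_group in filter_id_values(packet, request_auth, secret)


# --- Constructed sample data (not captured from a real server) ---
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))   # stand-in for the 16-byte Request Authenticator we sent

ACCEPT_OK = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET,
                           [(ATTR_FILTER_ID, b"SSLVPN-Users")])
ACCEPT_WRONG_GROUP = build_response(ACCESS_ACCEPT, 8, REQUEST_AUTH, SECRET,
                                    [(ATTR_FILTER_ID, b"Contractors")])
ACCEPT_NO_FILTER_ID = build_response(ACCESS_ACCEPT, 9, REQUEST_AUTH, SECRET, [])
REJECT = build_response(ACCESS_REJECT, 10, REQUEST_AUTH, SECRET, [])

if __name__ == "__main__":
    for name, pkt in [("accept, expected group", ACCEPT_OK),
                      ("accept, other group", ACCEPT_WRONG_GROUP),
                      ("accept, no Filter-Id", ACCEPT_NO_FILTER_ID),
                      ("reject", REJECT)]:
        print(f"{name}: authorized={vpn_group_authorized(pkt, REQUEST_AUTH, SECRET, 'SSLVPN-Users')}")
```

Run it to see that only the first packet authorizes the user: an Access-Accept without Filter-Id, or with a Filter-Id naming some other group, is as good as a rejection for the VPN, which is exactly the symptom an administrator sees when the RADIUS group policy is misconfigured. The authenticator check is what separates this from a naive parser; a reply that fails it should be logged and discarded rather than inspected for attributes.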

Other Considerations

  • Mobile VPN with IKEv2 offers the highest level of security, best performance, and easiest deployment. This VPN type has certificate-based client authentication instead of a pre-shared key.
  • Mobile VPN with IKEv2, L2TP, and IPSec work only when the required ports and protocols are allowed on the remote networks. This means these mobile VPN types might not work on all remote networks.
  • With Mobile VPN with L2TP, you can use L2TP to transport protocols other than IP.
  • Mobile VPN with IPSec is the only VPN type that allows you to configure different VPN configuration profiles for different groups of users.
  • We recommend Mobile VPN with SSL when IKEv2 IPSec traffic is not allowed on the remote network.

The WatchGuard Mobile VPN app for Android is no longer available in the Google Play store. The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store. We no longer support these legacy apps.

Protocol Details

Each type of mobile VPN uses different ports, protocols, and encryption algorithms to establish a connection. The required ports and protocols must be open between the mobile device and your Firebox for the mobile VPN to function.

See Also

Mobile VPN with IKEv2

Mobile VPN with L2TP

About Mobile VPN with SSL

Mobile VPN with IPSec