Configure the IPSec Mobile VPN Client for Mobile VPN with IKEv2
Applies To: Locally-managed Fireboxes
In Fireware v12.11.1 and higher, you can import an IKEv2 VPN profile and configuration to the WatchGuard IPSec Mobile VPN client for Windows. To do so, you must download a .TGZ file from the Firebox and extract the contents. You then use the extracted files to import an IKEv2 VPN profile and configuration to the client. The WatchGuard IPSec Mobile VPN client for macOS does not support IKEv2.
This IKEv2 import feature requires the WatchGuard IPSec Mobile VPN Client for Windows v15.19 or higher.
To use the IPSec Mobile VPN client with IKEv2, you must:
- Verify system requirements.
- Download the client software.
- Install the IPSec Mobile VPN client.
- Import an IKEv2 VPN profile.
- Connect to your private network.
WatchGuard IPSec Mobile VPN Client System Requirements
Before you install the WatchGuard IPSec Mobile VPN client for Windows, make sure you understand these requirements and recommendations.
- You can install the IPSec Mobile VPN client software on any computer with a supported version of Windows. For information about which operating systems are compatible, go to the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware on the Fireware Release Notes page of the WatchGuard website.
- Before you install the client software, make sure the remote computer does not have any other IKEv2 VPN client software installed. You must also uninstall any desktop firewall software (other than Microsoft firewall software) from each remote computer.
- We recommend that you install all available service packs for your Windows operating system before you install the IPSec Mobile VPN client software.
- We recommend that you keep all default IPSec Mobile VPN client settings unless this documentation directs you to change a setting.
Download the WatchGuard IPSec Mobile VPN Client for Windows Software
You can download the WatchGuard IPSec Mobile VPN client for Windows from the Software Downloads section of the WatchGuard website. This VPN client, powered by NCP, is compatible with all versions of Fireware, and supports IKEv2 configuration settings. The client includes a free 30-day trial license. To use the client after the initial 30-day trial period, you must purchase an IPSec Mobile VPN client license.
Install the WatchGuard IPSec Mobile VPN Client for Windows Software
The installation process consists of two parts:
- Install the IPSec Mobile VPN client software on the remote computer
- Import the IKEv2 profile into the client
Before you start the installation, make sure you have these installation components:
- The WatchGuard IPSec Mobile VPN client for Windows installation file. The client has different installers for Windows 32-bit and 64-bit platforms.
- .INI file that includes the IKEv2 profile to import.
The .TGZ file you download from the Firebox includes this file.
- .PEM certificate file.
The .TGZ file you download from the Firebox includes this file.
Install the Client
To install the IPSec Mobile VPN client on a Windows computer:
- Copy the IPSec Mobile VPN client installation file (.ZIP) for the client OS to the remote computer and extract the contents of the file. Do not run the installation software from an external drive.
- Double-click the .EXE file you extracted in Step 1. This starts the IPSec Mobile VPN client Installation wizard. You must restart your computer when the installation wizard completes.
The IPSec Mobile VPN client can have multiple profiles. For example, if you plan to migrate mobile VPN users to a different authentication method, you can configure the client with two different profiles so users can authenticate with either authentication method while they migrate.
Import the IKEv2 VPN Profile
To import the IKEv2 profile and configuration to the IPSec Mobile VPN client, you must first download a .TGZ file from the Firebox and extract the contents to your Windows computer. This compressed file includes a README.txt instruction file, an .INI profile configuration file, and a .PEM certificate file. You use these files with the IPSec Mobile VPN client to create an IKEv2 profile and configuration. For information about how to download the .TGZ file, go to Configure Client Devices for Mobile VPN with IKEv2.
IKEv2 configurations that include AES-GCM (192-bit) encryption are not supported.
To import and configure a new IKEv2 VPN profile from Windows:
- From the unpacked .TGZ file, copy the WatchGuard IPSec Mobile VPN directory to the Windows computer. This directory contains the IKEv2 profile configuration file and the required certificate for the profile.
The WatchGuard IPSec Mobile VPN directory is available in Fireware v12.11.1 and higher.
- From the WatchGuard IPSec Mobile VPN folder, copy the .PEM file to this location on your Windows computer:
C:\ProgramData\WatchGuard\Mobile VPN\cacerts
- From your Windows computer, select Start > WatchGuard Mobile VPN > Mobile VPN Monitor.
If the IPSec Mobile VPN client prompts you to manually configure a profile, click No.
- Select Configuration > Profiles.
The Profiles page opens.
- Click Add / Import.
The New Profile Wizard starts.
- From the Connection Type page, select Profile Import.
- Click Next.
The Select User Profile page opens.
- From File Name, browse to the WatchGuard IPSec Mobile VPN folder and select the .INI configuration file. To view the .INI file, you must select All Files from the Windows file format drop-down list.
- Click Next.
The Overwrite or Add Profile page opens.
- Select the profile to import.
- Click Next, and click Finish.
The new profile is now available as a connection profile.
After you install the client software, reinstall any original desktop firewall software or configure the firewall that is part of the client software. If you use a third-party desktop firewall, make sure you configure it to allow traffic to establish the VPN tunnel and the traffic that goes through the tunnel. Contact your network administrator for further instructions.
Import an IKEv2 VPN Profile with Client Install
You can use the IKEv2 files from the .TGZ file to import and create an IKEv2 profile when you install the WatchGuard IPSec Mobile VPN client for Windows. For information about how to download the .TGZ file, go to Configure Client Devices for Mobile VPN with IKEv2.
With this method, a silent installation takes place. It requires no user interaction, and the Windows host computer restarts automatically. This method assumes the client is not already installed on the Windows computer.
To import an IKEv2 profile at the same time that you install the IPSec Mobile VPN client, you must:
- Create a directory structure that contains the IKEv2 files and the WatchGuard IPSec Mobile VPN for Windows client .EXE
- Run a Windows command prompt in administrator mode
- Install the IPSec Mobile VPN client from the command line
You can only import one IKEv2 profile with this method.
To import an IKEv2 profile when you install the IPSec Mobile VPN client:
- From the Windows host computer, create a directory for the installation files. In this example, we create the directory at the root of the C: drive and name it WatchGuard IKEv2 Mobile VPN.
- Download the WatchGuard IPSec Mobile VPN client for Windows and copy it to the WatchGuard IKEv2 Mobile VPN directory. In this example, we use the WG-Mobile-VPN_Windows_x86-64_1519_29720.exe client installation file.
- Create a subdirectory in the WatchGuard IKEv2 Mobile VPN directory named IMPORTDIR.
- Create a subdirectory in the IMPORTDIR directory named CACERTS.
- Create a subdirectory in the IMPORTDIR directory named DATA.
- Copy the .PEM certificate file from the WatchGuard IPSec Mobile VPN profile directory to the CACERTS directory.
- Copy the .INI file that includes the IKEv2 profile to the DATA directory.
- Rename the .INI file to import.ini.
- From the Windows Start menu, right-click Command Prompt and select Run as Administrator.
A Windows Command Prompt window opens.
- Change directory to the location of the WatchGuard IKEv2 Mobile VPN directory.
- To run the IPSec Mobile VPN client installer and import the IKEv2 profile, in the Command Prompt window, type:
"C:\WatchGuard IKEv2 Mobile VPN\WG-Mobile-VPN_Windows_x86-64_1519_29720.exe" /S /v/qn
A silent installation runs, and the Windows host computer restarts automatically.
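The staging and install steps above as one PowerShell script, added here as an example and not WatchGuard's own code. The extraction path in $ProfileSrc and the Authenticode check on the installer are assumptions; the directory names, installer file name, and switches are the ones used on this page.

```powershell
# Added example: stage the IKEv2 files and run the silent install described above.
# Assumptions (not from the original page): $ProfileSrc is where the
# "WatchGuard IPSec Mobile VPN" directory from the .TGZ was extracted, the installer
# has already been copied to $Root, and the installer is Authenticode-signed.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Root       = 'C:\WatchGuard IKEv2 Mobile VPN'
$Installer  = Join-Path $Root 'WG-Mobile-VPN_Windows_x86-64_1519_29720.exe'
$ProfileSrc = 'C:\Temp\WatchGuard IPSec Mobile VPN'   # assumed extraction path

# This method imports one profile only, so require exactly one .INI and one .PEM.
$ini = @(Get-ChildItem -LiteralPath $ProfileSrc -Filter '*.ini' -File)
$pem = @(Get-ChildItem -LiteralPath $ProfileSrc -Filter '*.pem' -File)
if ($ini.Count -ne 1) { throw "Expected one .INI in $ProfileSrc, found $($ini.Count)" }
if ($pem.Count -ne 1) { throw "Expected one .PEM in $ProfileSrc, found $($pem.Count)" }

# Added check: do not run an installer whose signature fails validation.
$sig = Get-AuthenticodeSignature -LiteralPath $Installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }
Write-Host "Installer signed by: $($sig.SignerCertificate.Subject)"

# IMPORTDIR\CACERTS holds the certificate; IMPORTDIR\DATA holds import.ini.
$caDir   = Join-Path $Root 'IMPORTDIR\CACERTS'
$dataDir = Join-Path $Root 'IMPORTDIR\DATA'
New-Item -ItemType Directory -Path $caDir, $dataDir -Force | Out-Null

Copy-Item -LiteralPath $pem[0].FullName -Destination $caDir
# Copying to the new name covers the "rename to import.ini" step.
Copy-Item -LiteralPath $ini[0].FullName -Destination (Join-Path $dataDir 'import.ini')

# Same switches as the command on this page; the computer restarts automatically.
Set-Location -LiteralPath $Root
& $Installer /S /v/qn
```

Review the signer subject printed by the script before you deploy it widely, because a valid signature only proves the file is intact and signed by that publisher.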
Connect and Disconnect the IPSec Mobile VPN Client
The WatchGuard IPSec Mobile VPN client makes a secure connection from a remote computer to your protected network over the Internet. To start this connection, you must connect to the Internet and use the IPSec Mobile VPN client to connect to the protected network.
The Connection Mode in your IPSec Mobile VPN connection profile might be configured so that the client automatically starts the VPN connection. For more information about connection modes, go to Control Connection Behavior.
Manually Start the IPSec Mobile VPN Client
To manually start the VPN connection:
- Make sure your Windows computer has a connection to the Internet.
- Start the WatchGuard IPSec Mobile VPN client.
- From the Connection Profile drop-down list, select the name of the profile you created for your mobile VPN connections to the Firebox.
- To manually start the connection, enable the Connection toggle.
Manually Disconnect the IPSec Mobile VPN Client
To disconnect, in the Mobile VPN Monitor dialog box, disable the Connection toggle.
To connect, disconnect, or select the connection profile, you can also right-click the IPSec Mobile VPN icon in the Windows system tray.