Configure Mobile VPN with IKEv2 for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

This topic explains how to:

Before You Begin

Before you enable Mobile VPN with IKEv2, make sure to configure authentication settings:

  • Add an authentication domain to WatchGuard Cloud.
  • Add groups and users.
  • Add the authentication domain to the Firebox.

Mobile VPN with IKEv2 supports authentication through the local Firebox authentication database (Firebox-DB), RADIUS, and AuthPoint.

For information about how to configure authentication settings, see Authentication Methods for Mobile VPN.

Enable Mobile VPN with IKEv2

To enable Mobile VPN with IKEv2, from WatchGuard Cloud:

  1. Select Configure > Devices.
  2. Select the cloud-managed Firebox.
  3. Click Device Configuration.
  4. In the VPN section, click the Mobile VPN tile.
    The Select VPN page opens.

Screen shot of the Select VPN page

  5. Click IKEv2.
    The Mobile VPN with IKEv2 configuration page opens.

Screen shot of the Mobile VPN with IKEv2 page

  6. In the Name text box, type the VPN connection name.
    This name appears as the VPN connection name on the client.

Select a Certificate

In the Firebox Addresses and Certificates section, select a certificate. VPN clients use the certificate to authenticate the VPN server, which is the Firebox. You can select the default certificate signed by the Firebox or a third-party certificate. To use a third-party certificate, you must first add it to the device or to your WatchGuard account.

For more information about Mobile VPN certificates, see Mobile VPN and Certificates and Manage Certificates.

To select a certificate, from WatchGuard Cloud:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.
  2. In the Firebox Addresses and Certificates section, select a certificate from the drop-down list.

Screen shot of a third-party certificate

Example third-party certificate

Screen shot of the Certificates setting

Default Firebox certificate

If you select a third-party certificate, the domain and IP address information in the certificate controls which names and addresses clients can connect to. If you select the default certificate signed by the Firebox, you must enter the IP address or fully-qualified domain name (FQDN) for connections from IKEv2 VPN clients to the Firebox.

Add a Domain Name or IP Address

To configure a domain name or IP address, from WatchGuard Cloud:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.

Screen shot of the Mobile VPN with IKEv2 certificate and client connection settings

  2. If you selected Default certificate signed by the Firebox, click Add Domain Name or IP Address.
    The Add Domain Name or IP Address dialog box opens.

Screen shot of the Add Domain Name or IP Address dialog box

  3. From the Type drop-down list, select the IP address type.
    • Host IPv4 — Specify an IP address for connections from IKEv2 VPN clients to the Firebox.
    • FQDN — Specify a fully qualified domain name for connections from IKEv2 VPN clients to the Firebox.
  4. Type the host IPv4 address or domain name.
    If your Firebox is behind a NAT device, specify the public IP address or domain name of the NAT device.
  5. Click Add.

Screen shot of the Firebox Address section of the Mobile VPN configuration

Add Allowed Resources

By default, all traffic from IKEv2 VPN clients, whether destined for the Internet or for your local network, goes through the VPN tunnel and is subject to your Firebox policies. This provides consistent security but lower performance. This option is also known as full tunneling or default route.

On Fireboxes that run Fireware v12.9 or higher, you can instead select an option to route only traffic destined for the networks you specify as allowed resources through the tunnel; other traffic, including traffic to the Internet, goes directly from the client. This option is also known as split tunneling. A split tunnel offers better performance than a full tunnel because the Firebox processes less traffic. However, a split tunnel can affect security because the Firebox does not inspect traffic sent to the Internet from VPN clients or traffic sent to the remote VPN client network.

To add allowed resources for split tunneling:

  1. In the Networking section, select Specify Allowed Resources for VPN Traffic.
  2. Click Add Network.
    The Add Network page opens.
  3. Select one or more networks configured on your Firebox.
  4. Click Add.
    The network appears in the list.

Screen shot of the Networking section with an internal network added

Add Authentication Domains

By default, Mobile VPN with IKEv2 uses the Firebox database for user authentication. You can also use a RADIUS server or AuthPoint for authentication.

Before you can configure Mobile VPN with IKEv2 to use an authentication domain, you must add the authentication domain to WatchGuard Cloud, add groups and users, and add the authentication domain to the Firebox. For more information, see Authentication Methods for Mobile VPN.

To use AuthPoint for Mobile VPN user authentication on a cloud-managed Firebox, you must first add the Firebox as an AuthPoint resource, which requires Fireware v12.7 or higher.

To add an authentication domain:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.

Screen shot of the Authentication Domains section of the Mobile VPN configuration

  2. Click Add Authentication Domains.
    The Add Authentication Domains page opens.
  3. Select the authentication domains you want to use for Mobile VPN with IKEv2 user authentication.
  4. The first server in the list is the default authentication server. To change the server order, click the move handle for an authentication server and drag it up or down in the list.
  5. Click Add.

Add Users and Groups

After you specify the authentication domains, select the users and groups that can use an IKEv2 VPN client to connect to network resources protected by the Firebox.

When you add users and groups, you select from a list of users or groups on the authentication servers you added in the previous step. Users and groups you select are automatically added to the IKEv2-Users group.

To add users and groups to the Mobile VPN with IKEv2 configuration:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.
  2. To add groups to the Mobile VPN with IKEv2 configuration:
    1. Click Add Groups.
    2. Select the check box for each group to add.
    3. Click Add.
      The selected groups are added to the Groups list.
  3. To add users to the Mobile VPN with IKEv2 configuration:
    1. Click Add Users.
    2. Select the check box for each user to add to Mobile VPN with IKEv2.
    3. Click Add.
      The selected users are added to the Users list.

Screen shot of the Users and Groups settings with users and groups added

  4. To remove a user or group from the Mobile VPN with IKEv2 configuration, in the row for that user or group, click .

Edit the Virtual IP Address Pool

The virtual IP address pool is the group of private IP addresses the Firebox assigns to Mobile VPN with IKEv2 users. The default is 192.168.114.0/24. You can add other addresses to the pool and remove the default address.

Make sure the network IP addresses in the virtual IP address pool do not conflict with the IP addresses assigned to a Firebox network.

To update the virtual IP address pool:

  1. Open the Mobile VPN with IKEv2 settings for the Firebox.
  2. To add IP addresses to the pool:
    1. Click Add Virtual IP Address Pool.
      The Add Virtual IP Address Pool dialog box opens.

    Screen shot of the Add Virtual IP Address Pool dialog box

    2. Type an IP address and netmask.
    3. Click Add.
  3. To remove an IP address from the pool, click .
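The page asks you to make sure the virtual IP address pool does not conflict with any Firebox network. The following script is an added example (not WatchGuard code) that performs that check offline with the Python standard library: it takes the pool entries you plan to enter and a constructed set of Firebox network names and subnets, and reports every overlap, plus any pool entry that is not a private address range.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# The default pool named on the page; the Firebox networks below are
# constructed sample values for this example, not from a real device.
DEFAULT_POOL = ["192.168.114.0/24"]
SAMPLE_FIREBOX_NETWORKS: Dict[str, str] = {
    "Trusted": "192.168.114.0/24",   # constructed: deliberately collides with the default pool
    "Optional": "10.0.20.0/24",
    "Guest": "172.16.5.0/24",
}


def parse_networks(items: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse 'address/prefix' strings; strict=False tolerates host bits set, as a GUI entry might."""
    return [ipaddress.ip_network(s, strict=False) for s in items]


def find_pool_conflicts(pool: Iterable[str], firebox_networks: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (pool_entry, firebox_network_name, firebox_subnet) for every overlapping pair."""
    conflicts = []
    for pool_net in parse_networks(pool):
        for name, cidr in firebox_networks.items():
            fb_net = ipaddress.ip_network(cidr, strict=False)
            # overlaps() catches full, partial and nested overlaps in either direction
            if pool_net.version == fb_net.version and pool_net.overlaps(fb_net):
                conflicts.append((str(pool_net), name, str(fb_net)))
    return conflicts


def non_private_entries(pool: Iterable[str]) -> List[str]:
    """Return pool entries that are not private ranges (the pool should hold private addresses)."""
    return [str(net) for net in parse_networks(pool) if not net.is_private]


if __name__ == "__main__":
    for pool_net, name, fb_net in find_pool_conflicts(DEFAULT_POOL, SAMPLE_FIREBOX_NETWORKS):
        print(f"conflict: pool {pool_net} overlaps Firebox network '{name}' ({fb_net})")
    for entry in non_private_entries(DEFAULT_POOL):
        print(f"warning: pool entry {entry} is not a private address range")
```

Run it with your own pool entries and network list before you click Add; any line starting with "conflict" means you must change the pool or the Firebox network before deploying.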

Use an Internal DNS Server

By default, Mobile VPN with IKEv2 clients use the DNS server specified on the client. If you configure an internal DNS server for your Firebox at Device Configuration > DNS > Internal DNS, you can select to use it for mobile VPN DNS resolution.

For Fireboxes with Fireware v12.9.2 or higher, the WatchGuard Mobile VPN with IKEv2 client profile includes the domain name suffix you enter in the internal DNS configuration. Clients use the domain name suffix to resolve local host names on your network through the VPN.

The Use Internal DNS setting appears only if your Firebox configuration includes an internal DNS server. For information about how to add an internal DNS server to the Firebox configuration, see Configure Firebox DNS Settings.

To configure mobile VPN connections to use an internal DNS server:

  1. Select the Use Internal DNS check box.

Screen shot of the Use Internal DNS setting in the Mobile VPN configuration

  2. From the Internal DNS Server drop-down list, select the IP address of an internal DNS server.

Next Steps

After you finish the Mobile VPN with IKEv2 configuration, click the Download tab and download the Mobile VPN with IKEv2 client profile, which contains information and setup files for IKEv2 VPN clients. For more information, see Download the Mobile VPN with IKEv2 Client Profile.

Related Topics

Add a Cloud-Managed Firebox to WatchGuard Cloud

Manage Device Configuration Deployment