About Mobile VPN for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

Mobile Virtual Private Networking (Mobile VPN) creates a secure connection between a remote computer and network resources behind the Firebox.

This topic explains:

Mobile VPN Types

Cloud-managed Fireboxes support two Mobile VPN types:

Mobile VPN with IKEv2

Mobile VPN with IKEv2 provides the best security, performance, and ease of deployment. This VPN type uses IPSec for strong encryption and authentication. Users connect with native Windows, macOS, or iOS VPN clients, or with the strongSwan app for Android.

To authenticate users, you can configure local authentication on the Firebox (Firebox-DB), RADIUS, or AuthPoint. If your users authenticate with Active Directory, we recommend that you configure RADIUS authentication so that Mobile VPN with IKEv2 can pass Active Directory credentials through.

To authenticate the VPN server, IKEv2 VPN clients use the certificate that you select in Mobile VPN with IKEv2 configuration. You can use the default certificate signed by the Firebox or a third-party certificate.

We recommend Mobile VPN with IKEv2 in most cases.

Mobile VPN with SSL

Mobile VPN with SSL provides good security and performance, and uses a default port (TCP 443) that is usually open on most networks. Mobile VPN with SSL uses Transport Layer Security (TLS) to secure the connection. Windows and macOS users can download a client from software.watchguard.com, or from the Firebox, in which case the client automatically receives its configuration. Administrators can download a client from WatchGuard Cloud. Android and iOS users can download an OpenVPN client from an app store.

To authenticate users, you can configure local authentication on the Firebox (Firebox-DB), Active Directory, RADIUS, and AuthPoint.

We recommend Mobile VPN with SSL when remote networks do not allow IKEv2 IPSec traffic.

Your Firebox can support Mobile VPN with IKEv2 and Mobile VPN with SSL simultaneously.

Mobile VPN Clients

For information about which operating systems are compatible with Mobile VPN with SSL, see the Operating System Compatibility list in the Fireware Release Notes. For information about changes to the WatchGuard Mobile VPN with SSL client, see the Enhancements and Resolved Issues section in the Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page.

You can configure a client computer to use more than one mobile VPN type.

Mobile VPN Certificates

In the Mobile VPN with IKEv2 configuration, you must select a certificate for VPN server authentication. You can select the default Firebox certificate or a third-party certificate.

For more information, see Mobile VPN and Certificates and Manage Certificates.
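A pre-flight check for the certificate choice described above, added here as an example; it is not WatchGuard's code. It fetches the certificate a Firebox presents on the Mobile VPN with SSL port (assumed to be TCP 443, the default named earlier), validates the chain against the trust store your clients will have, and reports whether the certificate is self-signed, whether a subject name matches the host name clients connect to, and how soon it expires. The host name vpn.example.com, the constructed sample certificate and the optional CA file are assumptions.

```python
"""Pre-flight check of the certificate a Firebox VPN endpoint presents.
Added example, not WatchGuard code. Assumes Mobile VPN with SSL listens on
TCP 443 (the page's default) and clients connect by the name vpn_hostname."""
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host, port=443, cafile=None):
    """Return the server cert as the dict ssl.getpeercert() yields; the chain
    is validated against the system store or, if cafile is given, only that
    file (e.g. the Firebox CA exported when the default certificate is used).
    Name and expiry checks are done separately in assess_cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # matching is reported, not enforced, below
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Common names plus DNS SANs, the names a VPN client will compare."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns + [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # single-label wildcard only
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def assess_cert(cert, vpn_hostname, now=None, min_days=30):
    """Return findings; an empty list means the cert is ready for rollout."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed: clients must be given this certificate to trust")
    if not any(name_matches(n, vpn_hostname) for n in cert_names(cert)):
        findings.append(f"no subject name matches {vpn_hostname}")
    expiry = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    days_left = (expiry.replace(tzinfo=timezone.utc) - now).days
    if days_left < min_days:
        findings.append(f"expires in {days_left} days" if days_left >= 0 else "expired")
    return findings


# Constructed sample in getpeercert() shape: a self-signed, default-style cert.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "firebox.example.internal"),),),
    "issuer": ((("commonName", "firebox.example.internal"),),),
    "notAfter": "Jan 15 12:00:00 2032 GMT"}
```

Run `assess_cert(fetch_peer_cert("vpn.example.com"), "vpn.example.com")` against a live Firebox; an empty result means clients will accept the certificate without extra trust configuration.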

Mobile VPN Authentication

In the Mobile VPN with IKEv2 configuration, you must select one or more authentication domains for Mobile VPN users. You can select any authentication domain configured in the Firebox authentication settings.

For more information, see Authentication Methods for Mobile VPN.

Mobile VPN Policies

When you configure Mobile VPN with IKEv2 or Mobile VPN with SSL, the Firebox automatically creates a system policy to allow VPN traffic from external networks to the Firebox. You can add other policies that apply to mobile VPN users.

For more information, see Mobile VPN and Firewall Policies.

Configure Mobile VPN

To configure Mobile VPN with IKEv2, see:

To configure Mobile VPN with SSL, see:

Monitor Mobile VPN

For cloud-managed Fireboxes, and for locally managed Fireboxes with cloud reporting enabled, you can view live status information for Mobile VPN with IKEv2 and Mobile VPN with SSL.

For more information, see Monitor VPNs on Fireboxes and FireClusters.

Related Topics

Add a Cloud-Managed Firebox to WatchGuard Cloud

Manage Device Configuration Deployment