Define Advanced Phase 1 Settings

You can define the advanced Phase 1 settings for your Mobile VPN user profile.

Phase 1 Options

SA Life

Select an SA (security association) lifetime duration and select Hour or Minute in the drop-down list. When the SA expires, a new Phase 1 negotiation starts. A shorter SA life is more secure, but the SA negotiation can cause existing connections to fail.

Key Group

Select a Diffie-Hellman group supported by the IPSec VPN client you use.

  • The WatchGuard IPSec Mobile VPN client supports groups 1, 2, 5, and 14.
  • The native IPSec VPN client on macOS and iOS devices supports groups 2 and 14 for connections to a Firebox.
  • The native Android IPSec VPN client uses group 2 by default.

Diffie-Hellman groups determine the strength of the master key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key.

NAT Traversal

Select this check box to build a Mobile VPN tunnel between the Firebox and a VPN client that is behind a NAT device. NAT Traversal, or UDP Encapsulation, allows traffic to route to the correct destinations. NAT Traversal is enabled by default. Disable it only if you do not need to build tunnels between the Firebox and VPN clients behind a NAT device.

IKE Keep-alive

Select this check box only if this group connects to an older Firebox that does not support Dead Peer Detection. Fireboxes with Fireware v9.x or lower, Edge devices with v8.x or lower, and all versions of WFS do not support Dead Peer Detection. For these devices, select this check box to enable the Firebox to send messages to its IKE peer to keep the VPN tunnel open. Do not select both IKE Keep-alive and Dead Peer Detection.

Message interval

Select the number of seconds for the IKE keep-alive message interval.

Max failures

Set the maximum number of times the Firebox waits for a response to the IKE keep-alive messages before it terminates the VPN connection and starts a new Phase 1 negotiation.

Dead Peer Detection

Select this check box to enable Dead Peer Detection (DPD). Both endpoints must support DPD. All Firebox or XTM devices with Fireware v10.x or higher and Edge v10.x or higher support DPD. Do not select both IKE Keep-alive and Dead Peer Detection.

DPD is based on RFC 3706 and uses IPSec traffic patterns to determine whether a connection is available before a packet is sent. When you select DPD, a message is sent to the peer when no traffic has been received from the peer within the selected time period. If DPD determines a peer is unavailable, additional connection attempts are not made.

Traffic idle timeout

Set the number of seconds the Firebox waits before it checks to see if the other device is active.

Max retries

Set the maximum number of times the Firebox tries to connect before it determines the peer is unavailable, terminates the VPN connection, and starts a new Phase 1 negotiation.
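The IKE Keep-alive settings (Message interval, Max failures) and the Dead Peer Detection settings (Traffic idle timeout, Max retries) above decide how long a dead peer can hold a tunnel open before the Firebox gives up and starts a new Phase 1 negotiation. The following simulation is an added example, not WatchGuard code: it models both mechanisms over a constructed traffic trace so you can compare when each one declares the peer unavailable. The retry_interval parameter for DPD is an assumption (the page exposes no retry spacing), and the peer behaviour (answers every message sent before peer_alive_until, ignores the rest) is constructed for the example.

```python
"""Added model of IKE Keep-alive versus Dead Peer Detection (not WatchGuard code).

All timestamps are simulated seconds since the tunnel came up; the peer and the
traffic trace are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LivenessOutcome:
    """What a liveness mechanism concluded over the simulated window."""
    probes_sent: int                                  # keep-alive or DPD messages sent
    declared_dead_at: Optional[float]                 # second the peer was declared unavailable, or None
    probe_times: List[float] = field(default_factory=list)


def run_keepalive(peer_alive_until: float, message_interval: float,
                  max_failures: int, horizon: float) -> LivenessOutcome:
    """IKE Keep-alive: a message every message_interval seconds, whether or not traffic flows.

    The constructed peer answers any message sent before peer_alive_until and ignores the
    rest. After max_failures consecutive unanswered messages the Firebox gives up.
    """
    outcome = LivenessOutcome(probes_sent=0, declared_dead_at=None)
    consecutive_failures = 0
    t = message_interval
    while t <= horizon:
        outcome.probes_sent += 1
        outcome.probe_times.append(t)
        if t < peer_alive_until:
            consecutive_failures = 0                  # answered: the failure count resets
        else:
            consecutive_failures += 1
            if consecutive_failures >= max_failures:
                outcome.declared_dead_at = t          # would trigger a new Phase 1 negotiation
                break
        t += message_interval
    return outcome


def run_dpd(peer_alive_until: float, peer_traffic: List[float], idle_timeout: float,
            max_retries: int, retry_interval: float, horizon: float) -> LivenessOutcome:
    """Dead Peer Detection (RFC 3706 style): probe only after the link has gone silent.

    peer_traffic lists the seconds at which IPSec traffic arrived from the peer. A probe
    is sent once idle_timeout seconds pass with nothing received; an answered probe counts
    as received traffic. Unanswered probes repeat every retry_interval seconds (assumption),
    and after max_retries unanswered probes the peer is declared unavailable.
    """
    outcome = LivenessOutcome(probes_sent=0, declared_dead_at=None)
    traffic = sorted(x for x in peer_traffic if x < peer_alive_until)   # a dead peer sends nothing
    last_rx = 0.0                                     # tunnel established at t = 0
    unanswered = 0
    i = 0
    next_probe = last_rx + idle_timeout
    while next_probe <= horizon:
        # traffic that arrives before a probe is due keeps pushing the idle timer forward
        while i < len(traffic) and traffic[i] < next_probe:
            last_rx = traffic[i]
            i += 1
            unanswered = 0
            next_probe = last_rx + idle_timeout
        if next_probe > horizon:
            break
        outcome.probes_sent += 1
        outcome.probe_times.append(next_probe)
        if next_probe < peer_alive_until:
            last_rx = next_probe                      # reply received, modelled as instantaneous
            unanswered = 0
            next_probe = last_rx + idle_timeout
        else:
            unanswered += 1
            if unanswered >= max_retries:
                outcome.declared_dead_at = next_probe
                break
            next_probe += retry_interval
    return outcome


def dpd_worst_case_delay(idle_timeout: float, max_retries: int, retry_interval: float) -> float:
    """Seconds from the last packet the peer sent to the moment DPD declares it unavailable."""
    return idle_timeout + (max_retries - 1) * retry_interval


if __name__ == "__main__":
    # Constructed scenario: the peer sends traffic until it silently dies at t = 40.
    trace = [5, 12, 18, 25, 33]
    ka = run_keepalive(peer_alive_until=40, message_interval=10, max_failures=3, horizon=200)
    dpd = run_dpd(peer_alive_until=40, peer_traffic=trace, idle_timeout=20,
                  max_retries=3, retry_interval=5, horizon=200)
    print(f"keep-alive: {ka.probes_sent} messages, peer declared dead at t={ka.declared_dead_at}")
    print(f"DPD:        {dpd.probes_sent} probes at {dpd.probe_times}, dead at t={dpd.declared_dead_at}")
    print(f"DPD worst-case delay after last traffic: {dpd_worst_case_delay(20, 3, 5)} s")
```

In the constructed scenario the keep-alive sends six messages and declares the peer dead at t=60, while DPD sends only three probes (at t=53, 58, 63) because it stays quiet while real traffic is flowing. That is the trade-off the two settings pairs express: a short Message interval or Traffic idle timeout detects a dead peer sooner at the cost of more IKE messages, and a higher Max failures or Max retries tolerates packet loss but lengthens the window in which a tunnel to a dead peer stays up.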

See Also

Mobile VPN with IPSec

Define Advanced Phase 2 Settings

Troubleshoot Mobile VPN with IPSec