About Mobile VPN with IPSec on the Firebox
When you configure Mobile VPN with IPSec for a user group, an Any policy is automatically added to the Mobile VPN with IPSec Policies list to allow all traffic to pass to and from the authenticated Mobile VPN users in the group and your private networks. To restrict Mobile VPN client access, delete the Any policy and add other Mobile VPN policies that allow access to specific resources.
To make a Mobile VPN with IPSec connection, a mobile user must be a member of a Mobile VPN group and must have a Mobile VPN end-user profile for that group. After you configure Mobile VPN with IPSec for a group, you can generate the end-user profile that you distribute to mobile users.
The WatchGuard Mobile VPN with IPSec client can have multiple profiles. For example, if you plan to migrate mobile VPN users to a different authentication method, you can configure the WatchGuard Mobile VPN with IPSec client with two different profiles so users can authenticate with either authentication method during the transition.
For information about how to configure the Mobile VPN profile for a group of users, see Configure the Firebox for Mobile VPN with IPSec.
For information about how to generate the end-user profile from Fireware Web UI, see Generate Mobile VPN with IPSec Configuration Files.
If you use Policy Manager to configure Mobile VPN with IPSec, Policy Manager automatically generates and saves an end-user profile on the management computer. The user must have this end-user profile file to configure the Mobile VPN client. If you use a certificate for authentication, .p12 and cacert.pem files are automatically generated and saved in the same location as the end-user profile.
You can configure Mobile VPN with IPSec from Fireware Web UI, but if you use a certificate for authentication, you must use Policy Manager to generate the .p12 and cacert.pem files. These files are located in the same directory as the end-user profile generated by Policy Manager.
We recommend Mobile VPN with IKEv2 as an alternative to Mobile VPN with IPSec. The IKEv1 Aggressive Mode vulnerability described in CVE-2002-1623 affects Mobile VPN with IPSec. This vulnerability does not affect Mobile VPN with IKEv2 or L2TP. If you configure Mobile VPN with IPSec, we recommend that you configure a certificate instead of a pre-shared key if you have a WSM Management Server. If you do not have a Management Server, we recommend that you specify a strong pre-shared key and change it on a regular basis. We also recommend that you specify a strong hashing algorithm such as SHA-256.
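As an added example (not WatchGuard's code), the following Python classifies IKE exchanges from captured UDP 500/4500 payloads so an administrator can find clients that still negotiate IKEv1 Aggressive Mode rather than Main Mode or IKEv2 while migrating profiles. The sample capture at the end is constructed header-only data; the header layout itself follows the public ISAKMP/IKEv2 specifications.

```python
# Added example, not WatchGuard code: parse the fixed ISAKMP/IKE header
# (RFC 2408 / RFC 7296) from UDP 500/4500 payloads to find clients that
# still negotiate IKEv1 Aggressive Mode (the exchange affected by
# CVE-2002-1623) rather than Main Mode or IKEv2 during a migration.
import struct

# 28-byte big-endian header: initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, total length.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_NAMES = {  # keyed by (major version, exchange type)
    (1, 2): "IKEv1 Main Mode", (1, 4): "IKEv1 Aggressive Mode",
    (1, 32): "IKEv1 Quick Mode", (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
}

def parse_ike_header(payload: bytes) -> dict:
    """Classify one UDP payload from port 500 or 4500."""
    # NAT-T (port 4500) prefixes a 4-byte zero non-ESP marker; the initiator
    # SPI is random and non-zero, so a leading zero word marks NAT-T.
    if payload[:4] == b"\x00\x00\x00\x00":
        payload = payload[4:]
    if len(payload) < ISAKMP_HEADER.size:
        raise ValueError("payload shorter than an ISAKMP header")
    i_spi, _, _, version, xchg, _, _, length = ISAKMP_HEADER.unpack_from(payload)
    major = version >> 4  # high nibble: 1 for IKEv1, 2 for IKEv2
    return {
        "initiator_spi": i_spi.hex(),
        "ike_version": major,
        "exchange": EXCHANGE_NAMES.get((major, xchg), f"unknown({xchg})"),
        "aggressive_mode": major == 1 and xchg == 4,
        "declared_length": length,
    }

def aggressive_mode_spis(payloads) -> list:
    """Initiator SPIs of every IKEv1 Aggressive Mode exchange in a capture."""
    return [h["initiator_spi"] for h in map(parse_ike_header, payloads)
            if h["aggressive_mode"]]

def _sample(major: int, xchg: int, spi: bytes, nat_t: bool = False) -> bytes:
    """Constructed header-only packet for the sample capture below."""
    hdr = ISAKMP_HEADER.pack(spi, b"\x00" * 8, 0, major << 4, xchg, 0, 0, 28)
    return (b"\x00" * 4 + hdr) if nat_t else hdr

# Constructed capture: one Aggressive Mode, one Main Mode, one IKEv2 over NAT-T.
SAMPLE_CAPTURE = [
    _sample(1, 4, b"\x11" * 8),
    _sample(1, 2, b"\x22" * 8),
    _sample(2, 34, b"\x33" * 8, nat_t=True),
]
```

Run `aggressive_mode_spis` over the UDP payloads of a capture taken on the external interface; any SPI it returns belongs to a client that still needs an IKEv2 or certificate-based profile.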
Mobile VPN with IPSec Client
After you configure Mobile VPN with IPSec on the Firebox, you must:
- Install a supported VPN client on each client computer
- Import the end-user profile
When the VPN client is correctly configured, the user starts the Mobile VPN connection. If the credentials the user specifies are found in the authentication server database, and if the user is included in the Mobile VPN group you created, the Firebox starts the Mobile VPN session.
You can install the WatchGuard IPSec client on supported operating systems, or you can configure the native IPSec client on supported operating systems.
For compatibility information, see the Operating System Compatibility Matrix in the Fireware Release Notes.
Installation and Configuration
For information about how to install the WatchGuard IPSec VPN client and import the end-user profile, see Install the IPSec Mobile VPN Client Software.
For information about how to configure the native macOS or iOS IPSec VPN client, see Use the macOS or iOS Native IPSec VPN Client.
For information about how to configure the native IPSec VPN client on Android devices, see Use Mobile VPN with IPSec with an Android Device.