When you configure each type of mobile VPN on the XTM device, you define a pool of virtual IP addresses. The XTM device assigns an IP address from the virtual IP address pool to each Mobile VPN user, until all of the addresses are in use. When a user closes a VPN session, the IP address used by that session becomes available again.
If you configure Mobile VPN with SSL to bridge to a local network, the virtual IP addresses must be on the same subnet as the interface you want to bridge to. For all other Mobile VPN types, it is not necessary for the virtual IP addresses to be on the same subnet as the trusted network. For all types of Mobile VPNs, the IP addresses in the virtual IP address pool cannot be used for anything else on your network.
If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user, and you must make sure the virtual IP address pool is not on the same subnet as a primary cluster IP address.
To enable the maximum number of VPN connections, make sure that the virtual IP address pool contains the same number of IP addresses as the maximum number of VPN connections your XTM device supports. The maximum number of supported VPN connections is different for each type of VPN and for each XTM device model.
For more information about VPN tunnel licensing, see VPN Tunnel Capacity and Licensing.
If the virtual IP address pool in the mobile VPN configuration contains fewer IP addresses than the maximum number of mobile VPN connections supported by the device, the maximum number of VPN connections is limited by the number of IP addresses in the virtual IP address pool.
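The pool rules above can be checked before a configuration is deployed. The following Python sketch is an added example, not WatchGuard code: the function names, address ranges and connection limits are constructed for illustration, and the pool is assumed to be given as an inclusive start-end range.

```python
import ipaddress as ip

def pool_addresses(start, end):
    """Expand an inclusive start-end range into a list of addresses."""
    first, last = ip.ip_address(start), ip.ip_address(end)
    if int(last) < int(first):
        raise ValueError("pool end is below pool start")
    return [ip.ip_address(n) for n in range(int(first), int(last) + 1)]

def check_pool(start, end, max_connections, *, ssl_bridge_net=None,
               reserved=(), firecluster=False, cluster_primary_net=None):
    """Return (effective_max_users, findings) for one Mobile VPN pool."""
    pool = pool_addresses(start, end)
    findings = []
    # Rule: pool addresses cannot be used for anything else on the network.
    reserved_nets = [ip.ip_network(r, strict=False) for r in reserved]
    clash = [a for a in pool if any(a in n for n in reserved_nets)]
    if clash:
        findings.append(f"{len(clash)} pool address(es) already in use, first: {clash[0]}")
    # Rule: SSL bridge mode needs the pool on the bridged interface's subnet.
    if ssl_bridge_net:
        net = ip.ip_network(ssl_bridge_net, strict=False)
        if not all(a in net for a in pool):
            findings.append(f"pool is not entirely inside bridged subnet {net}")
    # Rule: with FireCluster, stay off the primary cluster IP's subnet.
    if firecluster and cluster_primary_net:
        net = ip.ip_network(cluster_primary_net, strict=False)
        if any(a in net for a in pool):
            findings.append(f"pool overlaps primary cluster subnet {net}")
    # Rule: FireCluster needs two virtual IPs per user; pool size caps sessions.
    per_user = 2 if firecluster else 1
    effective = min(len(pool) // per_user, max_connections)
    if effective < max_connections:
        findings.append(f"pool supports {effective} users, device allows {max_connections}")
    return effective, findings

if __name__ == "__main__":
    # Constructed sample: 50-address pool, FireCluster on, device limit of 50.
    users, issues = check_pool("192.168.113.10", "192.168.113.59", 50,
                               firecluster=True, cluster_primary_net="10.0.1.1/24")
    print(users, issues)
```

Pass the real connection limit for the VPN type and device model as `max_connections`; the value 50 here is a placeholder.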