Use Mobile VPN with IPSec with an Android Device

There are two VPN clients that you can use to make Mobile VPN with IPSec connections from an Android device to an XTM device.

Android native VPN client

Mobile devices that run Android version 4.x and later include a VPN client. You can use the Android VPN client to make an IPSec VPN connection to a WatchGuard XTM device that runs Fireware XTM v11.5.1 or later. To do this, you must configure the VPN settings on your XTM device to match those on the Android device. Then, manually configure the VPN client settings on the Android device to match the settings on the XTM device. We recommend you use Android version 4.0.4 or later for IPSec VPN connections to a WatchGuard XTM device.

WatchGuard Mobile VPN app for Android

The WatchGuard Mobile VPN app for Android is a VPN app that you can use to import a Mobile VPN with IPSec profile and then use those settings to connect to your network. You can use the WatchGuard Android VPN client to make an IPSec VPN connection to a WatchGuard XTM device that runs Fireware XTM v11.7 or later. The WatchGuard Mobile VPN app is supported on Android 4.0.x or 4.1.x.

For more information, see About the WatchGuard Mobile VPN App.

WatchGuard has tested the IPSec VPN configuration described here on these Android devices:

You can use the same Mobile VPN with IPSec settings for VPN connections from the native Android VPN client and for the WatchGuard Mobile VPN app for Android. You can use the same generated profile for VPN connections from Mac OS X or iOS devices.

For information about how to configure the VPN client on an iOS device, see Use the Mac OS X or iOS Native IPSec VPN Client.

In the Mobile VPN with IPSec settings on the XTM device, do not use SHA2 in the Phase 1 and Phase 2 settings. SHA2 is not supported on the VPN clients on Android devices.

You cannot use a certificate for VPN tunnel authentication between the native VPN client and an XTM device. This does not work because the VPN client uses main mode, and the XTM device uses aggressive mode for Phase 1 VPN negotiations.

Configure the XTM Device

You use the same Mobile VPN with IPSec configuration settings for the native Android VPN client and for the WatchGuard Mobile VPN app for Android.

Use these steps to configure the required settings:

  1. Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  2. Click Add.
    The Mobile VPN with IPSec Settings page appears.

Screen shot of the Mobile VPN with IPSec Settings, General tab

  3. In the Group name text box, type the name of the authentication group your Android VPN users belong to.

You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

  4. From the Authentication Server drop-down list, select an authentication server.

Make sure that this method of authentication is enabled.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec.
For more information, see Configure the External Authentication Server.

  5. Type and confirm the Passphrase to use for this tunnel.
  6. In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
  7. Select the IPSec Tunnel tab.
    The IPSec Tunnel settings appear.

Screen shot of the Mobile VPN with IPSec Settings - IPSec Tunnel tab

  8. Select Use the passphrase of the end user profile as the pre-shared key.
    This is the default setting.
  9. From the Authentication drop-down list, select either SHA-1 or MD5.
  10. From the Encryption drop-down list, select one of these options:
  11. In the Phase 1 Settings section, click Advanced.
    The Phase 1 Advanced Settings dialog box appears.

Screen shot of the Mobile VPN with IPSec Settings

  12. Set the SA Life to 1 hour.

The Android VPN client is configured to rekey after 1 hour. If this profile is only used for connections by the Android VPN, set the SA Life to 1 hour to match the client setting.

If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard XTM IPSec Mobile VPN clients rekey after 8 hours, but the Android VPN client uses the smaller rekey value of 1 hour.

  13. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  14. Do not change any of the other Phase 1 advanced settings.
  15. Click Return to General Settings.
  16. In the Phase 2 Settings section, clear the PFS check box.

Screen shot of the Phase 2 Settings PFS check box

  17. In the Phase 2 Settings section, click Advanced.
    The Phase 2 Advanced Settings dialog box appears.

  18. From the Authentication drop-down list, select SHA1 or MD5.
    Do not select a SHA2 authentication method for a Mobile VPN with IPSec profile you want to use with the WatchGuard Mobile VPN app.
  19. From the Encryption drop-down list, select 3DES, AES (128-bit), or AES (256-bit).
  20. In the Force Key Expiration settings, set the expiration Time to 1 hour and clear the Traffic check box.
  21. Click OK.
  22. Select the Resources tab.
  23. Select the Allow All Traffic Through Tunnel check box.
    This configures the tunnel for default-route VPN. The Android VPN client does not support split tunneling.
  24. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
    To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. The virtual IP addresses do not have to be on the same subnet as the trusted network.

The IP addresses in the virtual IP address pool cannot be used for anything else on your network.

  25. Click Save.

To authenticate from the Android VPN client, Android VPN users must be members of the authentication group you specified in the Add Mobile VPN with IPSec Wizard.
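As an added example (not WatchGuard's code), the following Python script checks a Mobile VPN with IPSec profile, written out as a dict with assumed field names and assumed hash/cipher labels, against the Android-compatible settings in the procedure above, and reports every setting that conflicts with it, including a virtual IP pool that is too small or reused elsewhere:

```python
import copy
import ipaddress

ANDROID_HASHES = {"SHA1", "MD5"}                 # SHA2 is unsupported on the Android clients
ANDROID_CIPHERS = {"3DES", "AES128", "AES256"}   # Phase 2 options listed in the procedure

def check_android_profile(profile, user_count, in_use_networks=()):
    """Return findings that conflict with the Android procedure; [] means the profile matches."""
    findings = []
    p1, p2 = profile["phase1"], profile["phase2"]
    if p1["auth"] not in ANDROID_HASHES:
        findings.append("Phase 1 authentication must be SHA-1 or MD5")
    if p1["key_group"] != 2:
        findings.append("Phase 1 Key Group must be Diffie-Hellman Group 2")
    if p1["sa_life_hours"] not in (1, 8):
        findings.append("Phase 1 SA Life: 1 hour (Android only) or 8 hours (all clients)")
    if p2["pfs"]:
        findings.append("Phase 2 PFS check box must be cleared")
    if p2["auth"] not in ANDROID_HASHES:
        findings.append("Phase 2 authentication must be SHA1 or MD5")
    if p2["encryption"] not in ANDROID_CIPHERS:
        findings.append("Phase 2 encryption must be 3DES, AES (128-bit) or AES (256-bit)")
    if p2["key_expiration_hours"] != 1 or p2["key_expiration_traffic"]:
        findings.append("Force Key Expiration: Time 1 hour, Traffic check box cleared")
    if not profile["allow_all_traffic"]:
        findings.append("Allow All Traffic Through Tunnel required: Android has no split tunneling")
    pool = [ipaddress.ip_network(n, strict=False) for n in profile["virtual_ip_pool"]]
    total = sum(n.num_addresses for n in pool)   # one pool address per Mobile VPN user
    if total < user_count:
        findings.append(f"virtual IP pool holds {total} addresses for {user_count} users")
    for used in map(ipaddress.ip_network, in_use_networks):   # pool must not be reused elsewhere
        for n in pool:
            if n.overlaps(used):
                findings.append(f"pool {n} overlaps {used}, which is already in use")
    return findings

# Constructed sample profiles: COMPLIANT follows the procedure; NONCOMPLIANT enables SHA2 and PFS.
COMPLIANT = {
    "phase1": {"auth": "SHA1", "key_group": 2, "sa_life_hours": 1},
    "phase2": {"auth": "SHA1", "encryption": "AES256", "pfs": False,
               "key_expiration_hours": 1, "key_expiration_traffic": False},
    "allow_all_traffic": True, "virtual_ip_pool": ["192.0.2.0/26"],
}
NONCOMPLIANT = copy.deepcopy(COMPLIANT)
NONCOMPLIANT["phase1"]["auth"] = "SHA2-256"
NONCOMPLIANT["phase2"]["pfs"] = True
NONCOMPLIANT["virtual_ip_pool"] = ["10.0.1.0/28"]   # too small for 50 users, overlaps the LAN below

if __name__ == "__main__":
    print(check_android_profile(NONCOMPLIANT, 50, ["10.0.1.0/24"]))
```

The `in_use_networks` argument is a constructed list of subnets already used on your network; the overlap check implements the rule that pool addresses cannot be used for anything else.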

Configure the WatchGuard Mobile VPN App

If your mobile users use the WatchGuard Mobile VPN app for Android, you can generate a VPN profile and send it to the Mobile VPN user. This configures the WatchGuard Mobile VPN app to connect with Mobile VPN with IPSec.

To configure the WatchGuard Mobile VPN app for Android:

  1. Generate the .wgm profile for the Mobile VPN with IPSec group.

For instructions, see Generate Mobile VPN with IPSec Configuration Files.

  2. Send the .wgm profile to the mobile users as an email attachment.
  3. Use a secure method to give the passphrase to the mobile users.
  4. On the Android device, install the free WatchGuard Mobile VPN app from the Google Play app store.
  5. In the email client on the Android device, open the email that contains the .wgm file attachment.
  6. Open the .wgm file attachment.
    The WatchGuard Mobile VPN app launches.
  7. Type the passphrase received from the administrator to decrypt the file.
    The WatchGuard Mobile VPN app imports the configuration and creates a VPN connection profile.
  8. Click the VPN connection profile in the WatchGuard Mobile VPN app to start the VPN connection.

Configure the Native Android 4.x VPN Client

You can also use the native Android VPN client to connect. To use the native Android VPN client, the user must manually configure the VPN client settings to match the settings configured on the XTM device.

To manually configure the native VPN client on the Android device:

  1. On the Settings page, in the Wireless & Networks section, select More > VPN.

  2. Click Add VPN Network.
    The Edit VPN network page appears.

  3. Configure these settings:
  4. Save the connection.
  5. Open the connection and type the Username and Password for a user in the specified authentication group.

Screen shot of the Android VPN client Connect page

  6. Click Connect.

To verify your connection was successful and that the VPN tunnel is active, browse to a web site that shows your IP address, such as www.whatismyip.com. If your Android device is connected through the VPN, your IP address is the external IP address of the XTM device.

See Also

About Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Define Advanced Phase 2 Settings
