There are two VPN clients that you can use to make Mobile VPN with IPSec connections from an Android device to an XTM device.
Android native VPN client
Mobile devices that run Android version 4.x and later include a VPN client. You can use the Android VPN client to make an IPSec VPN connection to a WatchGuard XTM device that runs Fireware XTM v11.5.1 or later. To do this, you must configure the VPN settings on your XTM device to match those on the Android device. Then, manually configure the VPN client settings on the Android device to match the settings on the XTM device. We recommend you use Android version 4.0.4 or later for IPSec VPN connections to a WatchGuard XTM device.
WatchGuard Mobile VPN app for Android
The WatchGuard Mobile VPN app for Android is a VPN app that you can use to import a Mobile VPN with IPSec profile and then use those settings to connect to your network. You can use the WatchGuard Android VPN client to make an IPSec VPN connection to a WatchGuard XTM device that runs Fireware XTM v11.7 or later. The WatchGuard Mobile VPN app is supported on Android 4.0.x or 4.1.x.
For more information, see About the WatchGuard Mobile VPN App.
WatchGuard has tested the IPSec VPN configuration described here on these Android devices:
You can use the same Mobile VPN with IPSec settings for VPN connections from the native Android VPN client and for the WatchGuard Mobile VPN app for Android. You can also use the same generated profile for VPN connections from Mac OS X or iOS devices.
For information about how to configure the VPN client on an iOS device, see Use the Mac OS X or iOS Native IPSec VPN Client.
In the Mobile VPN with IPSec settings on the XTM device, do not use SHA2 in the Phase 1 and Phase 2 settings. SHA2 is not supported on the VPN clients on Android devices.
You cannot use a certificate for VPN tunnel authentication between the native VPN client and an XTM device. This does not work because the VPN client uses main mode, and the XTM device uses aggressive mode for Phase 1 VPN negotiations.
You use the same Mobile VPN with IPSec configuration settings for the native Android VPN client and for the WatchGuard Mobile VPN app for Android.
Use these steps to configure the required settings:
You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.
Make sure that this method of authentication is enabled.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec.
For more information, see Configure the External Authentication Server.
The Android VPN client is configured to rekey after 1 hour. If this profile is only used for connections by the Android VPN, set the SA Life to 1 hour to match the client setting.
If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard XTM IPSec Mobile VPN clients rekey after 8 hours, but the Android VPN client uses the smaller rekey value of 1 hour.
Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. The virtual IP addresses do not have to be on the same subnet as the trusted network.
The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
To authenticate from the Android VPN client, Android VPN users must be members of the authentication group you specified in the Add Mobile VPN with IPSec Wizard.
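The constraints above (no SHA2 in Phase 1 or Phase 2, no certificate authentication with the native client, SA Life, and virtual IP pool sizing and exclusivity) can be checked against a planned profile before you enter it on the XTM device. This is an added example, not WatchGuard code; the dictionary keys, client names, and addresses are hypothetical and do not represent a WatchGuard file format.

```python
import ipaddress
import re

# Names that denote a SHA2 hash, for example SHA2-256 or SHA256.
SHA2_NAME = re.compile(r"SHA-?2(-?\d{3})?|SHA-?(224|256|384|512)", re.I)

def _span(start, end):
    """Convert an inclusive (start, end) address pair to integers."""
    lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
    if lo > hi:
        raise ValueError(f"range {start}-{end} is reversed")
    return lo, hi

def check_profile(profile, user_count, in_use):
    """Return findings for a planned profile (hypothetical keys)."""
    findings = []
    for key in ("phase1_auth", "phase2_auth"):
        if SHA2_NAME.fullmatch(profile[key]):
            findings.append(f"{key}: SHA2 is not supported on Android VPN clients")
    native = "android-native" in profile["clients"]
    if native and profile["tunnel_auth"] == "certificate":
        findings.append("tunnel_auth: native client cannot use a certificate")
    # Assumption: any client other than the Android VPN client means the 8-hour setting.
    want = 1 if set(profile["clients"]) == {"android-native"} else 8
    if profile["sa_life_hours"] != want:
        findings.append(f"sa_life_hours: expected {want} for this client mix")
    pool = [_span(*r) for r in profile["virtual_ip_pool"]]
    size = sum(hi - lo + 1 for lo, hi in pool)
    if size != user_count:
        findings.append(f"virtual_ip_pool: {size} addresses for {user_count} users")
    for label, start, end in in_use:
        lo, hi = _span(start, end)
        if any(p_lo <= hi and lo <= p_hi for p_lo, p_hi in pool):
            findings.append(f"virtual_ip_pool: overlaps {label}")
    return findings

# Constructed sample input: a mixed-client profile with three problems.
SAMPLE = {
    "clients": ["android-native", "shrew-soft"],
    "phase1_auth": "SHA2-256", "phase2_auth": "SHA1",
    "tunnel_auth": "pre-shared-key", "sa_life_hours": 1,
    "virtual_ip_pool": [("10.0.1.200", "10.0.1.209")],
}
IN_USE = [("trusted DHCP range", "10.0.1.100", "10.0.1.204")]

if __name__ == "__main__":
    for finding in check_profile(SAMPLE, user_count=10, in_use=IN_USE):
        print(finding)
```

The pool check compares address ranges, not subnets, because the virtual IP addresses may share a subnet with the trusted network as long as nothing else uses them.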
If your mobile users use the WatchGuard Mobile VPN app for Android, you can generate a VPN profile and send it to the Mobile VPN user. This configures the WatchGuard Mobile VPN app to connect with Mobile VPN with IPSec.
To configure the WatchGuard Mobile VPN app for Android:
For instructions, see Generate Mobile VPN with IPSec Configuration Files.
You can also use the native Android VPN client to connect. To use the native Android VPN client, the user must manually configure the VPN client settings to match the settings configured on the XTM device.
To manually configure the native VPN client on the Android device:
To verify your connection was successful and that the VPN tunnel is active, browse to a web site that shows your IP address, such as www.whatismyip.com. If your Android device is connected through the VPN, your IP address is the external IP address of the XTM device.
About Mobile VPN with IPSec
Define Advanced Phase 1 Settings
Define Advanced Phase 2 Settings