You can enable Mobile VPN with IPSec for a group of users you have already created, or you can create a new user group. The users in the group can authenticate either to the XTM device or to a third-party authentication server included in your XTM device configuration.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec.
Select the authentication server to use for this Mobile VPN group. You can authenticate users with the internal XTM device database (Firebox-DB) or with a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you choose is enabled.
Type a passphrase to encrypt the Mobile VPN profile (.wgx file) that you distribute to users in this group. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.
Type the passphrase again.
Type the primary external IP address to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.
Type a backup external IP address to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to an XTM device external interface or VLAN.
Select the maximum time in minutes that a Mobile VPN session can be active.
Select the time in minutes before the XTM device closes an idle Mobile VPN session. The session and idle timeout values are the default timeout values if the authentication server does not have its own timeout values. If you use the XTM device as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts for each XTM device user account.
The session and idle timeouts cannot be longer than the value in the SA Life field.
To set this value, in the Mobile VPN with IPSec Settings dialog box, click the IPSec Tunnel tab, and click Advanced for Phase 1 Settings. The default value is 8 hours.
Use the passphrase of the end user profile as the pre-shared key
Select this option to use the passphrase of the end user profile as the pre-shared key for tunnel authentication. You must use the same shared key on the remote device. This shared key can use only standard ASCII characters.
Use a certificate
Select this option to use a certificate for tunnel authentication.
For more information, see Certificates for Mobile VPN With IPSec Tunnel Authentication.
CA IP address
If you use a certificate, type the IP address of the Management Server that has been configured as a certificate authority.
If you use a certificate, type the time in seconds before the Mobile VPN with IPSec client stops an attempt to connect if there is no response from the certificate authority. We recommend you keep the default value.
Phase 1 Settings
Select the authentication and encryption methods for the VPN tunnel. To configure advanced settings, such as NAT Traversal or the key group, click Advanced, and see Define Advanced Phase 1 Settings.
The Encryption options are listed from the simplest and least secure to the most complex and most secure:
AES (128 bit)
AES (192 bit)
AES (256 bit)
Phase 2 Settings
Select PFS (Perfect Forward Secrecy) to enable PFS and set the Diffie-Hellman group.
To change other proposal settings, click Advanced and see Define Advanced Phase 2 Settings.
Allow All Traffic Through Tunnel
To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box.
If you select this check box, the Mobile VPN user Internet traffic is sent through the VPN. This is more secure, but network performance decreases.
If you do not select this check box, Mobile VPN user Internet traffic is sent directly to the Internet. This is less secure, but users can browse the Internet more quickly.
This list includes the network resources that users in the Mobile VPN authentication group can access through the tunnel.
To add an IP address or a network IP address to the network resources list, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To delete the selected IP address or network IP address from the resources list, select a resource and click Remove.
Virtual IP Address Pool
This list includes the internal IP addresses that are used by Mobile VPN users over the tunnel.
To add an IP address or a network IP address to the virtual IP address pool, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.
To remove a host or network IP address from the virtual IP address pool, select it and click Remove.
The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.
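A pre-flight check for the group settings described above (ASCII-only passphrase, session and idle timeouts no longer than the Phase 1 SA Life, and a virtual IP address pool that is reserved for VPN clients), written as an added Python example that is not part of the WatchGuard documentation or product. The dictionary layout, key names and sample values are constructed for this example; the UI enforces these rules itself, so this is only a way to lint a planned configuration before you enter it.

```python
"""Sanity checks for a planned Mobile VPN with IPSec group definition.

Added example, not WatchGuard code. The constraints come from the reference
text: the passphrase may use only standard ASCII characters, the session and
idle timeouts cannot exceed the SA Life (default 8 hours), and addresses in
the virtual IP pool cannot be used for anything else on the network, so the
pool must not overlap the network resources reachable through the tunnel.
The dict keys below are an assumption of this example.
"""
import ipaddress
from typing import List


def is_standard_ascii(s: str) -> bool:
    # "Standard ASCII characters": printable 7-bit range, no control characters
    return len(s) > 0 and all(0x20 <= ord(c) <= 0x7E for c in s)


def check_group(cfg: dict) -> List[str]:
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    pw = cfg.get("passphrase", "")
    if not is_standard_ascii(pw):
        problems.append("passphrase must use only standard ASCII characters")
    if cfg.get("passphrase_confirm") != pw:
        problems.append("passphrase confirmation does not match")

    sa_life_min = cfg.get("sa_life_minutes", 8 * 60)  # default SA Life is 8 hours
    for key in ("session_timeout_minutes", "idle_timeout_minutes"):
        val = cfg.get(key, 0)
        if val < 0 or val > sa_life_min:
            problems.append(f"{key}={val} exceeds the SA Life of {sa_life_min} minutes")

    # Pool entries (Host IPv4 or Network IPv4) must not overlap each other
    # or any network resource that users reach through the tunnel.
    pool = [ipaddress.ip_network(p, strict=False) for p in cfg.get("virtual_ip_pool", [])]
    resources = [ipaddress.ip_network(r, strict=False) for r in cfg.get("network_resources", [])]
    for i, a in enumerate(pool):
        for b in pool[i + 1:]:
            if a.overlaps(b):
                problems.append(f"virtual IP pool entries {a} and {b} overlap")
        for r in resources:
            if a.overlaps(r):
                problems.append(f"virtual IP pool entry {a} overlaps network resource {r}")
    return problems


# Constructed sample with two defects: a non-ASCII passphrase and a pool
# that sits inside one of the network resource subnets.
SAMPLE = {
    "passphrase": "Tunnel Pässword1",
    "passphrase_confirm": "Tunnel Pässword1",
    "session_timeout_minutes": 480,
    "idle_timeout_minutes": 30,
    "virtual_ip_pool": ["10.0.99.0/24"],
    "network_resources": ["10.0.0.0/16", "192.168.5.20/32"],
}
```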
Manual — In this mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. This is the default setting.
To restart the VPN tunnel, you must click the Connect button in Connection Monitor, or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
Automatic — In this mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel becomes unavailable.
Variable — In this mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until you click Connect.
If the Connect Mode is set to Automatic or Variable, the Mobile VPN with IPSec client software does not try to renegotiate the VPN connection until no traffic has come from the network resources available through the tunnel for the length of time you enter for Inactivity timeout.
The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .ini file to configure the client software.
Users who are members of the group you create cannot connect until they import the correct configuration file into their WatchGuard XTM IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users.
To generate the end user profiles for the group you edited:
Fireware XTM Web UI can generate only the .ini, .vpn, and .wgm mobile user configuration files. If you want to generate the .wgx file, you must use Policy Manager.
Generate Mobile VPN with IPSec Configuration Files