Configure the XTM Device for Mobile VPN with IPSec

You can enable Mobile VPN with IPSec for a group of users you have already created, or you can create a new user group. The users in the group can authenticate either to the XTM device or to a third-party authentication server included in your XTM device configuration.

Configure a Mobile VPN with IPSec Group

  1. Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.

Screen shot of the Mobile VPN with IPSec configuration page

  2. Click Add.
    The Mobile User VPN with IPSec Settings page appears.

Screen shot of the Mobile VPN with IPSec Settings page, General tab

  3. In the Name text box, type a name for this Mobile VPN group.
    You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  4. Configure these settings to edit the group profile:

Authentication Server

Select the authentication server to use for this Mobile VPN group. You can authenticate users with the internal XTM device database (Firebox-DB) or with a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you choose is enabled.

Passphrase

Type a passphrase to encrypt the Mobile VPN profile (.wgx file) that you distribute to users in this group. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.

Confirm

Type the passphrase again.

Primary

Type the primary external IP address to which Mobile VPN users in this group can connect. This can be an external IP address, a secondary external IP address, or an external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.

Backup

Type a backup external IP address to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to an XTM device external interface or VLAN.

Session Timeout

Select the maximum time in minutes that a Mobile VPN session can be active.

Idle Timeout

Select the time in minutes before the XTM device closes an idle Mobile VPN session. The session and idle timeout values are the default timeout values if the authentication server does not have its own timeout values. If you use the XTM device as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts for each XTM device user account.

The session and idle timeouts cannot be longer than the value in the SA Life field.
To set this value, in the Mobile VPN with IPSec Settings dialog box, click the IPSec Tunnel tab, and click Advanced for Phase 1 Settings. The default value is 8 hours.

  5. Select the IPSec Tunnel tab.
    The IPSec Tunnel page opens.

Screen shot of the Mobile VPN with IPSec Settings, IPSec Tunnel tab

  6. Configure these settings:

Use the passphrase of the end user profile as the pre-shared key

Select this option to use the passphrase of the end user profile as the pre-shared key for tunnel authentication. You must use the same shared key on the remote device. This shared key can use only standard ASCII characters.

Use a certificate

Select this option to use a certificate for tunnel authentication.
For more information, see Certificates for Mobile VPN With IPSec Tunnel Authentication.

CA IP address

If you use a certificate, type the IP address of the Management Server that has been configured as a certificate authority.

Timeout

If you use a certificate, type the time in seconds before the Mobile VPN with IPSec client stops an attempt to connect if there is no response from the certificate authority. We recommend you keep the default value.

Phase 1 Settings

Select the authentication and encryption methods for the VPN tunnel. To configure advanced settings, such as NAT Traversal or the key group, click Advanced, and see Define Advanced Phase 1 Settings.

The Encryption options are listed from the simplest and least secure to the most complex and most secure:

DES

3DES

AES (128 bit)

AES (192 bit)

AES (256 bit)

Phase 2 Settings

Select PFS (Perfect Forward Secrecy) to enable PFS and set the Diffie-Hellman group.

To change other proposal settings, click Advanced and see Define Advanced Phase 2 Settings.

  7. Select the Resources tab.
    The Resources page appears.

Screen shot of the Mobile VPN with IPSec Settings page, Resources tab

  8. Configure these settings:

Allow All Traffic Through Tunnel

To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box.
If you select this check box, the Mobile VPN user Internet traffic is sent through the VPN. This is more secure, but network performance decreases.
If you do not select this check box, Mobile VPN user Internet traffic is sent directly to the Internet. This is less secure, but users can browse the Internet more quickly.

Allowed Resources

This list includes the resources that users in the Mobile VPN authentication group can get access to on the network.

To add an IP address or a network IP address to the network resources list, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.

To delete the selected IP address or network IP address from the resources list, select a resource and click Remove.

Virtual IP Address Pool

This list includes the internal IP addresses that are used by Mobile VPN users over the tunnel.

To add an IP address or a network IP address to the virtual IP address pool, click Add. Select Host IPv4 or Network IPv4, type the address, and click OK.

To remove it from the virtual IP address pool, select a host or network IP address and click Remove.

The IP addresses in the virtual IP address pool cannot be used for anything else on your network.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

  9. Select the Advanced tab.
    The Advanced page appears.

Screen shot of the Mobile VPN with IPSec Settings, Advanced tab

  10. Configure the Line Management settings:

Connection mode

Manual — In this mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. This is the default setting.

To restart the VPN tunnel, you must click the Connect button in Connection Monitor, or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.

Automatic — In this mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel becomes unavailable.

Variable — In this mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until you click Connect.

Inactivity timeout

If the Connect Mode is set to Automatic or Variable, the Mobile VPN with IPSec client software does not try to renegotiate the VPN connection until there has not been traffic from the network resources available through the tunnel for the length of time you enter for Inactivity timeout.

The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .ini file to configure the client software.

  11. Click Save.
    The Mobile VPN with IPSec page opens and the new IPSec group appears in the Groups list.
  12. Click Save.
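The constraints this procedure states (a group name unique among VPN group, interface and tunnel names; an ASCII-only passphrase; session and idle timeouts no longer than the SA Life; primary and backup addresses on an external interface or VLAN; a virtual IP pool used for nothing else) can be checked before a profile is saved. The following Python validator is an added example, not WatchGuard code; the profile dictionary layout, the helper names and all addresses are assumptions.

```python
import ipaddress

# Default Phase 1 SA Life from the page: 8 hours, expressed in minutes.
SA_LIFE_DEFAULT_MINUTES = 8 * 60


def _nets(addresses):
    # Hosts ("10.0.1.5") and networks ("10.0.1.0/24") both become network objects.
    return [ipaddress.ip_network(a, strict=False) for a in addresses]


def validate_group(profile, existing_names, external_ips, in_use_networks,
                   sa_life_minutes=SA_LIFE_DEFAULT_MINUTES):
    """Return a list of problems with a Mobile VPN with IPSec group profile (empty means it passes)."""
    problems = []
    # General tab: the group name must be unique among VPN group, interface and tunnel names.
    if profile["name"] in existing_names:
        problems.append("name is not unique among VPN group, interface and tunnel names")
    # General tab: the profile passphrase / pre-shared key may use only standard ASCII characters.
    pw = profile["passphrase"]
    if not pw or not (pw.isascii() and pw.isprintable()):
        problems.append("passphrase must be non-empty and use only standard ASCII characters")
    # General tab: primary and backup endpoints must be addresses of an external interface or VLAN.
    for label in ("primary", "backup"):
        addr = profile.get(label)
        if addr and addr not in external_ips:
            problems.append(f"{label} address {addr} is not an external interface or VLAN address")
    # General tab: session and idle timeouts cannot be longer than the Phase 1 SA Life.
    for label in ("session_timeout", "idle_timeout"):
        if profile[label] > sa_life_minutes:
            problems.append(f"{label} exceeds the SA Life of {sa_life_minutes} minutes")
    # Resources tab: pool addresses cannot be used for anything else, so the virtual IP pool
    # must not overlap the allowed resources or any other network already in use (deduplicated).
    others = set(_nets(profile["allowed_resources"])) | set(_nets(in_use_networks))
    for pool in _nets(profile["virtual_ip_pool"]):
        for other in others:
            if pool.overlaps(other):
                problems.append(f"virtual IP pool {pool} overlaps {other}")
    return problems


# Constructed sample data; addresses and names are illustrative only.
EXTERNAL_IPS = {"203.0.113.10", "203.0.113.11"}
EXISTING_NAMES = {"Trusted", "External", "BranchOffice-VPN"}
IN_USE_NETWORKS = ["10.0.1.0/24", "10.0.2.0/24"]
GOOD_PROFILE = {"name": "SalesMobile", "passphrase": "Correct-Horse-42",
                "primary": "203.0.113.10", "backup": "203.0.113.11", "session_timeout": 480,
                "idle_timeout": 30, "allowed_resources": ["10.0.1.0/24"], "virtual_ip_pool": ["10.99.0.0/24"]}
BAD_PROFILE = {**GOOD_PROFILE, "name": "BranchOffice-VPN", "passphrase": "p\u00e4ssword",
               "backup": "10.0.1.1", "session_timeout": 600, "virtual_ip_pool": ["10.0.1.128/25"]}
```

Running `validate_group(BAD_PROFILE, EXISTING_NAMES, EXTERNAL_IPS, IN_USE_NETWORKS)` reports one problem for each violated constraint, while the good profile returns an empty list.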

Users who are members of the group you create cannot connect until they import the correct configuration file into their WatchGuard XTM IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users.

To generate the end user profiles for the group you edited:

  1. Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  2. From the Client drop-down list, select the VPN client.
  3. Click Generate.
  4. Select the browser option to save the file.

Fireware XTM Web UI can generate only the .ini, .vpn, and .wgm mobile user configuration files. If you want to generate the .wgx file, you must use Policy Manager.

See Also

Generate Mobile VPN with IPSec Configuration Files
