Use the Mac OS X or iOS Native IPSec VPN Client

Apple iOS devices (iPhone, iPad, and iPod Touch) and Mac OS X 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to an XTM device. To do this, you must configure the VPN settings on your XTM device to match those on the iOS or Mac OS X device.

For IPSec VPN connections from a Mac OS X device, you can also use the WatchGuard IPSec VPN Client for Mac OS X. For more information, see Install the IPSec Mobile VPN Client Software.

For an iOS device, you can install the WatchGuard Mobile VPN app for iOS. This app can import a Mobile VPN with IPSec profile into the native VPN client on the iOS device. For a Mac OS X device, you must manually configure the settings in the native VPN client.

You can use the same Mobile VPN with IPSec profile for VPN connections from iOS and Android devices. For information about how to configure the VPN client on an Android device, see Use Mobile VPN with IPSec with an Android Device.

In the Mobile VPN with IPSec settings on the XTM device, do not use SHA2 in the Phase 1 and Phase 2 settings. SHA2 is not supported on the VPN client on iOS devices.

You cannot use a certificate for VPN tunnel authentication between the native VPN client and an XTM device. This does not work because the VPN client uses main mode, and the XTM device uses aggressive mode for Phase 1 VPN negotiations.

Configure the XTM Device

Many of the VPN tunnel configuration settings in the VPN client on the Mac OS X or iOS device are not configurable by the user. It is very important to configure the settings on your XTM device to match the settings required by the VPN client on the Mac OS X or iOS device.

  1. Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  2. Click Add.
    The Mobile VPN with IPSec Settings page appears.

Screen shot of the Mobile VPN with IPSec Settings, General tab

  1. In the Name text box, type the name of the authentication group your Mac OS X or iOS VPN users belong to.

You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

  1. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the XTM device (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

  1. Type and confirm the Passphrase to use for this tunnel.
  2. In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
  3. Select the IPSec Tunnel tab.
    The IPSec Tunnel settings appear.

Screen shot of the mobile VPN with IPSec Settings - IPSec Tunnel tab

  1. Select Use the passphrase of the end user profile as the pre-shared key.
    This is the default setting.
  2. From the Authentication drop-down list, select either SHA-1 or MD5.
  3. From the Encryption drop-down list, select one of these options:
  4. In the Phase 1 Settings section, click Advanced.
    The Phase 1 Advanced Settings appear.

Screen shot of the Mobile VPN with IPSec Settings, Phase 1 Advanced Settings

  1. Set the SA Life to 1 hour.

The VPN client on the Mac OS X or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by the VPN client on Mac OS X or iOS devices, set the SA Life to 1 hour to match the client setting.

If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard XTM IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the OS X or iOS device uses the smaller rekey value of 1 hour.

  1. From the Key Group drop-down list, select Diffie-Hellman Group 2.
  2. Do not change any of the other Phase 1 advanced settings.
  3. Click OK.
  4. In the Phase 2 Settings section, clear the PFS check box.

Screen shot of the Phase 2 Settings PFS check box

  1. In the Phase 2 Settings section, click Advanced.
    The Phase 2 Advanced settings appear.

  1. From the Authentication drop-down list, select SHA1 or MD5.
  2. From the Encryption drop-down list, select 3DES, AES (128-bit), or AES (256-bit).
  3. In the Force Key Expiration settings, set the expiration Time to 1 hour.
  4. In the Force Key Expiration settings, clear the Traffic check box.
  5. Click OK.
  6. Select the Resources tab.
  7. Select the Allow All Traffic Through Tunnel check box.
    This configures the tunnel for default-route VPN. The VPN client on the Mac OS X or iOS device does not support split tunneling.
  8. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
    To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The IP addresses in the virtual IP address pool cannot be used for anything else on your network.

  1. Click Save.

Make sure that you add all VPN users to the authentication group you selected.

For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
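As an added example (not WatchGuard's code), the following Python check encodes the Phase 1, Phase 2 and Resources settings from the procedure above and reports every setting of a profile that the native iOS or Mac OS X client would not accept; the dict field names, the sample virtual IP addresses and the sample profiles are this example's own assumptions.

```python
# Added example, not WatchGuard's code: checks a Mobile VPN with IPSec profile
# (field names chosen here) against the values this page gives for the native client.
import copy

HASHES = {"SHA-1", "SHA1", "MD5"}                     # SHA2 is not supported
CIPHERS = {"3DES", "AES (128-bit)", "AES (256-bit)"}

def check_profile(profile, users, firecluster=False, shared=False):
    """Return a list of findings; an empty list means the profile matches."""
    p1, p2, res = profile["phase1"], profile["phase2"], profile["resources"]
    out = []
    for phase, cfg in (("Phase 1", p1), ("Phase 2", p2)):
        if cfg["authentication"] not in HASHES:
            out.append(f"ERROR: {phase} authentication must be SHA-1 or MD5")
    if p1["key_group"] != 2:
        out.append("ERROR: Phase 1 key group must be Diffie-Hellman Group 2")
    # 8 h is allowed only for a profile shared with other clients; native client rekeys at 1 h anyway
    if p1["sa_life_hours"] == 8 and shared:
        out.append("WARN: SA Life is 8 hours; the iOS/OS X client still rekeys at 1 hour")
    elif p1["sa_life_hours"] != 1:
        out.append("ERROR: Phase 1 SA Life must be 1 hour")
    if p2["pfs"]:
        out.append("ERROR: Phase 2 PFS must be cleared")
    if p2["encryption"] not in CIPHERS:
        out.append("ERROR: Phase 2 encryption must be 3DES, AES (128-bit) or AES (256-bit)")
    if p2["key_expiration_hours"] != 1 or p2["expire_on_traffic"]:
        out.append("ERROR: Phase 2 key expiration must be 1 hour with Traffic cleared")
    if not res["allow_all_traffic"]:
        out.append("ERROR: Allow All Traffic Through Tunnel is required (no split tunneling)")
    needed = users * (2 if firecluster else 1)  # two virtual IPs per user on FireCluster
    if len(res["virtual_ip_pool"]) < needed:
        out.append(f"ERROR: virtual IP pool holds {len(res['virtual_ip_pool'])}, {needed} needed")
    return out

# Constructed sample profile that follows the page's steps.
GOOD_PROFILE = {
    "phase1": {"authentication": "SHA-1", "key_group": 2, "sa_life_hours": 1},
    "phase2": {"pfs": False, "authentication": "SHA1", "encryption": "AES (256-bit)",
               "key_expiration_hours": 1, "expire_on_traffic": False},
    "resources": {"allow_all_traffic": True,
                  "virtual_ip_pool": ["10.10.10.1", "10.10.10.2", "10.10.10.3"]},
}

def bad_profile():
    """Copy of GOOD_PROFILE with three settings the native client cannot use."""
    bad = copy.deepcopy(GOOD_PROFILE)
    bad["phase1"]["authentication"] = "SHA2-256"
    bad["phase2"]["pfs"] = True
    bad["resources"]["allow_all_traffic"] = False
    return bad
```

Run `check_profile(bad_profile(), users=3)` to see the three mismatches reported; pass `firecluster=True` to apply the two-addresses-per-user rule.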

Configure the VPN Client on an iOS Device

There are two methods you can use to configure the VPN client on an iOS device. You can use the WatchGuard Mobile VPN app for iOS to import a .wgm end-user profile to the VPN client on the iOS device. This is the easiest way to configure the iOS device. If you do not install the WatchGuard Mobile VPN app on the iOS device, you can manually configure the VPN client with the correct settings to connect.

To use the WatchGuard Mobile VPN app to import the IPSec VPN settings to the native iOS VPN client:

  1. Generate the .wgm profile for the Mobile VPN with IPSec group.

For instructions, see Generate Mobile VPN with IPSec Configuration Files.

  1. Send the .wgm profile to the mobile users as an email attachment.
  2. Use a secure method to give the passphrase to the mobile users.
  3. On the iOS device, install the free WatchGuard Mobile VPN app from the Apple App Store.
  4. In the email client on the iOS device, open the email that contains the .wgm file attachment.
  5. Open the .wgm file attachment.
    The WatchGuard Mobile VPN app launches.
  6. Type the passphrase received from the administrator to decrypt the file.
    The WatchGuard Mobile VPN app imports the configuration and creates an IPSec VPN configuration profile in the iOS VPN client.

To manually configure the VPN client settings on the iOS device:

  1. Select Settings > General > Network > VPN > Add VPN Configuration.
  2. Configure these settings in the VPN client:

After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device. Click the VPN switch to enable or disable the VPN client. When a VPN connection is established, the VPN icon appears in the status bar.

The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not need to retype the password each time the VPN client reconnects. Otherwise, they must type the password each time the client reconnects.

Configure the VPN Client on a Mac OS X Device

The XTM device does not generate a client configuration file for the VPN client on the Mac OS X device. The user must manually configure the VPN client settings to match the settings configured on the XTM device.

To configure the VPN settings on the Mac OS X device:

  1. Open System Preferences and select Network.
  2. Click + at the bottom of the list to add a new interface. Configure these settings:
  3. Click Create.
    The new VPN interface appears in the list of network interfaces.
  4. Select the new interface in the list. Edit these settings:
  5. Click Authentication Settings. Set these settings:
  6. Select the Show VPN status in menu bar check box to add the VPN status icon to the OS X menu bar.
  7. Click Connect to start the VPN tunnel.

After you apply these settings, a VPN status icon appears in the menu bar of the Mac OS X device. Click the VPN status icon to start or stop the VPN client connection.

See Also

About Mobile VPN with IPSec

Define Advanced Phase 1 Settings

Define Advanced Phase 2 Settings
