Apple iOS devices (iPhone, iPad, and iPod Touch) and Mac OS X 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to an XTM device. To do this, you must configure the VPN settings on your XTM device to match those on the iOS or Mac OS X device.
For IPSec VPN connections from a Mac OS X device, you can also use the WatchGuard IPSec VPN Client for Mac OS X. For more information, see Install the IPSec Mobile VPN Client Software.
For an iOS device, you can install the WatchGuard Mobile VPN app for iOS. This app can import a Mobile VPN with IPSec profile into the native VPN client on the iOS device. For a Mac OS X device, you must manually configure the settings in the native VPN client.
You can use the same Mobile VPN with IPSec profile for VPN connections from iOS and Android devices. For information about how to configure the VPN client on an Android device, see Use Mobile VPN with IPSec with an Android Device.
In the Mobile VPN with IPSec settings on the XTM device, do not use SHA2 in either the Phase 1 or the Phase 2 settings. SHA2 is not supported by the VPN client on iOS devices.
You cannot use a certificate for VPN tunnel authentication between the native VPN client and an XTM device. This does not work because the native VPN client uses main mode, while the XTM device uses aggressive mode for Phase 1 VPN negotiations.
Many of the VPN tunnel configuration settings in the VPN client on the Mac OS X or iOS device are not configurable by the user. It is very important to configure the settings on your XTM device to match the settings required by the VPN client on the Mac OS X or iOS device.
You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.
You can authenticate users to the XTM device (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec.
The VPN client on the Mac OS X or iOS device is configured to rekey after 1 hour. If this profile is used only for connections by the VPN client on Mac OS X or iOS devices, set the SA Life to 1 hour to match the client setting.
If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard XTM IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the Mac OS X or iOS device still uses its smaller rekey value of 1 hour.
The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.
The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
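The client constraints above (no SHA2 for the iOS client, SA Life matched to the 1 hour client rekey, one virtual IP per user or two with FireCluster, a unique group name, an enabled authentication method) can be checked before the profile is saved. The following Python lint is an added example, not WatchGuard code; the field names, the SHA-2 algorithm spellings it recognizes and the profile values in the test are constructed for illustration.

```python
from dataclasses import dataclass

APPLE_NATIVE_CLIENT_REKEY_HOURS = 1   # fixed in the iOS / Mac OS X client, not user-configurable


@dataclass
class MobileVpnProfile:
    group_name: str
    existing_names: tuple        # other VPN group, interface and VPN tunnel names on the device
    auth_method_enabled: bool    # Firebox-DB, RADIUS, VASCO, SecurID, LDAP or AD is enabled
    phase1_auth: str             # Phase 1 authentication (hash) algorithm, e.g. "SHA1"
    phase2_auth: str             # Phase 2 authentication (hash) algorithm
    sa_life_hours: int
    pool_size: int               # number of addresses in the virtual IP address pool
    user_count: int
    firecluster: bool
    apple_clients_only: bool     # profile used only by the iOS / Mac OS X native client


def is_sha2(algorithm: str) -> bool:
    """True for any SHA-2 family name (assumed spellings: SHA2, SHA2-256, SHA-256, ...)."""
    name = algorithm.upper().replace("-", "").replace("_", "")
    return name.startswith("SHA2") or name in {"SHA256", "SHA384", "SHA512"}


def effective_rekey_hours(profile: MobileVpnProfile) -> dict:
    """Rekey interval each client type actually uses: the Apple client always
    takes the smaller of its fixed 1 hour and the profile's SA Life."""
    return {
        "apple_native": min(profile.sa_life_hours, APPLE_NATIVE_CLIENT_REKEY_HOURS),
        "shrew_soft_and_watchguard": profile.sa_life_hours,
    }


def check_profile(profile: MobileVpnProfile) -> list:
    """Return a list of problems; an empty list means the profile follows the rules above."""
    problems = []
    if profile.group_name in profile.existing_names:
        problems.append("group name must be unique among group, interface and tunnel names")
    if not profile.auth_method_enabled:
        problems.append("selected authentication method is not enabled on the XTM device")
    for phase, alg in (("Phase 1", profile.phase1_auth), ("Phase 2", profile.phase2_auth)):
        if is_sha2(alg):
            problems.append(f"{phase} uses {alg}: SHA2 is not supported by the iOS VPN client")
    expected_life = 1 if profile.apple_clients_only else 8   # hours, per the guidance above
    if profile.sa_life_hours != expected_life:
        problems.append(f"SA Life is {profile.sa_life_hours} h, expected {expected_life} h")
    needed = profile.user_count * (2 if profile.firecluster else 1)   # FireCluster needs two per user
    if profile.pool_size < needed:
        problems.append(f"virtual IP pool has {profile.pool_size} addresses, {needed} needed")
    return problems
```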
Make sure that you add all VPN users to the authentication group you selected.
For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
There are two methods you can use to configure the VPN client on an iOS device. You can use the WatchGuard Mobile VPN app for iOS to import a .wgm end-user profile into the VPN client on the iOS device. This is the easiest way to configure the iOS device. If you do not install the WatchGuard Mobile VPN app on the iOS device, you can manually configure the VPN client with the correct settings to connect.
To use the WatchGuard Mobile VPN app to import the IPSec VPN settings to the native iOS VPN client:
For instructions, see Generate Mobile VPN with IPSec Configuration Files.
To manually configure the VPN client settings on the iOS device:
After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device. Click the VPN switch to enable or disable the VPN client. When a VPN connection is established, the VPN icon appears in the status bar.
The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not need to retype the password each time the VPN client reconnects. Otherwise, they must type the password each time the client reconnects.
The XTM device does not generate a client configuration file for the VPN client on the Mac OS X device. The user must manually configure the VPN client settings to match the settings configured on the XTM device.
To configure the VPN settings on the Mac OS X device:
After you apply these settings, a VPN status icon appears in the menu bar of the Mac OS X device. Click the VPN status icon to start or stop the VPN client connection.