Modify an Existing Mobile VPN with IPSec Group Profile

After you create a Mobile VPN with IPSec group, you can edit the profile to:

Configure a Mobile VPN with IPSec Group

  1. Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.

Screen shot of the Mobile VPN with IPSec configuration page

  2. Select the group you want to edit and click Edit.
    The Mobile User VPN with IPSec Settings page appears.

Screen shot of the MVPN with IPSec Settings page, General tab

  3. Configure these options to edit the group profile:

Authentication Server

Select the authentication server to use for this Mobile VPN group. You can authenticate users to the XTM device (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled.

Passphrase

To change the passphrase that encrypts the .wgx file, type a new passphrase. The shared key can use only standard ASCII characters. If you use a certificate for authentication, this is the PIN for the certificate.

Confirm

Type the new passphrase again.

Primary

Type the primary external IP address or domain to which Mobile VPN users in this group can connect. This can be an external IP address, secondary external IP address, or external VLAN. For a device in drop-in mode, use the IP address assigned to all interfaces.

Backup

Type a backup external IP address or domain to which Mobile VPN users in this group can connect. This backup IP address is optional. If you add a backup IP address, make sure it is an IP address assigned to an XTM device external interface or VLAN.

Session Timeout

Select the maximum time in minutes that a Mobile VPN session can be active.

Idle Timeout

Select the time in minutes before the XTM device closes an idle Mobile VPN session. The session and idle timeout values are the default timeouts if the authentication server does not return specific timeout values. If you use the XTM device as the authentication server, the timeouts for the Mobile VPN group are always ignored because you set timeouts in each XTM device user account.

The session and idle timeouts cannot be longer than the value in the SA Life text box.

To set this value, select the IPSec Tunnel tab. In the Phase 1 Settings section, click Advanced. The default value is 8 hours.

  4. Select the IPSec Tunnel tab.

Screen shot of the MVPN with IPSec Settings, edit IPSec page, IPSec Tunnel tab

  5. Configure these options to edit the IPSec settings:

IPSec Tunnel Settings

You can use a preshared key or a certificate for tunnel authentication.

Select Use the passphrase of the end-user profile as the pre-shared key to use the passphrase of the end-user profile as the pre-shared key for tunnel authentication. The passphrase is set on the General tab in the Passphrase section. You must use the same shared key on the remote device, and this shared key can use only standard ASCII characters.

Select Use a certificate to use a certificate for tunnel authentication.
For more information, see Certificates for Mobile VPN With IPSec Tunnel Authentication.

If you use a certificate, you must also specify the CA IP Address and Timeout. In the CA IP Address text box, type the IP address of the Management Server that is configured as the certificate authority. In the Timeout text box, type the time, in seconds, after which the Mobile VPN with IPSec client stops trying to connect to a certificate authority that does not respond. We recommend you use the default setting.

Phase 1 Settings

Select the authentication and encryption methods for the Phase 1 transform for the Mobile VPN tunnel. For more information about these settings, see About IPSec Algorithms and Protocols.

From the Authentication drop-down list, select MD5, SHA1, SHA2-256, SHA2-384, or SHA2-512 as the authentication method.

SHA2 is not supported on XTM 510, 520, 530, 515, 525, 535, 545, 810, 820, 830, 1050, and 2050 devices. The hardware cryptographic acceleration in those models does not support SHA2.

SHA2 is supported for VPN connections from the Shrew Soft VPN client v2.2.1 or higher, or the WatchGuard IPSec Mobile VPN client v11.32. SHA2 is not supported for VPN connections from Android or iOS devices, and is not supported by older versions of the Shrew Soft or WatchGuard IPSec VPN clients.

From the Encryption drop-down list, select AES (128-bit), AES (192-bit), AES (256-bit), DES, or 3DES as the encryption method.

To configure advanced settings, such as NAT Traversal or the key group, click Advanced. For more information, see Define Advanced Phase 1 Settings.

Phase 2 Settings

To change the proposal and key expiration settings, click the Proposal button. For more information, see Define Advanced Phase 2 Settings.

To enable Perfect Forward Secrecy (PFS), select the PFS check box. If you enable PFS, select the Diffie-Hellman group.

Perfect Forward Secrecy gives more protection to keys that are created in a session. Keys made with PFS are not made from a previous key. If a previous key is compromised after a session, your new session keys are secure. For more information, see About Diffie-Hellman Groups.

  6. Select the Resources tab.

Screen shot of the MVPN with IPSec edit settings page, Resources tab

  7. Configure these options:

Allow All Traffic Through Tunnel

To send all Mobile VPN user Internet traffic through the VPN tunnel, select this check box.
If you select this check box, the Mobile VPN user Internet traffic is sent through the VPN. This is more secure, but web site access can be slow.
If you do not select this check box, Mobile VPN user Internet traffic is sent directly to the Internet. This is less secure, but users can browse the Internet more quickly.

Allowed Resources

This list includes the network resources that are available to users in the Mobile VPN group.

To add an IP address or a network IP address to the network resources list, select Host IP or Network IP, type the address, and click Add.

To delete an IP address or network IP address from the resources list, select a resource and click Remove.

If you edit the allowed resources, the resource list is automatically updated only in the default Mobile VPN with IPSec policy for this group. The resources are not automatically updated in any other Mobile VPN with IPSec policies for the group. You must review the allowed resources in those policies and update them if necessary. For more information, see Configure Policies to Filter Mobile VPN Traffic.

Virtual IP Address Pool

The internal IP addresses that are used by Mobile VPN users over the tunnel appear in this list. These addresses cannot be used by any network device or by any other Mobile VPN group.

To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

To delete a host or network IP address from the virtual IP address pool, select the host or IP address and click Remove.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

  8. Select the Advanced tab.

Screen shot of the Mobile VPN with IPSec Settings page, Advanced tab

  9. Configure the Line Management settings:

Connection mode

Manual — In this mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. This is the default setting.

To restart the VPN tunnel, you must click Connect in Connection Monitor, or right-click the Mobile VPN icon on your Windows desktop toolbar and select Connect.

Automatic — In this mode, the client tries to start the connection when your computer sends traffic to a destination that you can reach through the VPN. The client also tries to restart the VPN tunnel automatically if the VPN tunnel becomes unavailable.

Variable — In this mode, the client tries to restart the VPN tunnel automatically until you click Disconnect. After you disconnect, the client does not try to restart the VPN tunnel again until after the next time you click Connect.

Inactivity timeout

If you set the Connection Mode to Automatic or Variable, the Mobile VPN with IPSec client software does not try to renegotiate the VPN connection for the duration you specify. The inactivity timeout can have a maximum value of 65,535 seconds.

The default Line Management settings are Manual and 0 seconds. If you change either setting, you must use the .ini file to configure the client software.
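
A pre-save check that encodes the limits this page states (ASCII passphrase, timeouts within SA Life, SHA2 hardware and client support, the 65,535-second inactivity maximum, and the .ini requirement), written as an added Python example rather than WatchGuard code. The dictionary keys are hypothetical names for the Web UI fields, and the MD5/DES warning reflects general IPsec guidance, not a statement from this page.

```python
# Added example: limits come from this page; the dict keys are hypothetical
# names for the Web UI fields, not a WatchGuard file format.
SHA2_UNSUPPORTED_MODELS = {"510", "520", "530", "515", "525", "535", "545",
                           "810", "820", "830", "1050", "2050"}
SHA2_UNSUPPORTED_CLIENTS = {"android", "ios"}
MAX_INACTIVITY_SECONDS = 65535
DEFAULT_SA_LIFE_HOURS = 8
# Not from this page: MD5 and DES are deprecated in current IPsec guidance.
WEAK_ALGORITHMS = {"MD5", "DES"}


def check_profile(p):
    """Return a list of problems in a planned Mobile VPN group profile."""
    problems = []
    if not p["passphrase"].isascii():
        problems.append("passphrase: only standard ASCII characters are allowed")
    sa_life_min = p.get("sa_life_hours", DEFAULT_SA_LIFE_HOURS) * 60
    for field in ("session_timeout_min", "idle_timeout_min"):
        if p[field] > sa_life_min:
            problems.append(f"{field}: {p[field]} min exceeds SA Life ({sa_life_min} min)")
    if p["phase1_auth"].startswith("SHA2"):
        if p["xtm_model"] in SHA2_UNSUPPORTED_MODELS:
            problems.append(f"phase1_auth: XTM {p['xtm_model']} hardware does not support SHA2")
        for client in sorted(SHA2_UNSUPPORTED_CLIENTS & set(p["clients"])):
            problems.append(f"phase1_auth: {client} clients cannot connect with SHA2")
    for field in ("phase1_auth", "phase1_encryption"):
        if p[field] in WEAK_ALGORITHMS:
            problems.append(f"{field}: {p[field]} is deprecated")
    if not 0 <= p["inactivity_timeout_s"] <= MAX_INACTIVITY_SECONDS:
        problems.append("inactivity_timeout_s: maximum is 65,535 seconds")
    # Non-default Line Management settings only reach clients through the .ini file.
    non_default = (p["connection_mode"], p["inactivity_timeout_s"]) != ("Manual", 0)
    if non_default and p["profile_format"] != "ini":
        problems.append("profile_format: non-default Line Management requires the .ini file")
    return problems


# Constructed sample profile (not real configuration data).
SAMPLE = {
    "passphrase": "correct-horse-\u00fc", "sa_life_hours": 8,
    "session_timeout_min": 600, "idle_timeout_min": 30,
    "xtm_model": "525", "phase1_auth": "SHA2-256",
    "phase1_encryption": "AES (256-bit)", "clients": ["shrew", "ios"],
    "connection_mode": "Automatic", "inactivity_timeout_s": 300,
    "profile_format": "wgx",
}

if __name__ == "__main__":
    for problem in check_profile(SAMPLE):
        print(problem)
```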

  10. Click Save.
    The Mobile VPN with IPSec page appears.
  11. Click Save.

Users that are members of the group you edit are not able to connect until they import the correct configuration file in their WatchGuard IPSec Mobile VPN Client software. You must generate the configuration file and then provide it to the end users. 

To generate the end user profiles for the group you edited:

  1. Select VPN > Mobile VPN with IPSec.
    The Mobile VPN with IPSec page appears.
  2. Click Generate.

Fireware XTM Web UI can only generate the .ini or .vpn mobile user configuration file. If you want to generate the .wgx file, you must use Policy Manager.

See Also

Generate Mobile VPN with IPSec Configuration Files
