Apple iOS devices (iPhone, iPad, and iPod Touch) and Mac OSX 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to an XTM device. To do this, you must configure the VPN settings on your XTM device to match those on the iOS or Mac OSX device. For IPSec VPN connections from a Mac OSX device, you can also use the WatchGuard IPSec VPN Client for Mac OSX.
For more information, see. For an iOS device, you can install the WatchGuard Mobile VPN app for iOS. This app can import a Mobile VPN with IPSec profile into the native VPN client on the iOS device.
For a Mac OSX device, you must manually configure the settings in the native VPN client. You can use the same Mobile VPN with IPSec profile for VPN connections from iOS and Android devices.
For information about how to configure the VPN client on an Android device, see. In the Mobile VPN with IPSec settings on the XTM device, do not use SHA2 in the Phase 1 and Phase 2 settings. SHA2 is not supported on the VPN client on iOS devices. You cannot use a certificate for VPN tunnel authentication between the native VPN client and an XTM device.
This does not work because the VPN client uses main mode, and the XTM device uses aggressive mode for Phase 1 VPN negotiations.

Configure the XTM Device

This section is meant for QUBYTE IT Support personnel, or your own IT technician, who can configure the WatchGuard Firewall accordingly. If you are an end-user, please scroll down to the iOS and OSX configurations. Many of the VPN tunnel configuration settings in the VPN client on the Mac OSX or iOS device are not configurable by the user. It is very important to configure the settings on your XTM device to match the settings required by the VPN client on the Mac OSX or iOS device. Select VPN > Mobile VPN with IPSec.
The Mobile VPN with IPSec page appears. The Mobile VPN with IPSec Settings page appears.
In the Name text box, type the name of the authentication group your Mac OSX or iOS VPN users belong to. You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.
From the Authentication Server drop-down list, select an authentication server. You can authenticate users to the XTM device (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that this method of authentication is enabled. If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server that has the same name as the name you added in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see.
Type and confirm the Passphrase to use for this tunnel. In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect. Select the IPSec Tunnel tab. The IPSec Tunnel settings appear. Select Use the passphrase of the end user profile as the pre-shared key. This is the default setting. From the Authentication drop-down list, select either SHA-1 or MD5.
From the Encryption drop-down list, select one of these options:
3DES
AES (128 bit)
AES (256 bit)
In the Phase 1 Settings section, click Advanced.
The Phase 1 Advanced Settings appear. Set the SA Life to 1 hour. The VPN client on the Mac OSX or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by the VPN client on Mac OSX or iOS devices, set the SA Life to 1 hour to match the client setting. If you plan to use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard XTM IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the OSX or iOS device uses the smaller rekey value of 1 hour.
From the Key Group drop-down list, select Diffie-Hellman Group 2. Do not change any of the other Phase 1 advanced settings. In the Phase 2 Settings section, clear the PFS check box. In the Phase 2 Settings section, click Advanced.
The Phase 2 Advanced settings appear. From the Authentication drop-down list, select SHA1 or MD5. From the Encryption drop-down list, select 3DES, AES (128-bit), or AES (256-bit).
In the Force Key Expiration settings, set the expiration Time to 1 hour. In the Force Key Expiration settings, clear the Traffic check box. Select the Resources tab. Select the “Allow All Traffic Through Tunnel” check box. This configures the tunnel for default-route VPN. The VPN client on the Mac OSX or iOS device does not support split tunneling.
In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel. To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.
The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user. The IP addresses in the virtual IP address pool cannot be used for anything else on your network. Click Save.
Make sure that you add all VPN users to the authentication group you selected.

Configure the VPN Client on an iOS Device

There are two methods you can use to configure the VPN client on an iOS device. You can use the WatchGuard Mobile VPN app for iOS to import a .wgm end-user profile to the VPN client on the iOS device. This is the easiest way to configure the iOS device. If you do not install the WatchGuard Mobile VPN app on the iOS device, you can manually configure the VPN client with the correct settings to connect. To use the WatchGuard Mobile VPN app to import the IPSec VPN settings to the native iOS VPN client: Generate the .wgm profile for the Mobile VPN with IPSec group.
For instructions, see. Your IT support technician can assist you with this. The .wgm profile can be sent to the mobile end-users as an email attachment. Use a secure method to give the passphrase to the mobile users; for example, the passphrase can be provided over the phone.
On the iOS device, install the free WatchGuard Mobile VPN app from the Apple App Store. In the email client on the iOS device, open the email that contains the .wgm file attachment. Open the .wgm file attachment. The WatchGuard Mobile VPN app launches.
Type the passphrase received from the administrator to decrypt the file. The WatchGuard Mobile VPN app imports the configuration and creates an IPSec VPN configuration profile in the iOS VPN client. To manually configure the VPN client settings on the iOS device: Select Settings > General > Network > VPN > Add VPN Configuration. Configure these settings in the VPN client:
Server — The external IP address of the XTM device.
Account — The user name on the authentication server.
Use Certificate — Set this option to OFF.
Group Name — The group name you chose in the XTM device Mobile VPN with IPSec configuration.
Secret — The tunnel passphrase you set in the XTM device Mobile VPN with IPSec configuration.
User’s Password — The password for the user on the authentication server.
After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.
Click the VPN switch to enable or disable the VPN client. When a VPN connection is established, the VPN icon appears in the status bar.
The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect.
Users can manually reconnect their VPN clients. If users save their passwords, they do not need to retype the password each time the VPN client reconnects.
Otherwise, they must type the password each time the client reconnects.

Configuring the VPN Client on Mac OSX (10.6 or above)

The XTM device does not generate a client configuration file for the VPN client on the Mac OSX device. The user must manually configure the VPN client settings to match the settings configured on the XTM device. To configure the VPN settings on the Mac OSX device:
Open System Preferences and select Network. Click + at the bottom of the list to add a new interface. Configure these settings:
Interface — VPN.
VPN Type — Cisco IPSec.
Service Name — Type the name you want to use for this connection.
Click Create. The new VPN interface appears in the list of network interfaces.
Select the new interface in the list. Edit these settings:
Server Address — The external IP address of the XTM device.
Account Name — The user name on the authentication server.
Password — The password for the user on the authentication server.
Click Authentication Settings. Set these settings:
Shared Secret — The tunnel passphrase you set in the XTM device Mobile VPN with IPSec configuration.
Group Name — The group name you chose in the XTM device Mobile VPN with IPSec configuration.
Select the Show VPN status in menu bar check box to add the VPN status icon to the OSX menu bar. Click Connect to start the VPN tunnel.
After you apply these settings, a VPN status icon appears in the menu bar of the Mac OSX device. Click the VPN status icon to start or stop the VPN client connection.
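The XTM-side constraints from the "Configure the XTM Device" section and the client-side fields from the iOS and Mac OSX sections, gathered into one checker. This is an added example, not WatchGuard code; the profile and client field names are assumptions chosen for the example, and the sample values are constructed.

```python
# Added example, not WatchGuard code: checks a Mobile VPN with IPSec profile
# against what the native Cisco IPSec client on iOS / Mac OSX requires, then
# checks the client-side fields against that profile. Field names are assumed.
AUTH = {"SHA-1", "SHA1", "MD5"}          # SHA2 is not supported by the client
ENCRYPTION = {"3DES", "AES (128 bit)", "AES (256 bit)"}

def check_xtm_profile(p):
    """Return the list of Firebox-side settings that do not match the client."""
    bad = []
    if {p["phase1_auth"], p["phase2_auth"]} - AUTH:
        bad.append("Authentication must be SHA-1 or MD5 (no SHA2)")
    if {p["phase1_encryption"], p["phase2_encryption"]} - ENCRYPTION:
        bad.append("Encryption must be 3DES, AES (128 bit) or AES (256 bit)")
    if p["phase1_sa_life_hours"] not in (1, 8):
        bad.append("Phase 1 SA Life must be 1 hour (8 hours only for a shared profile)")
    if p["key_group"] != "Diffie-Hellman Group 2":
        bad.append("Key Group must be Diffie-Hellman Group 2")
    if p["pfs"]:
        bad.append("PFS check box must be cleared")
    if p["phase2_time_hours"] != 1 or p["phase2_traffic_expiration"]:
        bad.append("Force Key Expiration: Time 1 hour, Traffic check box cleared")
    if not p["allow_all_traffic"]:
        bad.append("Allow All Traffic Through Tunnel must be selected (no split tunneling)")
    needed = p["user_count"] * (2 if p["firecluster"] else 1)  # two per user on FireCluster
    if len(p["virtual_ip_pool"]) < needed:
        bad.append(f"Virtual IP pool has {len(p['virtual_ip_pool'])} addresses, needs {needed}")
    return bad

def check_client(p, c):
    """Compare the iOS / OSX client fields with the profile they must match."""
    bad = []
    if c["server"] != p["firebox_address"]:
        bad.append("Server must be the Firebox external IP address or domain name")
    if c["group_name"] != p["group_name"]:
        bad.append("Group Name must equal the Mobile VPN with IPSec group name")
    if c["secret"] != p["passphrase"]:
        bad.append("Secret / Shared Secret must equal the tunnel passphrase")
    if c["use_certificate"]:
        bad.append("Use Certificate must be OFF (client uses main mode, Firebox aggressive)")
    return bad

# Constructed sample data: this profile still has SHA2, PFS and too small a pool.
PROFILE = {"group_name": "ios-users", "passphrase": "example-passphrase",
           "firebox_address": "vpn.example.com", "phase1_auth": "SHA2-256", "phase2_auth": "SHA1",
           "phase1_encryption": "AES (256 bit)", "phase2_encryption": "AES (256 bit)",
           "phase1_sa_life_hours": 1, "key_group": "Diffie-Hellman Group 2", "pfs": True,
           "phase2_time_hours": 1, "phase2_traffic_expiration": False, "allow_all_traffic": True,
           "user_count": 3, "firecluster": True, "virtual_ip_pool": ["10.0.10.1", "10.0.10.2"]}
CLIENT = {"server": "vpn.example.com", "group_name": "ios-users",
          "secret": "example-passphrase", "use_certificate": False}
```

Running check_xtm_profile(PROFILE) reports the three settings that would stop the native client from connecting (SHA2, PFS, and a pool of 2 addresses where FireCluster with 3 users needs 6), while check_client(PROFILE, CLIENT) returns an empty list because the client fields already match the profile.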