Watchguard Mobile Vpn Client Mac

Hey, I saw your post and was wondering if you kept on with Big Sur and got Watch Guard Mobile VPN to work. I currently use Watch Guard for remote work, however, I am itching to upgrade to Big Sur. Thanks in advance! WatchGuard IPSec VPN Client for Mac In order to use your client software, you need a serial number and a license key. The license is released by the activation code sent via by us to the client on the endpoint. Dec 07, 2018 On a Win 7 computer, all I have to do is run the SSLVPN client while logged in as a local or domain admin. On a Win 10 computer logged in as a local or domain admin, I have to right-click the SSLVPN client installer and 'Run as administrator' or else it fails to install the TAP driver.

Apple iOS devices (iPhone, iPad, and iPod Touch) and macOS 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to a Firebox. To use the native IPSec VPN client to make a connection to your Firebox, you must configure the VPN settings on your Firebox to match those on the iOS or macOS device.

For IPSec VPN connections from a macOS device, you can also use the WatchGuard IPSec VPN Client for macOS. For more information, see Install the IPSec Mobile VPN Client Software.

Supported Phase 1 and 2 Settings

For devices with iOS 9.3 and higher or macOS 10.11.4 and higher, these combinations of Phase 1 and 2 settings are supported.

If Diffie-Hellman Group 14 is selected in the Phase 1 settings:

• Phase 1 Authentication — MD5, SHA1, SHA2-256, SHA2-512
• Phase 1 Encryption — AES256
• Phase 2 Authentication — MD5, SHA1
• Phase 2 Encryption — 3DES, AES128, AES256
• Perfect Forward Secrecy — No

If Diffie-Hellman Group 2 is selected in the Phase 1 settings:

• Phase 1 Authentication — MD5, SHA1
• Phase 1 Encryption — DES, 3DES, AES128, AES256
• Phase 2 Authentication — SHA1, MD5
• Phase 2 Encryption — 3DES, AES128, AES256
• Phase 2 PFS — No

For devices with versions of iOS lower than 9.3, these Phase 1 and 2 settings are supported.

• Diffie-Hellman Group 2
• Phase 1 Authentication — MD5 , SHA1
  
• Phase 1 Encryption — DES, 3DES, AES128, AES256
• Phase 2 Authentication — MD5 , SHA1
• Phase 2 Encryption — 3DES, AES128, AES256
• Phase 2 PFS — No

Diffie-Hellman Group 5 is not supported on Apple devices for aggressive mode. Mobile VPN with IPSec only supports aggressive mode.

Configure the Firebox

Many of the VPN tunnel configuration settings in the VPN client on the macOS or iOS device are not configurable by the user. It is very important to configure the settings on your Firebox to match the settings required by the VPN client on the macOS or iOS device.

1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
2. In the IPSec section, select Configure.
   The Mobile VPN with IPSec page appears.
3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IPSec.
   The Mobile VPN with IPSec page appears.
4. Click Add.
   The Mobile VPN with IPSec Settings page appears.

1. In the Name text box, type the name of the authentication group your macOS or iOS VPN users belong to.

You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.

1. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

1. Type and confirm the Passphrase to use for this tunnel.
2. In the Firebox IP Addresses section, type the primary external IP address or domain name to which Mobile VPN users in this group can connect.
3. Select the IPSec Tunnel tab.
   The IPSec Tunnel settings appear.

1. Select Use the passphrase of the end user profile as the pre-shared key.
   This is the default setting.
2. From the Authentication drop-down list, select an authentication method.
3. From the Encryption drop-down list, select an encryption method.
4. In the Phase 1 Settings section, click Advanced.
   The Phase 1 Advanced Settings appear.

1. Set the SA Life to 1 hour.

The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.

To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.

1. From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.Tip!Only Diffie-Hellman Groups 2 and 14 are supported.
2. Do not change any of the other Phase 1 advanced settings.
3. Click OK.
4. In the Phase 2 Settings section, clear the PFS check box.

1. In the Phase 2 Settings section, click Advanced.
   The Phase 2 Advanced settings appear.

1. From the Authentication drop-down list, select SHA1.
   SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
2. From the Encryption drop-down list, select an encryption method.
3. In the Force Key Expiration settings, set the expiration Time to 1 hours.
4. In the Force Key Expiration settings, clear the Traffic check box.
5. Click OK.
6. Select the Resources tab.
7. Select the Allow All Traffic Through Tunnel check box.
   This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
8. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
   To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The IP addresses in the virtual IP address pool cannot be used for anything else on your network.

1. Select the Advanced tab.
2. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

1. Click Save.

Make sure that you add all VPN users to the authentication group you selected.

For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.

First, use the Mobile VPN with IPSec Wizard to configure the basic settings:

1. Select VPN > Mobile VPN > IPSec.
   The Mobile VPN with IPSec Configuration dialog box appears.
2. Click Add.
   The Add Mobile VPN with IPSec Wizard appears.
3. Click Next.
   The Select a user authentication server page appears.

1. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.

1. In the Group Name text box, type the name of the authentication group your macOS or iOS device users belong to.

You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

1. Click Next.
   The Select a tunnel authentication method page appears.

1. Select Use this passphrase. Type and confirm the passphrase.
2. Click Next.
   The Direct the flow of Internet traffic page appears.

1. Select Yes, force all Internet traffic to flow through the tunnel..
   This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
   
2. Click Next.
   The Identify the resources accessible through the tunnel page appears.

For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.

1. Click Next.
   The Create the virtual IP address pool page appears.

1. To add one IP address or an IP address range, click Add.
   To add more virtual IP addresses, repeat this step.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

1. Click Next.
2. To add users to the new Mobile VPN with IPSec group, select the Add users check box.
3. Click Finish.
   The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.

Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the VPN client on the macOS or iOS device.

1. In the Mobile VPN with IPSec Configuration dialog box, select the configuration you just added.
2. Click Edit.
   The Edit Mobile VPN with IPSec dialog box appears.
3. Select the IPsec Tunnel tab.

1. From the Authentication drop-down list, select an authentication method.
2. From the Encryption drop-down list, select an encryption method.
3. Click the Advanced button in the Phase 1 Settings section.
   The Phase1 Advanced Settings dialog box appears.

1. Set the SA Life to 1 hour.
   

The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.

To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.

1. From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.
2. Do not change any of the other Phase 1 Advanced Settings.
3. Click OK.
4. In the Phase 2 Settings section, click Proposal.

1. From the Authentication drop-down list, select MD5 or SHA1.
   SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
2. From the Encryption drop-down list, select an encryption method.
   
3. Set the Force Key Expiration to 1 hour and 0 kilobytes.
4. In the Force Key Expiration settings, set the expiration Time to 1 hours.
5. In the Force Key Expiration settings, clear the Traffic check box.
6. Click OK.
7. In the Edit Mobile VPN with IPSec dialog box, clear the PFS check box.
   Perfect Forward Secrecy is not supported by the VPN client on the iOS device.

1. Click the Advanced tab.
2. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

1. Click OK.
2. Save the configuration file to your Firebox.

Make sure that the macOS or iOS users are members of the authentication group you selected.

Next, you add the settings you configured on your Firebox to the VPN client settings on the macOS or iOS device.

Configure the VPN Client on an iOS Device

To manually configure the VPN client settings on the iOS device:

1. Select Settings > General > VPN > Add VPN Configuration.
2. Configure these settings in the VPN client:
   • Type — IPSec
   • Server — The external IP address of the Firebox
   • Account — The user name on the authentication server
     Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
   • Password — The password for the user on the authentication server
   • Use Certificate — Set this option to OFF
   • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
   • Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration

After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.

To enable or disable the VPN client, click the VPN switch. When a VPN connection is established, the VPN icon appears in the status bar.

The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not have to retype the password each time the VPN client reconnects. If users do not save their passwords, they must type the password each time the client reconnects.

The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store.

Configure the VPN Client on a macOS Device

The Firebox does not generate a client configuration file for the VPN client on the macOS device. The user must manually configure the VPN client settings to match the settings configured on the Firebox.

To configure the VPN settings on the macOS device:

1. Open System Preferences and select Network.
2. Click + at the bottom of the list to add a new interface. Configure these settings:
   • Interface — VPN
   • VPN Type — Cisco IPSec
   • Service Name — Type the name to use for this connection
3. Click Create.
   The new VPN interface appears in the list of network interfaces.
4. Select the new interface in the list. Edit these settings:
   • Server Address — The external IP address of the Firebox
   • Account Name — The user name on the authentication server
     Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
   • Password — The password for the user on the authentication server
5. Click Authentication Settings. Configure these settings:
   • Shared Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
   • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
6. To add the VPN status icon to the macOS menu bar, select the Show VPN status in menu bar check box .
7. Click Connect to start the VPN tunnel.
   

After you apply these settings, a VPN status icon appears in the menu bar of the macOS device.

To start or stop the VPN client connection, click the VPN status icon.

See Also

This topic describes common problems and solutions for Mobile VPN with SSL:

Download Issues

If users cannot download the Mobile VPN with SSL client from the Firebox:

• Make sure users connect to your Firebox with the correct URL and port number. In the Mobile VPN with SSL configuration, the Configuration Channel setting specifies the port number for client downloads. If you keep the default port number (443), make sure users connect tohttps://[Firebox IP address]/sslvpn.html to download the Mobile VPN with SSL client.
• If you specify a configuration channel port other then 443, make sure that users connect to https://[Firebox IP address]:[port]/sslvpn.html to download the Mobile VPN with SSL client.
• Make sure you have not disabled the Mobile VPN with SSL software downloads page hosted by the Firebox. If you disable this page, users cannot download the Mobile VPN with SSL client from the Firebox. For more information about the CLI command that disables the download page, see Plan Your Mobile VPN with SSL Configuration.

If users still cannot download the Mobile VPN with SSL client from the Firebox:

• Users can download the client from the WatchGuard software downloads page.
• You can manually distribute the client software and updated configuration file to users. For more information, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.

If users have installed the Mobile VPN with SSL client but cannot download an updated configuration:

• If the error 'Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?' appears, tell users to click Yes to make a VPN connection unless you have changed the Mobile VPN with SSL settings in your Firebox configuration. If users click Yes, the client does not automatically receive configuration changes. If you change the Mobile VPN with SSL configuration on the Firebox, you must manually distribute the update to users who cannot download it from the Firebox.

In Fireware versions lower than v11.x, the authentication and client configuration port is 4100.

Installation Issues

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

The Firebox has version requirements for TLS connections:

SSL VPN client connections

In Fireware v12.5.4 or higher, the Firebox requires the SSL VPN client to support TLS 1.2 or higher.

In earlier Fireware v12 releases, the Firebox requires the SSL VPN client to support TLS 1.1 or higher.

SSL VPN client download page

In Fireware v12.5.5 or higher, to download the client from the Firebox, your browser must support TLS 1.2 or higher. In earlier Fireware v12 releases, to download the client from the Firebox, your browser must support TLS 1.1 or higher.

To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.

In macOS 10.15 (Catalina) or higher, you must install v12.5.2 or higher of the WatchGuard Mobile VPN with SSL client. For more compatibility information, see the Fireware Release Notes.

Upgrade Issues

To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.

• If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
• If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.

In Fireware v12.5.3 or higher, if the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message appears that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not appear if a major version update is available.

In Fireware v12.5.2 or lower, if the client automatically detects that an upgrade is available, a message appears that asks you to upgrade. However, if you do not have administrator privileges, you cannot upgrade the client.

Connection Issues

This log message indicates that the client cannot make an HTTPS connection to the IP address specified in the Server text box in the Mobile VPN with SSL client. Confirm that the policy configuration on the Firebox allows connections from Any-External to Firebox, and that no other policy handles traffic from the IP addresses you configured as the virtual IP address pool for Mobile VPN with SSL.

If you specify a TCP port other than 443 as the Configuration Channel in the Mobile VPN with SSL settings, mobile users must specify the port number as part of the address in the Server text box in the Mobile VPN with SSL client. For example, if the port is TCP 444, specify 203.0.113.2:444 on the client.

In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed as the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

If the operating system on your computer does not support TLS 1.2, or TLS 1.2 or higher is not enabled, you might see this error message. In Fireware v12.5.4 or higher, Mobile VPN with SSL requires TLS 1.2 or higher. To avoid security vulnerabilities in TLS 1.1 or lower, we recommend that you disable TLS 1.1 or lower and only enable TLS 1.2 or higher.

Some older operating systems do not support TLS 1.2 or higher. For more information about TLS in older operating systems, see Mobile VPN with SSL connections fail from some versions of Windows and macOS in the WatchGuard Knowledge Base.

This problem can be caused by a static NAT (SNAT) action for inbound HTTPS traffic, or it can be a problem with client authentication.

When the Firebox receives an HTTPS request, it could forward that request to an internal server if your configuration includes an HTTPS policy with a static NAT action. If this occurs for traffic from the Mobile VPN with SSL client, the client fails to connect and an authentication failure message appears:

(SSLVPN authentication failed) Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?

Check your configuration to make sure that a policy does not forward HTTPS requests on the port used by the Mobile VPN with SSL client to another server.

This authentication error message could also indicate a problem with authentication.

1. From the Authentication drop-down list, select SHA1.
   SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
2. From the Encryption drop-down list, select an encryption method.
3. In the Force Key Expiration settings, set the expiration Time to 1 hours.
4. In the Force Key Expiration settings, clear the Traffic check box.
5. Click OK.
6. Select the Resources tab.
7. Select the Allow All Traffic Through Tunnel check box.
   This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
8. In the Virtual IP Address Pool list, add the internal IP addresses that are used by Mobile VPN users over the tunnel.
   To add an IP address or a network IP address to the virtual IP address pool, select Host IP or Network IP, type the address, and click Add.

The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The IP addresses in the virtual IP address pool cannot be used for anything else on your network.

1. Select the Advanced tab.
2. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

1. Click Save.

Make sure that you add all VPN users to the authentication group you selected.

For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.

First, use the Mobile VPN with IPSec Wizard to configure the basic settings:

1. Select VPN > Mobile VPN > IPSec.
   The Mobile VPN with IPSec Configuration dialog box appears.
2. Click Add.
   The Add Mobile VPN with IPSec Wizard appears.
3. Click Next.
   The Select a user authentication server page appears.

1. From the Authentication Server drop-down list, select an authentication server.

You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.

1. In the Group Name text box, type the name of the authentication group your macOS or iOS device users belong to.

You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.

If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.

1. Click Next.
   The Select a tunnel authentication method page appears.

1. Select Use this passphrase. Type and confirm the passphrase.
2. Click Next.
   The Direct the flow of Internet traffic page appears.

1. Select Yes, force all Internet traffic to flow through the tunnel..
   This configures the tunnel for default-route VPN. The VPN client on the macOS or iOS device does not support split tunneling.
   
2. Click Next.
   The Identify the resources accessible through the tunnel page appears.

For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.

1. Click Next.
   The Create the virtual IP address pool page appears.

1. To add one IP address or an IP address range, click Add.
   To add more virtual IP addresses, repeat this step.

Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.

The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.

1. Click Next.
2. To add users to the new Mobile VPN with IPSec group, select the Add users check box.
3. Click Finish.
   The Mobile VPN configuration you created appears in the Mobile VPN with IPSec Configuration dialog box.

Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the VPN client on the macOS or iOS device.

1. In the Mobile VPN with IPSec Configuration dialog box, select the configuration you just added.
2. Click Edit.
   The Edit Mobile VPN with IPSec dialog box appears.
3. Select the IPsec Tunnel tab.

1. From the Authentication drop-down list, select an authentication method.
2. From the Encryption drop-down list, select an encryption method.
3. Click the Advanced button in the Phase 1 Settings section.
   The Phase1 Advanced Settings dialog box appears.

1. Set the SA Life to 1 hour.
   

The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.

To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.

1. From the Key Group drop-down list, select Diffie-Hellman Group 14 or Diffie-Hellman Group 2.
2. Do not change any of the other Phase 1 Advanced Settings.
3. Click OK.
4. In the Phase 2 Settings section, click Proposal.

1. From the Authentication drop-down list, select MD5 or SHA1.
   SHA2 is not supported for Phase 2 for Mobile VPN with IPSec connections from macOS and iOS devices.
2. From the Encryption drop-down list, select an encryption method.
   
3. Set the Force Key Expiration to 1 hour and 0 kilobytes.
4. In the Force Key Expiration settings, set the expiration Time to 1 hours.
5. In the Force Key Expiration settings, clear the Traffic check box.
6. Click OK.
7. In the Edit Mobile VPN with IPSec dialog box, clear the PFS check box.
   Perfect Forward Secrecy is not supported by the VPN client on the iOS device.

1. Click the Advanced tab.
2. (Fireware v12.2.1 or higher) Configure the DNS settings:

Assign the network DNS/WINS settings to mobile clients

If you select this option, mobile clients receive the DNS and WINS settings you specify at Network > Interfaces > DNS/WINS. For example, if you specify the DNS server 10.0.2.53in the Network DNS/WINS settings, mobile VPN clients use 10.0.2.53as a DNS server.

By default, the Assign the Network DNS/WINS Server settings to mobile clients setting is selected for new mobile VPN configurations.

Do not assign DNS or WINS settings to mobile clients

If you select this option, clients do not receive DNS or WINS settings from the Firebox.

Assign these settings to mobile clients

If you select this option, mobile clients receive the domain name, DNS server, and WINS server settings you specify in this section. For example, if you specify example.com as the domain name and 10.0.2.53 as the DNS server, mobile clients use example.com for unqualified domain names and 10.0.2.53 as the DNS server.

You can specify one domain name, up to two DNS server IP addresses, and up to two WINS server IP addresses.

For more information about DNS and WINS server settings for Mobile VPN with IPSec users, see Configure DNS and WINS Servers for Mobile VPN with IPSec.

1. Click OK.
2. Save the configuration file to your Firebox.

Make sure that the macOS or iOS users are members of the authentication group you selected.

Next, you add the settings you configured on your Firebox to the VPN client settings on the macOS or iOS device.

Configure the VPN Client on an iOS Device

To manually configure the VPN client settings on the iOS device:

1. Select Settings > General > VPN > Add VPN Configuration.
2. Configure these settings in the VPN client:
   • Type — IPSec
   • Server — The external IP address of the Firebox
   • Account — The user name on the authentication server
     Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
   • Password — The password for the user on the authentication server
   • Use Certificate — Set this option to OFF
   • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
   • Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration

After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.

To enable or disable the VPN client, click the VPN switch. When a VPN connection is established, the VPN icon appears in the status bar.

The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not have to retype the password each time the VPN client reconnects. If users do not save their passwords, they must type the password each time the client reconnects.

The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store.

Configure the VPN Client on a macOS Device

The Firebox does not generate a client configuration file for the VPN client on the macOS device. The user must manually configure the VPN client settings to match the settings configured on the Firebox.

To configure the VPN settings on the macOS device:

1. Open System Preferences and select Network.
2. Click + at the bottom of the list to add a new interface. Configure these settings:
   • Interface — VPN
   • VPN Type — Cisco IPSec
   • Service Name — Type the name to use for this connection
3. Click Create.
   The new VPN interface appears in the list of network interfaces.
4. Select the new interface in the list. Edit these settings:
   • Server Address — The external IP address of the Firebox
   • Account Name — The user name on the authentication server
     Specify the user name only. Do not preface the user name with a domain name and do not specify an email address.
   • Password — The password for the user on the authentication server
5. Click Authentication Settings. Configure these settings:
   • Shared Secret — The tunnel passphrase you set in the Firebox Mobile VPN with IPSec configuration
   • Group Name — The group name you chose in the Firebox Mobile VPN with IPSec configuration
6. To add the VPN status icon to the macOS menu bar, select the Show VPN status in menu bar check box .
7. Click Connect to start the VPN tunnel.
   

After you apply these settings, a VPN status icon appears in the menu bar of the macOS device.

To start or stop the VPN client connection, click the VPN status icon.

See Also

This topic describes common problems and solutions for Mobile VPN with SSL:

Download Issues

If users cannot download the Mobile VPN with SSL client from the Firebox:

• Make sure users connect to your Firebox with the correct URL and port number. In the Mobile VPN with SSL configuration, the Configuration Channel setting specifies the port number for client downloads. If you keep the default port number (443), make sure users connect tohttps://[Firebox IP address]/sslvpn.html to download the Mobile VPN with SSL client.
• If you specify a configuration channel port other then 443, make sure that users connect to https://[Firebox IP address]:[port]/sslvpn.html to download the Mobile VPN with SSL client.
• Make sure you have not disabled the Mobile VPN with SSL software downloads page hosted by the Firebox. If you disable this page, users cannot download the Mobile VPN with SSL client from the Firebox. For more information about the CLI command that disables the download page, see Plan Your Mobile VPN with SSL Configuration.

If users still cannot download the Mobile VPN with SSL client from the Firebox:

• Users can download the client from the WatchGuard software downloads page.
• You can manually distribute the client software and updated configuration file to users. For more information, see Manually Distribute and Install the Mobile VPN with SSL Client Software and Configuration File.

If users have installed the Mobile VPN with SSL client but cannot download an updated configuration:

• If the error 'Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?' appears, tell users to click Yes to make a VPN connection unless you have changed the Mobile VPN with SSL settings in your Firebox configuration. If users click Yes, the client does not automatically receive configuration changes. If you change the Mobile VPN with SSL configuration on the Firebox, you must manually distribute the update to users who cannot download it from the Firebox.

In Fireware versions lower than v11.x, the authentication and client configuration port is 4100.

Installation Issues

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

The Firebox has version requirements for TLS connections:

SSL VPN client connections

In Fireware v12.5.4 or higher, the Firebox requires the SSL VPN client to support TLS 1.2 or higher.

In earlier Fireware v12 releases, the Firebox requires the SSL VPN client to support TLS 1.1 or higher.

SSL VPN client download page

In Fireware v12.5.5 or higher, to download the client from the Firebox, your browser must support TLS 1.2 or higher. In earlier Fireware v12 releases, to download the client from the Firebox, your browser must support TLS 1.1 or higher.

To install the Mobile VPN with SSL client on macOS, you must have administrator privileges.

In macOS 10.15 (Catalina) or higher, you must install v12.5.2 or higher of the WatchGuard Mobile VPN with SSL client. For more compatibility information, see the Fireware Release Notes.

Upgrade Issues

To upgrade the Mobile VPN with SSL Windows client, you must have administrator privileges.

• If a minor version update is available, but you cannot update the client version, you can still connect to the VPN tunnel.
• If a major version update is available, but you cannot update the client version, you cannot connect to the VPN tunnel.

In Fireware v12.5.3 or higher, if the client automatically detects that an upgrade is available, but you do not have administrator privileges, a message appears that tells you to contact your system administrator for assistance. If a minor version update is available, you can select the Don't show this message again check box. This check box does not appear if a major version update is available.

In Fireware v12.5.2 or lower, if the client automatically detects that an upgrade is available, a message appears that asks you to upgrade. However, if you do not have administrator privileges, you cannot upgrade the client.

Connection Issues

This log message indicates that the client cannot make an HTTPS connection to the IP address specified in the Server text box in the Mobile VPN with SSL client. Confirm that the policy configuration on the Firebox allows connections from Any-External to Firebox, and that no other policy handles traffic from the IP addresses you configured as the virtual IP address pool for Mobile VPN with SSL.

If you specify a TCP port other than 443 as the Configuration Channel in the Mobile VPN with SSL settings, mobile users must specify the port number as part of the address in the Server text box in the Mobile VPN with SSL client. For example, if the port is TCP 444, specify 203.0.113.2:444 on the client.

In Fireware v12.1.x, settings shared by the Access Portal and Mobile VPN over SSL appear on a page named VPN Portal. The Configuration Data Channel for Mobile VPN with SSL was renamed as the VPN Portal port and appears in the VPN Portal settings. In Fireware v12.2, the VPN Portal settings moved to the Access Portal and Mobile VPN with SSL configurations. For configuration instructions that apply to Fireware v12.1.x, see Configure the VPN Portal settings in Fireware v12.1.x in the WatchGuard Knowledge Base.

If the operating system on your computer does not support TLS 1.2, or TLS 1.2 or higher is not enabled, you might see this error message. In Fireware v12.5.4 or higher, Mobile VPN with SSL requires TLS 1.2 or higher. To avoid security vulnerabilities in TLS 1.1 or lower, we recommend that you disable TLS 1.1 or lower and only enable TLS 1.2 or higher.

Some older operating systems do not support TLS 1.2 or higher. For more information about TLS in older operating systems, see Mobile VPN with SSL connections fail from some versions of Windows and macOS in the WatchGuard Knowledge Base.

This problem can be caused by a static NAT (SNAT) action for inbound HTTPS traffic, or it can be a problem with client authentication.

When the Firebox receives an HTTPS request, it could forward that request to an internal server if your configuration includes an HTTPS policy with a static NAT action. If this occurs for traffic from the Mobile VPN with SSL client, the client fails to connect and an authentication failure message appears:

(SSLVPN authentication failed) Could not download the configuration from the server. Do you want to try to connect using the most recent configuration?

Check your configuration to make sure that a policy does not forward HTTPS requests on the port used by the Mobile VPN with SSL client to another server.

This authentication error message could also indicate a problem with authentication.

To troubleshoot client authentication:

1. Connect to the Firebox.
2. Review the configuration for Mobile VPN with SSL.
3. Record the configured Primary and Backup IP addresses.
   The address can also be a domain name. If it is a domain name, confirm which IP address the domain name resolves to.
4. Record the configured Configuration channel TCP port.
   In Fireware v12.1.x, select Authentication > Configure and record the configured VPN Portal port. In Fireware v12.1.x, the configuration channel setting was named as the VPN Portal port.
5. In your web browser, type https:///sslvpn.html where is the Primary IP address in the Mobile VPN with SSL configuration. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon. For example, if the Configuration channel is TCP port 444, in the browser type https://:444/sslvpn.html.
   • If the WatchGuard Authentication Portal page for your Firebox appears, continue to Step 6.
   • If a page other than the WatchGuard Authentication Portal page appears, review your Firebox configuration to identify why the traffic was forwarded to this location. Consider a change to the configured IP address for the VPN.
6. On the WatchGuard Authentication Portal page, log in with client credentials.
   If more than one type of authentication is configured, or if your authentication server is not the default option, select the authentication server from the drop-down list.
   • If user authentication succeeds, continue to Step 7.
   • If user authentication fails, verify the user credentials on the Firebox, or the external authentication server. For users on an external authentication server, verify whether other users who use that server are able to log in. There may be a problem with authentication in general.
7. In your web browser, type https:///sslvpn.html. If the Configuration channel TCP port is not 443, add the port number to the address, separated by a colon.
   For example, if the Configuration channel is TCP port 444, type https://:444/sslvpn.html.
   The WatchGuard Authentication Portal appears.
8. Log in with the client credentials you used in Step 5.

If the user authentication fails on the Mobile VPN with SSL-specific authentication page, but the same credentials worked on the WatchGuard Authentication Portal page, the issue is almost certainly group membership. Confirm that the user is part of the configured group for Mobile VPN with SSL. By default, this group is SSLVPN-Users.

This message indicates an issue on the client computer. To troubleshoot on the client computer, verify that:

• The SSL VPN service is started
• The TAP driver is installed properly
• Another VPN client on the computer has not installed drivers that caused a conflict
• Security software such as anti-virus or firewall software does not block the TAP driver
• In Internet Explorer, in the Internet Options > Advanced settings, SSL 3.0 is not selected.

This issue can occur if a router or modem on the user's local network prevents return communication from the Firebox to the VPN client.

In Windows Device Manager, verify the status of the virtual adapter to make sure a local router or modem does not inspect, filter, or proxy the VPN traffic. You might have to adjust security settings on the local router or modem.

In Fireware v12.5 or higher, you must configure a RADIUS domain name. How much data does teamviewer use. If your Firebox configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, users must type RADIUS as the domain name. In this case, if users type a domain name other than RADIUS, authentication fails. For more information, see Download, Install, and Connect the Mobile VPN with SSL Client.

To troubleshoot mobile VPN connection issues related to TDR Host Sensor Enforcement, see Troubleshoot TDR Host Sensor Enforcement.

Issues After Connection

If the VPN client can connect to a resource by IP address but not by name, you must provide the client with the IP addresses of valid DNS or WINS servers that can resolve the destination name. When the client connects and receives a virtual IP address from the Firebox, it also receives the IP addresses for the DNS and WINS servers configured globally on the Firebox or in the Mobile VPN with SSL configuration.

When you configure Mobile VPN with SSL in Fireware v12.2.1 or higher, you can select to:

• Assign the client device the WINS server, DNS server, and DNS suffix configured in the Mobile VPN with SSL settings on the Firebox
• Assign the client device the WINS server, DNS server, and DNS suffix configured in the Network (global) DNS/WINS settings on the Firebox
• Assign no DNS or WINS settings to the client device

For information about how to configure WINS and DNS IP addresses, see Name Resolution for Mobile VPN with SSL.

For more information about global DNS settings on the Firebox, see Configure Network DNS and WINS Servers.

If users cannot use a single-part host name to connect to internal network resources, but can use a Fully Qualified Domain Name (FQDN) to connect, this indicates that the DNS suffix is not defined on the client. When you configure Mobile VPN with SSL in Fireware v12.2.1 or higher, you can select to:

• Assign the client device the WINS server, DNS server, and DNS suffix configured in the Mobile VPN with SSL settings on the Firebox
• Assign the client device the WINS server, DNS server, and DNS suffix configured in the Network (global) DNS/WINS settings on the Firebox
• Assign no DNS or WINS settings to the client device

A client without a DNS suffix assigned must use the entire DNS name to resolve the name to an IP address. For example, if your terminal server has a DNS name of RDP.example.net, users cannot type the address RDP to connect with their terminal server clients. Users must also type the DNS suffix example.net.

For more information about DNS for Mobile VPN with SSL, see Name Resolution for Mobile VPN with SSL.

For more information about global DNS settings on the Firebox, see Configure Network DNS and WINS Servers.

In Fireware v12.2 or lower, if you do not configure WINS and DNS settings in the Mobile VPN with SSL configuration, the SSL VPN client is assigned the Network (global) DNS/WINS settings. This includes the DNS server, WINS server, and domain suffix. If you specify a DNS suffix in the Network (global) WINS/DNS settings for the Firebox, but do not specify a DNS suffix in the Mobile VPN with SSL settings, the VPN client does not receive the DNS suffix unless all other DNS and WINS settings in the Mobile VPN with SSL configuration are also not configured.

If client traffic through the Mobile VPN with SSL connection is denied as unhandled, the problem is almost always related to group membership. By default, Mobile VPN with SSL requires that a user be a member of a group called SSLVPN-Users. If you use a RADIUS, SecurID, or VASCO server, the group membership must be returned as the Filter-ID attribute.

For more information about how to configure external authentication servers, see Configure the External Authentication Server.

If you configure Mobile VPN with SSL to send all traffic through the tunnel, but Office 365 traffic does not go through the tunnel, you have these options:

Watchguard Vpn Client

• Enable the default-route-client option in the Fireware CLI (Fireware v12.5.3 or higher)
• Manually configure a default gateway on the client
• Use a different Fireware mobile VPN method

For more information, and to configure the first two solutions, see Office 365 fails for Mobile VPN with SSL users in the WatchGuard Knowledge Base.

If you select Routed VPN traffic in the Mobile VPN with SSL network settings, the Firebox routes traffic from Mobile VPN with SSL clients to allowed networks and resources.

Make sure that users have v11.10 or higher of the Mobile VPN with SSL client. The Mobile VPN with SSL client v11.10 and higher supports more than 24 routes. Previous versions of the Mobile VPN with SSL client support a maximum of 24 routes.

For users with Mobile VPN with SSL client v11.9.x and lower, your configuration must include fewer than 24 routes to resources for the Mobile VPN with SSL client. If the total number of networks or allowed resources exceeds 24, the VPN client cannot route traffic to all of the allowed resources. For users with Mobile VPN with SSL client v11.9.x and lower, your Mobile VPN with SSL configuration might include too many routes if:

• In the Mobile VPN with SSL configuration, you select Allow access to networks connected through Trusted, Optional, and VLANs, and you have more than 24 resources in the Allowed Resources list.
• In the Mobile VPN with SSL configuration, you selected Specify allowed resources, and added more than 24 resources.

Watchguard Mobile Vpn

The WINS and DNS settings can also add up to five additional routes to the total if two DNS servers, two WINS servers, and a domain suffix are all configured. This further reduces the number of allowed resources the client can route to.

To reduce the number of routes, you can specify allowed resources in a way that generates fewer routes. To do this, select Specify allowed resources and then use supernets to specify the allowed resources as fewer entries. For example, if your Allowed Resources list includes the resources 192.168.1.0/24, 192.168.25.0/24, and 192.168.26.0/24, you can express this as a single resource, 192.168.0.0/22, which includes all addresses from 192.168.1.0 to 192.168.31.255.

Watchguard Ipsec Mobile Vpn Client For Macos

For more information about how to specify resources for Mobile VPN with SSL, see Manually Configure the Firebox for Mobile VPN with SSL.

When you enable Mobile VPN with SSL, the Allow SSLVPN-Users policy is automatically created to allow traffic from the clients to internal or external network resources. If you disable or remove this policy, clients cannot send traffic to internal or external networks.

To solve this problem, make sure that the policy exists and allows traffic to network resources.

For more information about the this policy, see Manually Configure the Firebox for Mobile VPN with SSL and Options for Internet Access Through a Mobile VPN with SSL Tunnel.

If your VPN clients can connect to some but not all parts of the network, or traffic otherwise fails when log messages show traffic is allowed, this can indicate a routing problem. Confirm that each of these items is true:

• The virtual IP address pool for Mobile VPN with SSL clients does not overlap with any IP addresses assigned to internal network users.
• The virtual IP address pool does not overlap or conflict with any other routed or VPN networks configured on the Firebox.
• If the Mobile VPN with SSL users must access a routed or VPN network, the hosts in that routed or VPN network must have a valid route to the virtual IP address pool, or the Firebox must be the default route to the Internet for those hosts.

For more information about how to configure the IP address pool, see Manually Configure the Firebox for Mobile VPN with SSL.

We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.

Watchguard Vpn Download Mac

Determine whether the issue affects some or all VPN users. If the issue affects only some of your VPN users or affects users at a specific location:

Watchguard Mobile Vpn Client Mac Os

• Make sure any firewalls at the user's location allow the VPN connection.
• Determine whether affected users have an uncommon subnet that overlaps with the network behind your Firebox.

If the issue affects most or all of your users, determine whether the network behind your Firebox has a subnet commonly used for home networks.

We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.

If you cannot connect to network resources through an established VPN tunnel, see Troubleshoot Network Connectivity for information about other steps you can take to identify and resolve the issue.

Watchguard Ipsec Mobile Vpn Client For Mac

See Also