WatchGuard® Mobile VPN with IPSec Administrator Guide WatchGuard Mobile VPN v10.
Notice to Users Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright© 1998 - 2007 WatchGuard Technologies, Inc. All rights reserved.
1 Configure the Firebox X Edge to use Mobile VPN with IPSec The WatchGuard® Mobile VPN with IPSec client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network through an unsecured network. The Mobile VPN client uses Internet Protocol Security (IPSec) to secure the connection.
Enabling Mobile VPN for a Firebox User Account The Firebox X Edge creates a .wgx file for a user when a Firebox user’s account is configured for Mobile VPN, as described in this chapter. If you want to lock the profiles for mobile users by making them read-only, see “Configuring Global Mobile VPN Client Settings” on page 3.
Configuring Global Mobile VPN Client Settings 10 Set MUVPN key expiration in kilobytes and/or hours. The default values are 8192 KB and 24 hours. To remove a size and/or time expiration, set the value to zero (0). 11 Make sure the VPN Client Type drop-down list is set to Mobile User. This is true whether you use a Windows desktop, laptop, or handheld PC. 12 Select the All traffic uses tunnel (0.0.0.
Distributing the Software and Profiles 1 You can choose to make the .wgx file read-only so that the user cannot change the security policy file. To do this, select the Make the MUVPN client security policy read-only check box. 2 Mobile VPN clients use shared Windows Internet Naming Service (WINS) and Domain Name System (DNS) server addresses. DNS changes host names into IP addresses, while WINS changes NetBIOS names to IP addresses. The trusted interface of the Edge must have access to these servers.
Distributing the Software and Profiles • The end-user profile This file contains the user name, shared key, and settings that enable a remote computer to connect securely over the Internet to a protected, private computer network. For information on how to get the profile from the Edge, see “Get the user’s .wgx file” on page 3.
2 Using Fireware Policy Manager to Configure Mobile VPN with IPSec The WatchGuard® Mobile VPN with IPSec client is a software application that is installed on a remote computer. The client makes a secure connection from the remote computer to your protected network through an unsecured network. The Mobile VPN client uses Internet Protocol Security (IPSec) to secure the connection.
About Mobile VPN Client Configuration Files With Mobile VPN with IPSec, the network security administrator controls end-user profiles. Policy Manager is used to set the name of the end user and create a client configuration file, or profile, with the file extension .wgx. The .wgx file contains the shared key, user identification, IP addresses, and settings that are used to create a secure tunnel between the remote computer and the Firebox®.
Configuring the Firebox for Mobile VPN 3 Use the instructions provided here to go through each screen of the wizard. Click Next after each step. 4 Select a user authentication server Select an authentication server from the Authentication Server drop-down list. You can authenticate users with the internal Firebox database (Firebox-DB) or with a RADIUS, SecurID, LDAP, or Active Directory server.
Configuring the Firebox for Mobile VPN 6 Direct the flow of Internet traffic: Select an option for Internet traffic. You can allow all Internet traffic between the Mobile VPN client and the Internet to use the ISP of the client, or you can make all Internet traffic use the VPN tunnel. If you choose to force all Internet traffic to go through the tunnel, more processing power and bandwidth on the Firebox is used. However, the configuration is more secure.
Configuring the Firebox for Mobile VPN 8 Create the virtual IP address pool: Click Add to add one IP address or an IP address range. Repeat this step to add more virtual IP addresses. Mobile VPN users will be assigned one of these IP addresses when they connect to your network. The number of IP addresses should be the same as the number of Mobile VPN users. If High Availability is configured, you must add two virtual IP addresses for each Mobile VPN user.
Modifying an Existing Mobile VPN Profile Adding Users to a Firebox Mobile VPN Group To create a Mobile VPN tunnel with the Firebox, remote users type their user name and password to authenticate. WatchGuard® System Manager software uses this information to authenticate the user to the Firebox®. To authenticate, users must be part of the group entered in the Add Mobile User VPN Wizard. If you use Firebox authentication, use the instructions below.
Modifying an Existing Mobile VPN Profile 3 Click Edit. The Edit MUVPN Extended Authentication Group dialog box appears. Use the following fields to edit the group profile: Authentication Server Select the authentication server to use for this Mobile VPN group. To configure your authentication server, select Setup > Authentication > Authentication Servers from the menu bar in Policy Manager. Passphrase Type a passphrase to encrypt the Mobile VPN profile (.
Modifying an Existing Mobile VPN Profile timeouts for the Mobile VPN group are always ignored because you set timeouts in the individual Firebox user accounts. The session and idle timeouts cannot be longer than the value in the SA Life field. To set this field, from the IPSec Tunnel tab of the Edit MUVPN Extended Authentication Group dialog box, click Advanced. The default value is 8 hours. 4 Click the IPSec Tunnel tab.
Modifying an Existing Mobile VPN Profile Phase2 Settings Select the proposal and key expiration settings for the Mobile VPN tunnel. You can also enable Perfect Forward Secrecy (PFS) or set the Diffie-Hellman group. To change other proposal settings, click the Proposal button, and see the procedure described in “Defining advanced Phase 2 settings” on page 16. 6 Click the Resources tab.
Modifying an Existing Mobile VPN Profile Defining advanced Phase 1 settings To define advanced Phase 1 settings for a Mobile VPN user profile: 1 From the IPSec Tunnel tab of the Edit MUVPN Extended Authentication Group dialog box, select Advanced. The Phase1 Advanced Settings dialog box appears.
Configuring WINS and DNS Servers 2 From the Type drop-down list, select ESP or AH as the proposal method. Only ESP is supported at this time. 3 From the Authentication drop-down list, select SHA1 or MD5 for the authentication method. 4 From the Encryption drop-down list, select the encryption method. The options are None, DES, 3DES, and AES 128, 192, or 256 bit, listed from the simplest and least secure to the most complex and most secure. Select AES with SHA1 unless a peer cannot support it: None sends tunnel traffic in clear text (integrity-protected only), and DES and MD5 are obsolete and no longer considered secure.
Locking Down an End-User Profile You can use the advanced settings to lock down the end-user profile so that users can see some settings but not change them, and hide other settings so that users cannot change them. We recommend that you lock down all profiles so that users cannot make changes to their profile. 1 On the Mobile User VPN tab, click Advanced. The Advanced Export File Preferences dialog box appears.
Configuring Policies to Filter Mobile VPN Traffic In a default configuration, Mobile VPN with IPSec users have full access privileges through a Firebox®, with the Any policy. To put limits on Mobile VPN users, you must add policies to the MUVPN tab in Policy Manager. Add individual policies 1 In Policy Manager, click the MUVPN tab. 2 From the Show drop-down list, select the name of the Mobile VPN group for which you are adding a policy.
Re-creating End-User Profiles Under MUVPN Group, Policy Manager displays the authentication server, in parentheses, for the Mobile VPN group. Using the Any Policy The Any policy is added to all Mobile VPN user groups by default. The Any policy allows traffic on all ports and protocols between the Mobile VPN user and the Remote Networks available through the Mobile VPN tunnel.
Distributing the Software and Profiles WatchGuard® recommends distributing end-user profiles by encrypted email or with some other secure method. Each client computer must have: • Software installation package The packages are located on the WatchGuard LiveSecurity® Service web site at: http://www.watchguard.com/support Log in to the site using your LiveSecurity Service user name and password.
Additional Mobile VPN Topics Terminating IPSec connections To fully stop VPN connections, the Firebox must be restarted. Removing the IPSec policy does not stop current connections. Global VPN settings Global VPN settings on your Firebox apply to all manual BOVPN tunnels, managed tunnels, and Mobile VPN tunnels. You can use these settings to: • Enable IPSec pass-through. • Clear or maintain the settings of packets with Type of Service (TOS) bits set. • Use an LDAP server to verify certificates.
3 Mobile VPN Client Installation and Connection The WatchGuard® Mobile VPN with IPSec client is installed on an employee computer, whether the employee travels or works from home. The employee uses a standard Internet connection and activates the Mobile VPN client. The Mobile VPN client then creates an encrypted tunnel to your trusted and optional networks, which are protected by a WatchGuard Firebox®.
Installing the Mobile VPN with IPSec Client > Windows Firewall > Change Settings > Exceptions) for UDP port 4500, the IPSec NAT Traversal (NAT-T) port. This lets Mobile VPN keep-alive packets from the Firebox® reach your client and keep the VPN tunnel up. • We recommend that you make sure all available service packs are installed before you install the Mobile VPN client software. • WINS and DNS settings for the Mobile VPN client are taken from the client profile you import when you set up your Mobile VPN client.
Installing the Mobile VPN with IPSec Client Importing the end-user profile When the computer restarts, the WatchGuard Mobile VPN Connection Monitor dialog box opens. When the software starts for the first time after you install it, you get this message: There is no profile for the VPN dial-up! Do you want to use the Configuration Assistant for generating a profile now? Click No. See the next section for instructions on how to import a client profile.
Connecting the Mobile VPN Client If the password you use is your password on an Active Directory or LDAP server and you choose to store it, the stored password becomes invalid when it changes on the authentication server. 7 Click Finish. The computer is now ready to use Mobile VPN with IPSec. Selecting a certificate and entering the PIN If you use certificates for authentication, you must select the correct certificate for the connection. 1 Select Configuration > Certificates.
Connecting the Mobile VPN Client Start your connection to the Internet through a Dial-Up Networking connection or LAN connection. Then, use the instructions below or select your profile, connect, and disconnect by right-clicking the Mobile VPN icon on your Windows toolbar. 1 From your Windows desktop, select Start > All Programs > WatchGuard Mobile VPN > Mobile VPN Monitor. 2 From the Profile drop-down list, select the name of the profile you created for your Mobile VPN connections to the Firebox.
Seeing Mobile VPN Log Messages 4 Use the Connection Mode drop-down list to set the connection behavior you want for this profile. - Manual - When you select manual connection mode, the client does not try to restart the VPN tunnel automatically if the VPN tunnel goes down. To restart the VPN tunnel, you must click the Connect button in Connection Monitor or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
Securing Your Computer with the Mobile VPN Firewall The WatchGuard® Mobile VPN with IPSec client includes two firewall components: Link firewall The link firewall is not enabled by default. When the link firewall is enabled, your computer discards unsolicited packets received from other computers; because it is a stateful inspection filter, replies to connections your computer starts are still accepted. You can choose to enable the link firewall only when a Mobile VPN tunnel is active, or enable it all the time.
4 From the Stateful Inspection drop-down list, select when connected or always. If you select when connected, the link firewall operates only when the VPN tunnel is active for this profile. If you select always, the link firewall is always active, whether the VPN tunnel is active or not. 5 Click OK. About the desktop firewall When you enable a rule in your firewalls, you must specify what type of network the rule applies to.
3 Define friendly networks and create firewall rules as described in the subsequent sections. Defining friendly networks Use the Friendly Networks tab to define specific known networks for which you want to generate a firewall rule set.
To create a rule, click New. Use the four tabs in the Firewall Rule Entry dialog box to define the traffic you want to control. Each tab is described below. General tab On the General tab, you define the basic properties of your rule. Rule Name Type a descriptive name for this rule. For example, you might create a rule called “Web surfing” that includes traffic on TCP ports 80 (HTTP), 8080 (alternate HTTP), and 443 (HTTPS).
Local tab Use the Local tab to define the local IP address and ports that are controlled by this rule, if any. We recommend that, in any rule, you configure the Local IP Addresses setting to enable the Any IP address radio button. If you are configuring an incoming policy, you can add the ports to control with this policy in the Local Ports settings. If you want to control more than one port in the same policy, select Several Ports or Ranges.
Remote tab Use the Remote tab to define the remote IP address or addresses and ports that are controlled by this rule, if any. For example, if your firewall is set to deny all traffic and you want to create a rule to allow outgoing POP3 connections, you would add the IP address of your POP3 server as an Explicit IP Address in the Remote IP Addresses section. Then, in the Remote Ports section, specify port 110 as an Explicit Port for this rule.
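The rule fields described on the General, Local and Remote tabs, as an added illustration that is not WatchGuard code and does not reproduce the client's own rule engine: a small Python model of a default-deny desktop firewall that evaluates constructed connections against a “Web surfing” rule and a POP3 rule like the ones above, plus a rule scoped to friendly networks only. The addresses (192.0.2.25 as the POP3 server, 10.0.0.0/8 as the office network, 192.168.100.0/24 as the virtual IP pool) and the network-kind names are assumptions made for the example.

```python
"""Model of a default-deny desktop firewall rule set for a VPN client.

Added example, not WatchGuard code. Field names follow the guide's tabs
(direction, local ports, remote addresses/ports, network kind); the real
client's rule engine is not reproduced here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Kinds of network a rule can be limited to (names are assumptions).
FRIENDLY, VPN, UNKNOWN = "friendly", "vpn", "unknown"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str            # "outgoing" or "incoming"
    protocol: str             # "tcp" or "udp"
    local_ports: tuple = ()   # () = any; ints or (lo, hi) ranges
    remote_nets: tuple = ()   # () = any; CIDR strings
    remote_ports: tuple = ()  # () = any; ints or (lo, hi) ranges
    networks: tuple = (FRIENDLY, VPN, UNKNOWN)  # where the rule applies
    action: str = "allow"


@dataclass(frozen=True)
class Connection:
    direction: str
    protocol: str
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int


def classify_network(local_addr, friendly_nets, vpn_pool):
    """Decide which kind of network the local adapter address belongs to."""
    ip = ip_address(local_addr)
    if any(ip in ip_network(n) for n in vpn_pool):
        return VPN
    if any(ip in ip_network(n) for n in friendly_nets):
        return FRIENDLY
    return UNKNOWN


def _port_ok(port, spec):
    if not spec:
        return True  # "any" port
    for item in spec:
        if isinstance(item, tuple):
            lo, hi = item
            if lo <= port <= hi:
                return True
        elif port == item:
            return True
    return False


def _net_ok(addr, nets):
    if not nets:
        return True  # "any" address
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in nets)


def evaluate(rules, conn, friendly_nets=(), vpn_pool=()):
    """Return (action, rule name) for the first matching rule, else default deny."""
    kind = classify_network(conn.local_addr, friendly_nets, vpn_pool)
    for r in rules:
        if kind not in r.networks:
            continue
        if r.direction != conn.direction or r.protocol != conn.protocol:
            continue
        if not _port_ok(conn.local_port, r.local_ports):
            continue
        if not _net_ok(conn.remote_addr, r.remote_nets):
            continue
        if not _port_ok(conn.remote_port, r.remote_ports):
            continue
        return r.action, r.name
    return "deny", None  # firewall set to deny all traffic not explicitly allowed


# Constructed rule set mirroring the guide's two examples (local IP = Any).
MAIL_SERVER = "192.0.2.25"  # assumed POP3 server address
RULES = (
    Rule("Web surfing", "outgoing", "tcp", remote_ports=(80, 8080, 443)),
    Rule("POP3 to mail server", "outgoing", "tcp",
         remote_nets=(MAIL_SERVER + "/32",), remote_ports=(110,)),
    Rule("File sharing on office LAN", "incoming", "tcp",
         local_ports=(445,), networks=(FRIENDLY,)),
)
FRIENDLY_NETS = ("10.0.0.0/8",)      # assumed office network
VPN_POOL = ("192.168.100.0/24",)     # assumed virtual IP address pool


def demo():
    """Evaluate constructed sample connections; returns {case: (action, rule)}."""
    cases = {
        "https": Connection("outgoing", "tcp", "198.51.100.7", 51000, "203.0.113.10", 443),
        "pop3_ok": Connection("outgoing", "tcp", "198.51.100.7", 51001, MAIL_SERVER, 110),
        "pop3_other": Connection("outgoing", "tcp", "198.51.100.7", 51002, "203.0.113.20", 110),
        "smb_hotspot": Connection("incoming", "tcp", "198.51.100.7", 445, "198.51.100.9", 49152),
        "smb_office": Connection("incoming", "tcp", "10.1.2.3", 445, "10.1.2.9", 49152),
    }
    return {k: evaluate(RULES, c, FRIENDLY_NETS, VPN_POOL) for k, c in cases.items()}


if __name__ == "__main__":
    for name, (action, rule) in demo().items():
        print(f"{name:12} -> {action:5} ({rule})")
```

Because nothing matches by default, the POP3 rule only opens port 110 to the one server named in its Remote tab; a POP3 connection to any other host, and inbound SMB on a hotspot (an unknown network), both fall through to deny, while the same SMB connection on a friendly network is allowed by the network-scoped rule. Leaving the local address as Any, as the guide recommends, keeps the rules valid when the client moves between networks and picks up a new address.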