Mobile users

Some How To's will guide you step by step in the configuration of a secure connection between your sites. Click on one of the links to access these How To's:

The IPsec VPN has two endpoints: the tunnel endpoint and the traffic endpoint. For anonymous or mobile users, the IP address of the tunnel’s endpoint is not known in advance.

As for the IP address of the traffic endpoint, it can either be chosen by the peer (“classic” case) or given by the gateway (“Config mode”).

Do note that from version 3.8.0 onwards, mobile IPsec policies containing several peers can be built as long as they use the same IKE encryption profile. In certificate-based authentication, the certificates of the various peers must be issued by the same CA,

Add

Select the VPN policy in which you wish to set up a tunnel. Policy creation wizards will guide you in this configuration. If you wish to create the mobile peer through the wizard, please refer to the section “Creating a mobile peer” below.

It is possible to define VPN client settings (Config mode) for mobile users through the Config mode policy creation wizard.

New Policy

This policy makes local networks accessible to authorized users via an IPsec tunnel. In this configuration, remote users log on with their own IP addresses.

Enter the details of the mobile peer to be used. Then add the accessible local resources to the list.

New Config mode policy

This policy with Config mode makes a single local network accessible to authorized users through an IPsec tunnel. With Config mode, remote users log on with an IP address assigned in a set defined as a “Mobile network”.

Once it is created, the cell corresponding to the Config mode column will contain a Modify button, allowing you to enter the parameters of the IPsec Config mode, described in the section The table.

You can enter a particular DNS server and specify the domains that this server uses. These indications are indispensable if an Apple® (iPhone, iPad) mobile client is used for example. This feature is paired with Config mode, and is not used by all VPN clients on the market.

Creating a mobile peer

The procedure for creating a peer through these wizards is described below. You can also create it directly from the Peer tab.

  1. Click on the “Add” button, then on “New policy” (VPN), then on “Create a mobile peer” in the mobile IPsec VPN policy wizard.
  2. Name your mobile configuration, and click on Next.
  3. Select the authentication method of the peer.
Certificate If you select this authentication method, you will need to select the Certificate (server) to be presented to the peer, from the list of those you have already created previously (Certificates and PKI module).
You can also enter details about the Certification authority (CA) that signed your peer’s certificate so that it is automatically added to the list of trusted authorities.
Hybrid If you select this hybrid method, you will need to provide the Certificate (server) to be presented to the peer and probably its CA.
The server is authenticated by certificate in Phase 1, and the client by XAuth immediately after Phase 1.
Certificate and XAuth (iPhone) This option allows mobile users (roadwarriors) to connect to your company’s VPN gateway via their mobile phones, using a certificate in Phase 1. The server is also authenticated by certificate during this Phase 1. Additional authentication of the client is carried out by XAuth after Phase 1.

NOTE
This is the only mode compatible with iPhones.

Pre-shared key (PSK) If you have chosen this authentication method, you will need to enter your key in a table, providing its ID and its value (which must be confirmed). To do so, click on Add.

The ID may be in an IP address (X.Y.Z.W), FQDN (myserver.domain.com), or e-mail address format (firstname.lastname@domain.com). It will then occupy the “Identity” column in the table and the pre-shared key will occupy a column of the same name with its value displayed in hexadecimal.

NOTE
To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

  1. Click on Next.
  2. Check the summary of your mobile configuration and click on Finish.
  3. Next, enter the local resource, or “local network”, to which the mobile user will have access.

Other operations can also be performed:

Search Searches will be performed on the name of the object and its various properties, unless you have specified in the preferences of the application that you would like to restrict this search to object names only.
Delete Select the IPsec VPN tunnel to be removed from the table and click on this button.
Move up Places the selected line before the line just above it.
Move down Places the selected line after the line just below it.

The table

Line This column indicates the number of the line processed in order of appearance on the screen.
Status This column shows the status On/ Off of the tunnel.
When you create tunnels, they are active by default. Click twice to disable them.
To ease the configuration of the tunnel with a remote device (gateway or mobile client), click on this icon to view information on the IPsec policy:
  • Tunnel endpoints: local object / remote object
  • Traffic endpoints: local object / destination object
  • Authentication: Mode / Type / Certificate / Pre-shared key
  • Encryption profiles (phase 1 & 2): algorithms, Diffie Hellman group, lifetime

This information can be selected, and can therefore be copied.

Local network Select the host, host group, address range, network or network group that will be accessible via the IPsec VPN tunnel, from the drop-down list of objects.
Peer Configuration of the peer, which can be viewed in the tab of the same name in the IPsec VPN module.
Mobile network Select from the drop-down list of objects, the host, host group, address range, network or network group accessible through the IPsec tunnel with the peer.

NOTE
When creating a new mobile IPsec VPN policy via the wizard, you will be asked to enter details about the local network, and not the remote network, since the IP address is unknown. The object “Any” will therefore be selected by default.

Domain (directory) This option makes it possible to specify the domain (directory) on which the mobile peer must be authenticated. The same user can therefore simultaneously set up several IPsec VPN tunnels and access separate resources by authenticating on several directories.
Group This option makes it possible to specify the user’s group on the authentication domain.
The same user can therefore simultaneously set up several IPsec VPN tunnels by authenticating on one or several directories, and accessing separate resources by obtaining the specific privileges for the group in question.
For this option, you will need to specify the Domain (Directory).
Encryption profile This option makes it possible to select the protection model associated with your VPN policy, from three preconfigured profiles: StrongEncryption, GoodEncryption and Mobile. Other profiles can be created or modified in the tab Encryption profiles.
Config mode This column makes it possible to activate “Config mode”, which is disabled by default. This allows the traffic endpoint IP address to be distributed to the peer.
NOTES
  1. If you choose to activate this mode, you will need to select an object other than “Any” as the remote network.
  2. With config mode, only one policy can be applied per profile.

The Edit button allows you to enter the parameters of the IPsec Config mode:
  • DNS server: this field determines the host (DNS server) that will be used by mobile clients, for DNS resolutions. You can select it or create it in the object database. This field is empty by default.
  • List of domains used in Config mode: the client will use the DNS server selected earlier only for domains specified in this table. For other domains, the client will continue to use its own DNS server(s). The domains listed here are therefore generally internal domain names.

EXAMPLE
In the case of the domain "company.com", if an iPhone attempts to connect to "www.company.com" or "intranet.company.com", it will use the DNS server specified above. However, if it attempts to contact "www.google.fr", it will continue to use its own DNS servers.
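The following added example (not Stormshield code) models how a Config mode client picks a resolver from the "List of domains used in Config mode". The DNS server addresses and the domain list are constructed sample values; matching is done label by label so that a name that merely ends in the same characters (for example "notcompany.com") is not sent to the internal server.

```python
# Added example (not Stormshield's own code): resolver selection for a Config mode
# client, driven by the "DNS server" field and the "List of domains used in Config mode".
# All addresses and names below are constructed sample values.

CONFIG_MODE_DNS = "10.0.0.53"          # constructed: the "DNS server" object
CONFIG_MODE_DOMAINS = ["company.com"]  # constructed: the domain list from the table
CLIENT_DEFAULT_DNS = "192.0.2.1"       # constructed: the client's own resolver


def _labels(name: str) -> list:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def in_config_mode_domain(name: str, domains=CONFIG_MODE_DOMAINS) -> bool:
    """True if `name` is a listed domain or a subdomain of one.

    Comparison is label-aware: 'notcompany.com' does NOT match 'company.com',
    even though it ends with the same characters.
    """
    host = _labels(name)
    for domain in domains:
        d = _labels(domain)
        if len(host) >= len(d) and host[-len(d):] == d:
            return True
    return False


def resolver_for(name: str) -> str:
    """Return the resolver a Config mode client would use for `name`."""
    return CONFIG_MODE_DNS if in_config_mode_domain(name) else CLIENT_DEFAULT_DNS


if __name__ == "__main__":
    for n in ("www.company.com", "intranet.company.com", "www.google.fr",
              "notcompany.com", "COMPANY.COM."):
        print(f"{n:22} -> {resolver_for(n)}")
```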

Comments Description given of the VPN policy.
Keep alive To enable this option, enter a value other than 0: this is the interval, in seconds, between each keepalive UDP packet sent.

NOTE
You can only use and create a single mobile (roadwarrior) configuration per IPsec profile. Peers can be applied to all profiles. As a result, only one authentication type can be used at a time for the mobile configuration.

Checking the policy in real time

The window for editing IPsec policy rules has a “Check policy” field (located below the table), which warns the administrator whenever there are inconsistencies or errors in the rules created.
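As an added example (not Stormshield code), the checker below applies two of the rules stated in this section to a mobile policy table: with Config mode, the mobile network must be an object other than “Any”, and only one Config mode policy may exist per encryption profile. The policy lines, peer and object names are constructed sample values.

```python
# Added example (not Stormshield's own code): a small consistency check modelled on
# the "Check policy" field, applying the two Config mode notes from this section.
from dataclasses import dataclass
from collections import Counter


@dataclass
class MobilePolicy:
    line: int                  # "Line" column
    peer: str                  # "Peer" column
    encryption_profile: str    # "Encryption profile" column
    mobile_network: str        # "Mobile network" column; "Any" when undetermined
    config_mode: bool = False  # "Config mode" column


def check_policies(policies):
    """Return a list of warnings; an empty list means no inconsistency was found."""
    warnings = []
    for p in policies:
        # Note 1: with Config mode, the remote network must be an object other than "Any".
        if p.config_mode and p.mobile_network.lower() == "any":
            warnings.append(
                f"line {p.line}: Config mode is enabled but the mobile network is 'Any'")
    # Note 2: with Config mode, only one policy can be applied per profile.
    per_profile = Counter(p.encryption_profile for p in policies if p.config_mode)
    for profile, count in sorted(per_profile.items()):
        if count > 1:
            lines = ", ".join(str(p.line) for p in policies
                              if p.config_mode and p.encryption_profile == profile)
            warnings.append(
                f"profile {profile}: {count} Config mode policies (lines {lines}), only one allowed")
    return warnings


# Constructed sample table: lines 2 and 3 break the rules, lines 1 and 4 do not.
SAMPLE_POLICIES = [
    MobilePolicy(1, "roadwarriors", "Mobile", "Any", config_mode=False),
    MobilePolicy(2, "roadwarriors", "Mobile", "Any", config_mode=True),
    MobilePolicy(3, "roadwarriors", "Mobile", "vpn_clients_net", config_mode=True),
    MobilePolicy(4, "partners", "StrongEncryption", "partner_clients_net", config_mode=True),
]

if __name__ == "__main__":
    for w in check_policies(SAMPLE_POLICIES) or ["policy table is consistent"]:
        print(w)
```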