Allowing mobile users to set up IPsec VPN tunnels

The suggested method consists of creating a group that contains all the mobile users allowed to set up IPsec VPN tunnels, then assigning the appropriate privilege to this group.

Creating a group that contains all the users allowed to set up IPsec VPN tunnels

For an internal LDAP directory, go to Configuration > Users > Users:

  1. Click on Add group.
  2. In the Group name field, enter a representative name (e.g. Mobile_Users).
    You can add a description.
  3. Click on Add.
    A row will be added to the grid of group members.
  4. Type the first few letters of the name of the user to be added to the group and select the desired user from the list that the firewall suggests.
  5. Repeat steps 3 and 4 to add all the users that must belong to this group.
  6. When all members have been added, click on Apply.
  7. Confirm by clicking on Save.

For an external directory (Microsoft Active Directory, LDAP or Posix LDAP), such groups must be created directly on one of the workstations that hosts the directory.

Checking whether the authentication method for mobile users is LDAP-based

Go to Configuration > Users > Authentication > Authentication policy tab.

If no authentication rules are found in the grid

Check whether the Method to use if no rules match field has been set to “LDAP”.

If there are already authentication rules in the grid

Add an LDAP authentication rule for users from the IPsec VPN:

  1. Click on New rule and select Standard rule.
  2. In the User or group field, select the group created earlier (Mobile_Users in the example).
  3. In the menu on the left side of this window, select Source.
  4. Click on Add an interface and select IPsec VPN.
  5. In the menu on the left side of this window, select Authentication methods.
  6. Select the row in the grid that contains the Default method and click on Remove.
  7. Click on Authorize a method and select LDAP.
  8. Click OK.
  9. Double-click on the cell corresponding to the Status column to enable this rule.
    Its status will switch to Enabled.
  10. Click on Apply then on Save.

The resulting authentication rule applies the LDAP method to the Mobile_Users group for connections arriving on the IPsec VPN interface.

Allowing mobile users to set up IPsec VPN tunnels

In Configuration > Users > Access privileges > Detailed access tab:

  1. Click on Add.
    A row will be added to the grid.
  2. Click on the cell in this row in the User - user group column.
  3. Type the first few letters of the name of the group and select it from the list that the firewall suggests.
  4. Click on the cell in this row in the IPsec column and select Allow.
  5. Double-click on the cell in this row in the Status column to show the status Enabled.
  6. Click on Apply.

The users in this group are now allowed to set up IPsec tunnels.
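The three pieces configured above (group membership, the authentication policy with its fallback method, and the IPsec privilege grid) only grant a mobile user a tunnel when they line up. The following Python model is an added example, not Stormshield code, and is useful for checking the expected outcome before testing on the firewall. It assumes the rule semantics described on this page: the first enabled rule whose user/group and source interface both match decides the authentication method, the "Method to use if no rules match" applies otherwise, and the IPsec privilege is granted by an enabled row set to Allow. The directory contents, user names and the fallback method name are constructed for the example.

```python
"""Model of the mobile-user IPsec configuration described on this page.
Added example; the rule-matching semantics are an assumption of this model,
not a statement about the firewall's implementation."""
from dataclasses import dataclass


@dataclass
class AuthRule:
    user_or_group: str
    sources: set        # interfaces the rule applies to, e.g. {"IPsec VPN"}
    methods: list       # authorised methods in order, e.g. ["LDAP"]
    enabled: bool = False   # step 9: a rule does nothing until enabled


@dataclass
class AccessPrivilege:
    user_or_group: str
    ipsec: str          # "Allow" or "Block" (assumed values for the model)
    enabled: bool = False


@dataclass
class Directory:
    groups: dict        # group name -> set of member user names

    def groups_of(self, user):
        return {g for g, members in self.groups.items() if user in members}


@dataclass
class AuthPolicy:
    rules: list
    default_method: str     # "Method to use if no rules match"

    def method_for(self, user, source, directory):
        names = {user} | directory.groups_of(user)
        for rule in self.rules:
            if rule.enabled and rule.user_or_group in names and source in rule.sources:
                return rule.methods[0]   # assumption: first authorised method is offered
        return self.default_method       # no rule matched: fall back


def ipsec_allowed(privileges, user, directory):
    """True when an enabled privilege row names the user (or a group) with IPsec = Allow."""
    names = {user} | directory.groups_of(user)
    return any(p.enabled and p.user_or_group in names and p.ipsec == "Allow"
               for p in privileges)


# Constructed sample directory: alice and carol are mobile users, bob is not.
DIRECTORY = Directory(groups={"Mobile_Users": {"alice", "carol"},
                              "Office_Users": {"bob"}})

# The rule from the "If there are already authentication rules" procedure:
# group Mobile_Users, source IPsec VPN, Default method removed, LDAP authorised.
POLICY = AuthPolicy(
    rules=[AuthRule("Mobile_Users", {"IPsec VPN"}, ["LDAP"], enabled=True)],
    default_method="RADIUS",    # constructed fallback, stands in for whatever the firewall uses
)

# The row added under Access privileges > Detailed access.
PRIVILEGES = [AccessPrivilege("Mobile_Users", "Allow", enabled=True)]


def vpn_decision(user, source="IPsec VPN"):
    """Return (authentication method, IPsec allowed) for a user arriving on `source`."""
    return (POLICY.method_for(user, source, DIRECTORY),
            ipsec_allowed(PRIVILEGES, user, DIRECTORY))


def decision_with_rule_disabled(user):
    """Same check, but with the LDAP rule left in its initial disabled state (step 9 skipped)."""
    disabled = AuthPolicy(
        rules=[AuthRule("Mobile_Users", {"IPsec VPN"}, ["LDAP"], enabled=False)],
        default_method=POLICY.default_method,
    )
    return disabled.method_for(user, "IPsec VPN", DIRECTORY)


if __name__ == "__main__":
    for u in ("alice", "bob"):
        print(u, vpn_decision(u))
    print("alice with rule disabled:", decision_with_rule_disabled("alice"))
```

Running it shows alice authenticating with LDAP and holding the IPsec privilege, while bob, who is not in Mobile_Users, falls back to the default method and has no privilege; the last check shows why step 9 matters, since a rule that was added but never enabled leaves the group on the fallback method.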