Defining a network object that contains IP addresses assigned to mobile peers

The network assigned to clients must not already be known to the firewall. It must not be:

  • A directly connected network,
  • A network known through routing,
  • A network involved in the configuration of another IPsec tunnel.

In Configuration > Objects > Network:

  1. Click on Add.
  2. Select Network.
  3. Assign a Name to this object (IKEv2_EAP_CERT_Clients_Network in the example).
  4. Fill in the Network IP address field in network/mask form.
    This network must contain at least as many IP addresses as the number of users likely to connect simultaneously via an IPsec VPN tunnel.
    Examples:
    192.168.9.0/24 or 192.168.9.0/255.255.255.0: 254 addresses, so 254 clients simultaneously in Phase 2.
    192.168.9.0/23 or 192.168.9.0/255.255.254.0: 510 addresses, so 510 clients simultaneously in Phase 2.
  5. Click on Create.
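
The constraints above (no overlap with a network the firewall already knows, enough addresses for simultaneous users) can be checked before the object is created. The script below is an added example, not part of the original procedure or of the firewall's own tooling; the function names and the KNOWN_NETWORKS list are constructed assumptions to be replaced with the networks of your own configuration. It also flags a value whose address is not the base address of its mask, which Python's ipaddress module rejects in strict mode.

```python
import ipaddress

# Constructed sample of networks the firewall already knows (not from the page).
KNOWN_NETWORKS = {
    "directly connected": ["192.168.1.0/24", "10.0.0.0/24"],
    "known through routing": ["172.16.0.0/16"],
    "other IPsec tunnel": ["192.168.8.0/24"],
}


def usable_addresses(network):
    """Addresses left after removing the network and broadcast addresses."""
    return max(network.num_addresses - 2, 0)


def check_pool(candidate, expected_users, known=KNOWN_NETWORKS):
    """Return a list of problems found with a candidate mobile-peer network."""
    problems = []
    try:
        # Accepts both 'a.b.c.d/24' and 'a.b.c.d/255.255.255.0' notations.
        pool = ipaddress.ip_network(candidate, strict=True)
    except ValueError:
        # Host bits set: the address is not the base address of that mask.
        pool = ipaddress.ip_network(candidate, strict=False)
        problems.append(f"{candidate} is not aligned on its mask; "
                        f"the enclosing network is {pool}")
    for origin, networks in known.items():
        for cidr in networks:
            if pool.overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"overlaps {cidr} ({origin})")
    if usable_addresses(pool) < expected_users:
        problems.append(f"only {usable_addresses(pool)} addresses for "
                        f"{expected_users} simultaneous users")
    return problems


if __name__ == "__main__":
    # Constructed candidates: CIDR notation, dotted mask, and a misaligned /23.
    for cand, users in [("192.168.9.0/24", 200),
                        ("192.168.9.0/255.255.255.0", 300),
                        ("192.168.9.0/23", 400)]:
        print(cand, users, check_pool(cand, users) or "OK")
```

An empty list means the candidate network passed all three checks against the networks supplied.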