Allowing mobile users to set up IPsec VPN tunnels

The suggested method consists of creating a group that contains all the mobile users allowed to set up IPsec VPN tunnels, then assigning the appropriate privilege to this group. This group will also be used in the configuration of the mobile peer's profile.

Creating a group that contains all the users allowed to set up IPsec VPN tunnels

NOTE
For an external directory, such groups must be created directly on one of the workstations that hosts the directory.

  1. Go to Configuration > Users > Users.
  2. Click on Add group.
  3. In the Group name field, enter a representative name (e.g.: EAP-GTC-CERT Users).
    You can add a Description.
  4. Click on Add.
    A row will be added to the grid of group members.
  5. Type the first few letters of the name of the user to be added to the group and select the desired user from the list that the firewall suggests.
  6. Repeat steps 3 and 4 to add all the users to include in this group.
  7. When all members have been added, click on Apply.
  8. Confirm by clicking on Save.
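Because this group is what the access-privilege rule later keys on, it is worth checking that it contains only the intended mobile users, especially when the group lives in an external directory. The following is an added example, not code from the Stormshield documentation: it parses a constructed LDIF export of the group entry (the DNs and base are placeholders) and reports members missing from, or extra to, an approved list.

```python
from typing import Dict, List, Set, Tuple

# Constructed LDIF export of the VPN users group held in an external directory.
# The base DN and user DNs are placeholders, not values from the documentation.
SAMPLE_LDIF = """\
dn: cn=EAP-GTC-CERT Users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: EAP-GTC-CERT Users
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: uid=svc-backup,ou=services,dc=example,dc=com
"""


def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry with plain (non-base64) values into attribute -> values.
    A line starting with a space continues the previous line, per the LDIF format."""
    joined: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        elif line.strip():
            joined.append(line)
    attrs: Dict[str, List[str]] = {}
    for line in joined:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def group_members(ldif: str) -> Set[str]:
    """Return the group's member DNs, lower-cased so comparisons ignore DN case."""
    return {dn.lower() for dn in parse_ldif_entry(ldif).get("member", [])}


def audit_vpn_group(ldif: str, approved: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Compare the directory group with the approved list of mobile VPN users.
    Returns (missing, unexpected): approved users not in the group, and group
    members that nobody approved and that therefore gain IPsec privileges."""
    actual = group_members(ldif)
    wanted = {dn.lower() for dn in approved}
    return wanted - actual, actual - wanted
```

Run the audit whenever the group changes and before enabling the access-privilege rule; any DN reported as unexpected inherits the IPsec privilege granted to the group.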

Setting LDAP as the authentication method for mobile users

Go to the Configuration > Users > Authentication > Authentication policy tab.

If no rules are found in the authentication policy

Ensure that:

  • The Default action to apply field is set to Allow.
  • The Method to use if no rules match field is set to LDAP.

If the authentication policy contains rules other than the one required for IPsec VPN users

Add an authentication rule:

  1. Click on New rule and select Standard rule.
    A rule configuration window opens.
  2. In the menu on the left side of this window, click on Action.
  3. In the Action to apply for this rule field, select Allow.
  4. In the menu on the left, click on User.
  5. In the User or group field, select the group created earlier (EAP-GTC-CERT Users in the example).
  6. In the menu on the left, click on Source.
  7. Click on Add an interface and select IPsec.
  8. In the menu on the left, select Authentication methods.
  9. Select the row in the grid that contains the Default method and click on Delete.
  10. Click on Enable a method and select LDAP.
  11. Click on OK.
  12. Double-click on the cell corresponding to the Status column to enable this rule.
    Its status will switch to ON.
  13. Click on Apply then on Save.

The authentication rule configured is:

Allowing mobile users to set up IPsec VPN tunnels

In Configuration > Users > Access privileges > Detailed access tab:

  1. Click on Add.
  2. In the User - Group field: select the user group from the list suggested by the firewall (EAP-GTC-CERT Users in this example).
  3. Click on OK.
    A row will be added to the grid.
  4. Click on the cell in this row in the IPsec column and select Allow.
  5. Double-click on the cell in this row in the Status column to show the status Enabled.
  6. Click on Apply then on Save.

The users in this group are now allowed to set up IPsec tunnels: