Mobile users

The IPsec VPN has two endpoints: the tunnel endpoint and the traffic endpoint. For anonymous or mobile users, the IP address of the tunnel’s endpoint is not known in advance.

As for the IP address of the traffic endpoint, it can either be chosen by the peer (“classic” case) or given by the gateway (“Config mode”).

Mobile IPsec policies containing several peers can be built as long as they use the same IKE encryption profile. In certificate-based authentication, the certificates of the various peers must be issued by the same CA,


Select the VPN policy in which you wish to set up a tunnel. Policy creation wizards will guide you in this configuration. If you wish to create the mobile peer through the wizard, please refer to the section “Creating a mobile peer” below.

VPN client settings (Config mode) can be defined for mobile users through the Config mode policy creation wizard.

New standard mobile policy

This policy makes local networks accessible to authorized users via an IPsec tunnel. In this configuration, remote users log on with their own IP addresses.

Enter the details of the mobile peer to be used. Then add the accessible local resources to the list.

New Config mode policy

This policy with Config mode makes a single local network accessible to authorized users through an IPsec tunnel. With Config mode, remote users log on with an IP address assigned in a set defined as a “Mobile network”.

Once it is created, the cell corresponding to the Config mode column will contain an Edit Config mode (selection) button, allowing you to enter the parameters of the IPsec Config mode, described in the section The table.

You can enter a particular DNS server and specify the domains that this server uses. These indications are indispensable if an Apple® (iPhone, iPad) mobile client is used for example. This feature is paired with Config mode, and is not used by all VPN clients on the market.

Creating a mobile peer

The procedure for creating a peer through these wizards is described below. You can also create it directly from the Peer tab.

  1. Click on “Add” a “New policy” (VPN), then on “Create a mobile peer” via the mobile IPsec VPN policy wizard.
  2. Name your mobile configuration.
  3. Select the IKE version of the protocol that the peer uses.
  4. Click on Next.
  5. Select the authentication method of the peer.
Certificate If you select this authentication method, you will need to select the Certificate (server) to be presented to the peer, from the list of those you have already created previously (Certificates and PKI module).
You can also enter details about the Certification authority (CA) that signed your peer’s certificate so that it is automatically added to the list of trusted authorities.
Hybrid If you select this hybrid method, you will need to provide the Certificate (server) to be presented to the peer and probably its CA.
The server is authenticated by certificate in Phase 1, and the client by XAuth immediately after Phase 1.
Certificate and XAuth (iPhone) This option allows mobile users (roadwarriors) to connect to your company’s VPN gateway via their mobile phones, using a certificate in Phase 1. The server is also authenticated by certificate during this Phase 1. Additional authentication of the client is carried out by XAuth after Phase 1.

This is the only mode compatible with iPhones.

Pre-shared key (PSK) If you have chosen this authentication method, you will need to edit your key in a table, by providing its ID and its value to be confirmed. To do so, click on Add.

The ID may be in an IP address (X.Y.Z.W), FQDN (, or e-mail address format ( It will then occupy the “Identity” column in the table and the pre-shared key will occupy a column of the same name with its value displayed in hexadecimal.

To define an ASCII pre-shared key that is sufficiently secure, you must follow the same rules for user passwords set out in the section Welcome, under the section User awareness, sub-section User password management.

  1. Click on Next.
  2. Check the summary of you mobile configuration and click on Finish.
  3. Next, enter the local resource, or “local network" to which the mobile user will have access.

Other operations can also be performed:

Search Searches will be performed on the name of the object and its various properties, unless you have specified in the preferences of the application that you would like to restrict this search to object names only.
Delete Select the IPsec VPN tunnel to be removed from the table and click on this button.
Move up Places the selected line before the line just above it.
Move down Places the selected line after the line just below it.
Cut Cuts the selected line to paste it.
Copy Copies the selected line to duplicate it.
Paste Duplicates the selected line after it is copied.
Show details To ease the configuration of the tunnel with a remote device (gateway or mobile client), click on this icon to view information on the IPsec policy:
  • Summary: rule type, IKE version, peer, remote gateway, traffic endpoints (local network, remote network).
  • Authentication: Mode/Type (Certificate/Pre-shared key)
  • Encryption profiles (phase 1 & 2): algorithms, Diffie-Hellman group, lifetime

Search in logs When a name is assigned to the IPsec rule, clicking on this button will run a search by the name of the rule in the IPsec VPN log and show the results.
Search in monitoring Clicking on this button will open the screen to monitor IPsec tunnels (Monitoring tab > Monitoring module > IPsec VPN tunnels).

Right-clicking anywhere in the grid will display a pop-up menu offering the following actions:

  • Add,
  • Copy,
  • Cut,
  • Paste,
  • Show details
  • Delete,
  • Search in logs,
  • Search in monitoring.