Jan 16, 2018 OS X 10.6 and above has a built in Cisco IPSEC VPN Client that can be used to connect to the Georgia Tech VPN rather than using the Cisco IPSEC or AnyConnect clients. See the step by step instructions below: 1. Open System Preferences and click on 'Network'. Click on the '+' sign in the lower left to add a new service. WatchGuard VPN Tracker is the leading Apple Mac VPN client and compatible with almost all IPSec VPN, L2TP VPN and PPTP VPN gateways (Try VPN Tracker for free). Please refer to the following table to find out if the VPN Tracker team has already successfully tested VPN Tracker with your WatchGuard VPN gateway.
These instructions are written for WatchGuard IPSec Mobile VPN Client end users. These instructions tell users to contact their network administrator for information about how to install a desktop firewall or configure the firewall that is part of the client software, and for the settings to control the connection behavior if they do not use a .ini file. You can print these instructions or use them to create a set of instructions for your end users.
The WatchGuard IPSec Mobile VPN Client creates an encrypted connection between your computer and the Firebox with a standard Internet connection. The IPSec Mobile VPN Client enables you to get access to protected network resources from any remote location with an Internet connection.
Before you install the WatchGuard IPSec Mobile VPN Client, make sure you understand these requirements and recommendations.
You must use the client software installation file that matches your Windows OS system type (64-bit or 32-bit). To see your system type in Windows 10, type About in the Cortana search box and select About Your PC. For instructions for other Windows operating systems, see your network administrator or the Microsoft documentation.
Before you start the installation, make sure you have the following installation components:
Install the Client Software for Windows
To install the client on a Windows computer:
There is no profile for the VPN dial-up!
Do you want to use the configuration wizard for creating a profile now?
To start the WatchGuard Mobile VPN client in Windows 10:
From your Windows desktop, select Start and then select WatchGuard Mobile VPN > Mobile VPN Monitor. For instructions for other Windows operating systems, see your network administrator.
To configure the client, import the end user profile that configures the IPSec Mobile VPN client with the settings required to create a VPN tunnel. For this procedure, you need the profile passphrase set by the administrator.
To import a Mobile VPN configuration .wgx or .ini file:
To type your credentials each time you connect to the VPN, keep the User name and Password text boxes empty. This method provides the greatest security.
To connect to the VPN with saved credentials, type your user name and password. The Firebox stores this information so you do not have to type your user name and password each time you connect. This is the least secure method. You can also type your user name and keep the Password text box empty.
After you install the client software, reinstall the original desktop firewall software or configure the firewall that is part of the client software. If you use a third-party desktop firewall, make sure you configure it to allow traffic to establish the VPN tunnel and the traffic that goes through the tunnel. Contact your network administrator for instructions.
Install the Client Software for macOS
To install the client on a macOS computer:
To start the WatchGuard Mobile VPN Client:
From the Applications folder, double-click the WatchGuard Mobile VPN client.
To configure the client, you import the end user profile that configures the IPSec Mobile VPN client with the settings required to create a VPN tunnel. For this step, you need the profile passphrase set by the administrator.
To import the end user profile:
If you type your user name and password, the Firebox stores them and you do not have to enter this information each time you connect. However, this is a security risk. You can also type just your user name and keep the Password field empty.
To see the installed profiles, or install a different profile, in the WatchGuard Mobile VPN client, select WatchGuard Mobile VPN > Profiles.
After you install the client software, reinstall the original desktop firewall software or configure the firewall that is part of the client software. If you use a third-party desktop firewall, make sure you configure it to allow traffic to establish the VPN tunnel and the traffic that goes through the tunnel. Contact your network administrator for instructions.
In v12.5 or higher, the WatchGuard VPN client for macOS supports Dark Mode for macOS Mojave or higher.
Select a Certificate and Type the PIN
Complete these steps only if you have a cacert.pem and a .p12 file.
To configure the certificate in the Windows VPN client:
To configure the certificate in the macOS VPN client:
In v12.5 or higher, the WatchGuard VPN client for macOS supports the macOS Keychain for certificate storage. You must first import the certificate into the macOS Keychain. To use the private key contained in the certificate, make sure the NCP service ncprwsmac can access the directory /Library/Application Support/NCP/Secure Client/.
Activate the VPN Client License
The IPSec Mobile VPN client comes with a 30 day trial license. To use the client longer than 30 days, you must activate a license for it. To activate your IPSec Mobile VPN Client, you must have:
To activate the client with the license number and serial number:
In the Windows client, the Software Activation Wizard provides two options you can use to connect to the Internet:
Watchguard Ipsec Vpn Client For Macos Mac
To activate the client with an Initialization File:
Connect and Disconnect the Mobile VPN Client
Connect to the Internet through a dial-up networking connection or a LAN connection. Then, use the instructions below to select your profile, connect, and disconnect.
To select your profile in the WatchGuard Mobile VPN client:
To disconnect the Mobile VPN client:
Or select Disconnect from the Mobile VPN icon menu in the Windows system tray or macOS menu bar.
WatchGuard Mobile VPN Client Icon
The WatchGuard Mobile VPN client icon appears in the system tray (Windows) or menu bar (macOS). The icon color indicates the status of the VPN connection.
On a Windows computer, you can right-click the icon in the system tray to reconnect and disconnect your Mobile VPN, and to see the profile in use.
On a macOS computer, the VPN client icon does not automatically appear in the menu bar. To make the icon appear in the menu bar, in the Mobile VPN Client, select WatchGuard Mobile VPN > Show VPN client monitor in menu bar.
Click the icon in the menu bar to show VPN connection status.
From the menu bar icon, you can:
Control the Connection Behavior
The connection behavior controls the action the IPSec Mobile VPN client software takes when the VPN tunnel becomes unavailable for any reason. By default, you must manually reconnect. You are not required to change the connection behavior, but you can configure the client to automatically or variably reconnect. Contact your network administrator for the suggested setting.
If you import a .ini file to configure the VPN client, do not change the Line Management settings. The .ini file configures these settings for you.
Install Watchguard Vpn Client
To set the behavior of the Mobile VPN client when the VPN tunnel becomes unavailable:
The available connection modes are:
manual
In manual mode, you must manually start the VPN tunnel. The client does not try to restart the VPN tunnel automatically if the VPN tunnel disconnects. To start the VPN tunnel, click Connect in the Mobile VPN client or right-click the Mobile VPN icon on your Windows desktop toolbar and click Connect.
automatic (connection initiated by data transfer)
In automatic mode, the client automatically tries to start the connection when your computer sends traffic to a remote host through the VPN tunnel. If the VPN tunnel disconnects, the client automatically tries to restart the VPN tunnel when an application on the client computer sends traffic to a remote host.
always
In always mode, the client automatically starts the VPN connection when you start the client. The connection is established independent of the Connect button, traffic through the tunnel, or how the VPN monitor is set to be displayed.
variable ('Connect' starts 'automatic' mode)
In this mode, click Connect to manually start the VPN tunnel the first time. After you start the tunnel, the tunnel runs in automatic mode until you click Disconnect. If the VPN tunnel goes down before you click Disconnect, the client automatically tries to restart the VPN tunnel whenever an application on the client initiates sends traffic to a remote host.
variable ('Connect' starts 'always' mode)
In this mode, click Connect to manually start the VPN tunnel the first time. After you start the tunnel, the tunnel runs in always mode, as described above. The client continues to use always mode until you close the client.
For information about other line management settings, click Help in the WatchGuard Mobile VPN Client.
Other Configuration Settings
For information about other settings in the client, click Help in the WatchGuard Mobile VPN Client.
Apple iOS devices (iPhone, iPad, and iPod Touch) and macOS 10.6 and higher devices include a native Cisco IPSec VPN client. You can use this client to make an IPSec VPN connection to a Firebox. To use the native IPSec VPN client to make a connection to your Firebox, you must configure the VPN settings on your Firebox to match those on the iOS or macOS device.
For IPSec VPN connections from a macOS device, you can also use the WatchGuard IPSec VPN Client for macOS. For more information, see Install the IPSec Mobile VPN Client Software.
Supported Phase 1 and 2 Settings
For devices with iOS 9.3 and higher or macOS 10.11.4 and higher, these combinations of Phase 1 and 2 settings are supported.
If Diffie-Hellman Group 14 is selected in the Phase 1 settings:
If Diffie-Hellman Group 2 is selected in the Phase 1 settings:
For devices with versions of iOS lower than 9.3, these Phase 1 and 2 settings are supported.
Diffie-Hellman Group 5 is not supported on Apple devices for aggressive mode. Mobile VPN with IPSec only supports aggressive mode.
Configure the Firebox
Many of the VPN tunnel configuration settings in the VPN client on the macOS or iOS device are not configurable by the user. It is very important to configure the settings on your Firebox to match the settings required by the VPN client on the macOS or iOS device.
To configure the Firebox, from Fireware Web UI:
You can type the name of an existing group, or the name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and VPN tunnel names.
You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.
The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.
To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.
The number of IP addresses should be the same as the number of Mobile VPN users. The virtual IP addresses do not need to be on the same subnet as the trusted network. If FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.
The IP addresses in the virtual IP address pool cannot be used for anything else on your network.
Make sure that you add all VPN users to the authentication group you selected.
For information about how to add users to a Firebox user group, see Define a New User for Firebox Authentication.
To configure the Firebox, from Policy Manager:
First, use the Mobile VPN with IPSec Wizard to configure the basic settings:
You can authenticate users to the Firebox (Firebox-DB) or to a RADIUS, VASCO, SecurID, LDAP, or Active Directory server. Make sure that the method of authentication you select is enabled.
You can type the name of a Mobile VPN group you have already created, or type a group name for a new Mobile VPN group. Make sure the name is unique among VPN group names, as well as all interface and tunnel names.
If you create a Mobile VPN user group that authenticates to an external authentication server, make sure you create a group on the server with the same name you specified in the wizard for the Mobile VPN group. If you use Active Directory as your authentication server, the users must belong to an Active Directory security group with the same name as the group name you configure for Mobile VPN with IPSec. For more information, see Configure the External Authentication Server.
For a default-route VPN configuration, the configuration automatically allows access to all network IP addresses and the Any-External alias.
Mobile VPN users are assigned an IP address from the virtual IP address pool when they connect to your network. The number of IP addresses in the virtual IP address pool should be the same as the number of Mobile VPN users. If a FireCluster is configured, you must add two virtual IP addresses for each Mobile VPN user.
The virtual IP addresses must be on a different subnet than the local networks. The virtual IP addresses cannot be used for anything else on your network.
Next, you must edit the VPN Phase 1 and Phase 2 settings to match the settings for the VPN client on the macOS or iOS device.
The VPN client on the macOS or iOS device is configured to rekey after 1 hour. If this profile is only used for connections by VPN clients on macOS or iOS devices, set the SA Life to 1 hour to match the client setting.
To use this VPN profile for all supported VPN clients, set the SA Life to 8 hours. When the SA Life is set to 8 hours, the Shrew Soft VPN and WatchGuard IPSec Mobile VPN clients rekey after 8 hours, but the VPN client on the macOS or iOS device uses the smaller rekey value of 1 hour.
Make sure that the macOS or iOS users are members of the authentication group you selected.
Next, you add the settings you configured on your Firebox to the VPN client settings on the macOS or iOS device.
Configure the VPN Client on an iOS Device
To manually configure the VPN client settings on the iOS device:
After you add the VPN configuration, a VPN switch appears in the Settings menu on the iOS device.
To enable or disable the VPN client, click the VPN switch. When a VPN connection is established, the VPN icon appears in the status bar.
The VPN client on the iOS device stays connected to the VPN only while the iOS device is in use. If the iOS device locks itself, the VPN client might disconnect. Users can manually reconnect their VPN clients. If users save their passwords, they do not have to retype the password each time the VPN client reconnects. If users do not save their passwords, they must type the password each time the client reconnects.
The WatchGuard Mobile VPN app for iOS is no longer available in the Apple Store.
Configure the VPN Client on a macOS Device
The Firebox does not generate a client configuration file for the VPN client on the macOS device. The user must manually configure the VPN client settings to match the settings configured on the Firebox.
To configure the VPN settings on the macOS device:
After you apply these settings, a VPN status icon appears in the menu bar of the macOS device.
To start or stop the VPN client connection, click the VPN status icon.
See Also
Give Us Feedbackâ¢Get Supportâ¢All Product Documentationâ¢Technical Search
© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.
Comments are closed.
|
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |