IPsec Mobile Clients Tab

The Mobile Clients tab under VPN > IPsec contains settings which influence the authentication and configuration of mobile clients. These are specific to mobile tunnels and separate from the typical phase 1 and phase 2 negotiation.

Warning

The behavior of these fields varies by the type of mobile connection in use. Check type-specific documentation such as those linked on Choosing a Mobile IPsec Style for recommendations relevant to a given use case.

Enable

IKE Extensions:

When checked, enables support for mobile IPsec in the GUI. The GUI will prompt to create an IPsec phase 1 entry for mobile connections if one does not already exist.

Extended Authentication

User Authentication:

Specifies which authentication sources will be used when authenticating mobile users.

This list contains Local Database which is users from the User Manager or the IPsec Pre-Shared Keys Tab, as well as RADIUS and LDAP servers defined on the firewall.

See also

See Authentication Servers for information on managing entries for this list.

Group Authentication:

When set, the authentication process checks group membership of the user and their privileges. The groups are checked for either “User - VPN: IPsec with Dialin” or “WebCfg - All pages” privileges.

Authentication Groups:

A list of available groups from the user manager. Only members of the selected groups will pass authentication.

When using EAP-RADIUS, group membership is determined by responses from a RADIUS server. See RADIUS Groups for details.

RADIUS Accounting:

When enabled, the IPsec daemon will attempt to send RADIUS accounting data for all tunnels, not only connections associated with mobile IPsec. The RADIUS server must be selected in the User Authentication list above.

Warning

Do not enable this option unless the selected RADIUS servers are always online and capable of receiving RADIUS accounting data. Tunnels will be disconnected if RADIUS accounting data is enabled and fails to send, even if they are not mobile clients.

Client Configuration

Virtual Address Pool:

Defines the pool of IP addresses from which dynamic client addresses are assigned. For example, 10.3.200.0/24.

Note

This subnet must not already be in use on an interface or elsewhere on the firewall or local network.

Virtual IPv6 Address Pool:

Same as above, but for IPv6 addresses.

RADIUS IP Address Priority:

When set, the IPv4/IPv6 address pool is used if address is not supplied by RADIUS server. When unset, a client only receives an IP address if RADIUS provides one.

RADIUS Advanced Parameters:

Advanced options for tuning RADIUS behavior. Typically only required when under high load or when using two-factor or similar out-of-band authentication methods with RADIUS.

Retransmit Base:

Base to use for calculating exponential back off. Default value is 1.4.

Retransmit Timeout:

Timeout in seconds before sending first retransmit. Default value is 2.

Retransmit Tries:

Number of times to retransmit a packet before giving up. Default value is 4.

Sockets:

Maximum number of sockets (ports) to use when communicating with a RADIUS server. Increase for high load environments with many frequent authentication requests. Default value is 1.

Network List:

Controls whether the client will attempt to send all of its traffic across the tunnel or only traffic for specific networks.

If this option is checked the networks defined in the Local Network options for the mobile phase 2 definitions will be sent to the client. If this option is unchecked clients will attempt to send all of their traffic, including Internet traffic, across the tunnel.

Note

Not all clients and mobile IPsec modes respect this option. Some, such as Windows, require routes to be added on the client side in certain configurations like IKEv2.

Save Xauth Password:

When checked, clients that support this control message will allow the user to save their credentials when manually entered during Xauth authentication.

This is mainly respected by Cisco-based Xauth clients like those found on iOS and macOS.

DNS Default Domain:

When checked, the GUI offers a text box for a value the firewall will push to clients as their default domain suffix for DNS requests.

For example if this is set to example.com and a client requests host, then the DNS request will be for host.example.com.

Split DNS:

Controls how the client will send DNS requests to the DNS Server supplied (if any).

The following behaviors are available:

  • If this option is unchecked, the client will send all of its DNS requests to the provided DNS Server(s).

  • If the option is checked and the text box is empty, and a DNS Default Domain is set, then only requests for that domain name will go to the provided DNS Server(s).

  • If the options is checked and a value is entered in the text box, then only requests for the domain(s) entered in the box will be forwarded to the provided DNS Server(s).

DNS Servers:

When Provide a DNS server list to clients is checked and DNS server IP addresses are entered, the firewall sends these values to clients for making DNS requests while the VPN is connected.

Note

If mobile clients will route to the Internet over the VPN, ensure the clients get a DNS Server from the firewall using this option and that they do not have Split DNS enabled.

Without this configuration clients will send DNS requests to servers they were assigned by their ISP, however, clients will route the request across the tunnel and the queries will most likely fail.

WINS Servers:

Works similar to DNS servers, but for WINS.

WINS is rarely used on modern networks and is best left disabled.

Phase 2 PFS Group:

Overrides the PFS setting for all mobile phase 2 entries.

The best practice is to set this value on the phase 2 entries individually.

Login Banner:

A brief bit of text sent to the client for display after the login process succeeds. Optional and only works on some Xauth clients.