Define Mobile VPNs

You can use both SSL VPN and IPsec tunnels together in the mobile VPN configuration in the same policy-based VPN.

Mobile VPNs are not supported with route-based VPNs.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Configure VPN Client settings in the Engine Editor.
    1. Right-click a Firewall element, then select Edit <element type>.
    2. Browse to VPN > VPN Client.
    3. Configure the settings.
    4. (Optional) Configure the settings on the Advanced branch.
    5. Click Save and Refresh to save the changes to the configuration and refresh the policy on the engine.
  2. Create a policy-based VPN or edit an existing policy-based VPN.
  3. On the Mobile VPN tab of the policy-based VPN, select one of the following options to define which VPN Gateways provide mobile VPN access:
    • Only central Gateways from overall topology — Only the VPN Gateways in the Central Gateways list on the Site-to-Site VPN tab provide mobile VPN access.
    • All Gateways from overall topology — All VPN Gateways included in the VPN provide mobile VPN access.
    • Selected Gateways below — Only the VPN Gateways that you add to the Mobile VPN Gateways list provide mobile VPN access. Drag and drop the VPN Gateways from the Resources pane.
  4. Click Save.

Engine Editor – VPN – VPN Client

Use this branch to change settings that are used when the engine acts as a VPN Gateway in a mobile VPN.

Option Definition
Gateway Display Name If you want to display a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element.
VPN Type Defines the type of tunnels the mobile VPN supports.
  • IPsec VPN — The mobile VPN only supports IPsec tunnels.
  • SSL VPN — The mobile VPN only supports SSL VPN tunnels.
  • Both IPsec & SSL VPN — The mobile VPN supports IPsec and SSL VPN tunnels.
SSL Port

(SSL VPN only)

The port for SSL VPN tunnels.
TLS Cryptography Suite Set

(SSL VPN only)

The cryptographic suite for SSL VPN tunnels. Click Select to select an element.
Note: Do not change the default setting unless you have a specific reason to do so.
Authentication Timeout

(SSL VPN only)

The timeout for Stonesoft VPN Client user authentication.
Option Definition
Local Security Checks section Defines whether the Stonesoft VPN Client checks for the presence of basic security software to stop connections from risky computers.
  • Anti-Virus is enabled — Requires anti-virus software to be enabled on the computers of mobile VPN users.
  • Firewall is enabled — Requires firewall software to be enabled on the computers of mobile VPN users.
  • Windows Update is enabled — Requires the Windows Update service to be enabled on the computers of mobile VPN users.
Option Definition
Virtual Address section Options for configuring the Stonesoft VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN.
DHCP Mode Specifies how DHCP requests from VPN clients are sent.
  • Disabled (IPsec VPN type only) — DHCP is not enabled.
  • Direct — When selected, the engine sends a normal DHCP client broadcast message to a DHCP server located in a directly connected network.
    Note: This option is intended for backward compatibility with Forcepoint NGFW versions earlier than version 5.9.
  • Relay — When selected, the engine sends unicast DHCP relay messages for VPN clients’ DHCP requests.
Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only the Direct and DHCP Relay are shown.
Interface

(Direct DHCP mode only)

The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
Interface for DHCP Relay

(Relay DHCP mode only)

 The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
DHCP Server (NGFW < 5.9)

(Direct DHCP mode only)

 The DHCP server that assigns IP addresses for the VPN clients.
Note: This option is intended for backward compatibility with Forcepoint NGFW versions earlier than version 5.9.
DHCP Servers

(Relay DHCP mode only)

The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element.
Add Information (Optional) Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
  • Add User Information — When selected, VPN Client user information (in the form user@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • Add Group Information — When selected, VPN Client user information (in the form group@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • None — When selected, no user or user group information is added to the Remote ID option field in the DHCP Request packets.
Restrict Virtual Address Ranges When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right.
Proxy ARP When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right.
Option Definition
Secondary IPsec VPN Gateways section

(Optional)

(IPsec VPN type only)

 Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.