iPad, iPhone, Android device IPSec VPN with Watchguard Firewall

I'm trying to get an IPSec VPN connection to work on iOS and Android devices.  I got it to work with PPTP using the Firebox Authentication, but I would like to do it with IPSec instead.  I do not want to use PPTP with Radius.  I have IPSec working fine when I use the MUVPN client software so the issue does not exist in my IPSec setup.

Thanks
vbchewie Asked:

dpk_wal Commented:
What I am saying is, all you did is correct.
The WatchGuard PPTP service, if you would check, is allowing traffic on port 1723 protocol TCP and protocol 47 [GRE]. This service allows connections from the internet to the Firebox.

If you would notice there is also a service wg_authentication [it might be hidden]; which allows authentication on TCP 4100. This service allows external users to authenticate to WG.

What I am saying is that for the remote users to connect to shared resources behind the firewall, there should be a policy on the firewall which allows traffic from the authenticated VPN group named VPNAccess to the shared resources. You can create an ANY policy or you can configure specific policies like HTTP, FTP, others, or create a custom policy.

You can refer to the KB article I have listed in post # 35704117. Look at section "Configure a PPTP policy" [http://www.watchguard.com/help/docs/fireware/10/en-US/Content/en-US/ruvpn/pptp_policy-configure_f.html]
The article talks about adding a Firebox user, but you would use the RADIUS group instead.

Please let me know if you need more details.

Thank you.

dpk_wal Commented:
WG does not have an IPSec client which can be used on smartphones; they only talk about PPTP VPN from smartphones:
http://customers.watchguard.com/articles/Article/2166?retURL=%2Fapex%2FknowledgeHome&popup=false

If you use a third party or integrated IPSec VPN client on smartphones and configure exactly as setting on WG then you should be able to get connected.

Can you post a few sanitized logs from the smartphone client which might explain the reason for the failure?

Thank you.

vbchewie (Author) Commented:
Do you have any suggestion for such 3rd party apps?  Here are the error logs from an Android device trying to use IPSec.

2011-05-06 10:16:27 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx isakmp/udp 61964 500 0-External-??????? 1-Trusted Denied 380 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" 	Traffic
2011-05-06 10:16:48 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx isakmp/udp 61964 500 0-External-??????? 1-Trusted Denied 380 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" 	Traffic
2011-05-06 10:16:59 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx l2tp/udp 61981 1701 0-External-??????? 1-Trusted Denied 97 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" 	Traffic

Thank You
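The three log lines above are Fireware traffic-log denies by the default "Unhandled External Packet" rule for IKE (udp/500) and L2TP (udp/1701): the Firebox has no inbound policy for an IPSec/L2TP client the way the auto-generated WatchGuard PPTP policy covers tcp/1723. As an added example (not code from the thread or from WatchGuard), this Python script parses sanitized lines in that format and reports which VPN ports are being dropped; the sample lines are constructed in the same layout.

```python
import re
from collections import Counter

# Fireware traffic-log lines constructed in the layout shown in the thread
# (addresses sanitized with "x"); not real captures.
SAMPLE_LOG = """\
2011-05-06 10:16:27 Deny 174.x.x.x 25.x.x.x isakmp/udp 61964 500 0-External 1-Trusted Denied 380 45 (Unhandled External Packet-00) proc_id="firewall" rc="101" dst_ip_nat="192.x.x.x" Traffic
2011-05-06 10:16:59 Deny 174.x.x.x 25.x.x.x l2tp/udp 61981 1701 0-External 1-Trusted Denied 97 45 (Unhandled External Packet-00) proc_id="firewall" rc="101" dst_ip_nat="192.x.x.x" Traffic
2011-05-06 10:17:03 Allow 174.x.x.x 25.x.x.x pptp/tcp 51002 1723 0-External 1-Trusted Allowed 60 45 (WatchGuard PPTP-00) proc_id="firewall" rc="100" Traffic
"""

# Destination ports the VPN client types discussed in the thread rely on.
VPN_PORTS = {500: "IKE (isakmp)", 4500: "IKE NAT-T", 1701: "L2TP", 1723: "PPTP"}

# date time action src dst service sport dport src_ifc dst_ifc disposition
# <two numeric fields> (policy name); key="value" pairs after that are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) (?P<src_ifc>\S+) (?P<dst_ifc>\S+) "
    r"(?P<disp>\w+) \d+ \d+ \((?P<policy>[^)]*)\)"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None          # not a traffic-log line in this layout
    d = m.groupdict()
    d["dport"] = int(d["dport"])
    return d

def unhandled_vpn_denies(log_text):
    """Return {dport: count} of VPN-related packets arriving on the External
    interface that were dropped by the default 'Unhandled External Packet'
    rule, i.e. packets no inbound policy matched."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["action"] == "Deny"
                and rec["src_ifc"].endswith("External")
                and rec["policy"].startswith("Unhandled External Packet")
                and rec["dport"] in VPN_PORTS):
            hits[rec["dport"]] += 1
    return dict(hits)

def explain(log_text):
    """Human-readable findings, ordered by port, for a quick policy check."""
    return [f"{VPN_PORTS[p]} ({n} packet(s)) denied: no inbound policy allows it"
            for p, n in sorted(unhandled_vpn_denies(log_text).items())]
```

Run `explain(SAMPLE_LOG)` against an exported log to see which ports still need an inbound policy; an empty list means every VPN packet seen was matched by some policy.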

dpk_wal Commented:
Any specific reason why you do not wish to go with PPTP, which, as you have said, is a working solution?

Sorry, I am not aware of any IPSec client for smartphones.

vbchewie (Author) Commented:
PPTP doesn't seem to be allowing the network authentication to work.  For example, if I want to open a network resource like SharePoint or Reporting Services it doesn't seem to work.  But it does work if the device is connected via Wi-Fi, so I assumed it had something to do with PPTP.

dpk_wal Commented:
If you have allowed the ANY service from PPTP remote VPN users then the firewall would allow all traffic to flow; you might want to look at the specific service to see if it has the remote_vpn user/group added, if needed.

Thank you.

vbchewie (Author) Commented:
It's not authenticating to AD when I do PPTP.  It won't allow me to use an RDP client or connect to resources like SharePoint or SQL Server Reporting Services.  I think I'm going to take a look at the Citrix Xen solutions.

Thank you.  

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

vbchewie (Author) Commented:
Okay, I got the RADIUS working, used the VPN connection on an iPhone and got connected.  Checked the WatchGuard System Manager and it showed the connection.  However, even when connected it won't let me access network resources like it will when I am connected to the corporate Wi-Fi through the iPhone.  I tried RDP Lite to connect to the server; it works if I'm on Wi-Fi but not when I'm connected through the VPN.

dpk_wal Commented:
Have you added a policy to allow access from remote users? [As you are using RADIUS, say on RADIUS you have a user or group by the name forVPN {case sensitive}; so you must have defined the user/group on WG as forVPN.] Add a specific service or the ANY service as:
Enabled and Allowed; from forVPN; to Trusted [here you can give specific sources/IP/subnet/interface as the case is].

Please check and update.

Thank you.

vbchewie (Author) Commented:
Whe

vbchewie (Author) Commented:
I've set up the IAS RADIUS server; it is set to allow the Windows group "domain\VPNAccess".
I set up a RADIUS Authentication Server on the Firebox and set the Shared Key I used on the IAS server.
I set up VPN -> Mobile VPN -> PPTP -> Use RADIUS authentication to authenticate Mobile VPN with PPTP users.
WG automatically generated policy = WatchGuard PPTP From Any to Firebox.
With this setup I am able to connect through the VPN, so I'm pretty sure I have my RADIUS and Group right.
Are you saying I need to create another Policy to go from Firebox to Any?

Thanks,


TheBigDog Commented:
Watchguard has announced support in the coming release of the XTM firmware for native IPSEC on iOS in Q4 2011. HTH.

eshcom Commented:
IPSEC in iOS works fine with WatchGuard now if you are running XTM 11.5.1.