
Solved

iPad, iPhone, Android device IPSec VPN with Watchguard Firewall

Posted on 2011-05-05
16
Medium Priority
8,231 Views
Last Modified: 2013-11-16
I'm trying to get an IPSec VPN connection to work on iOS and android devices.  I got it to work with PPTP using the Firebox Authentication, but I would like to do it with IPSec instead.  I do not want to use PPTP with Radius.  I have IPSec working fine when I use the MUVPN client software so the issue does not exist in my IPSec setup.

Thanks
0
Comment
Question by:vbchewie
15 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 35704117
WG does not have an IPSec client which can be used on smartphones; they only talk about PPTP VPN from smartphones:
http://customers.watchguard.com/articles/Article/2166?retURL=%2Fapex%2FknowledgeHome&popup=false

If you use a third-party or integrated IPSec VPN client on smartphones and configure it exactly as set on the WG, then you should be able to get connected.

Can you post a few sanitized logs from the smartphone client which might explain the reason for the failure?

Thank you.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 35708186
Do you have any suggestion for such 3rd party apps?  Here are the error logs from an Android device trying to use IPSec.

2011-05-06 10:16:27 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx isakmp/udp 61964 500 0-External-??????? 1-Trusted Denied 380 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" 	Traffic
2011-05-06 10:16:48 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx isakmp/udp 61964 500 0-External-??????? 1-Trusted Denied 380 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" 	Traffic
2011-05-06 10:16:59 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx l2tp/udp 61981 1701 0-External-??????? 1-Trusted Denied 97 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" 	Traffic


Thank You
0
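A small parser for the Firebox "Traffic" log lines posted above, added here as an example (it is not code from the thread or from WatchGuard). It picks out denied inbound packets on the ports an IPSec/L2TP or PPTP client has to reach before any tunnel exists, the pattern the "Unhandled External Packet" denies above show. The sample lines, the `nat-t` service name and the NAT-T/PPTP lines are constructed for the example.

```python
import re

# Constructed sample in the shape of the Firebox "Traffic" lines posted above (addresses
# masked as in the post); the NAT-T and PPTP lines are added here for illustration.
SAMPLE_LOG = """\
2011-05-06 10:16:27 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx isakmp/udp 61964 500 0-External-??????? 1-Trusted Denied 380 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" \tTraffic
2011-05-06 10:16:59 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx l2tp/udp 61981 1701 0-External-??????? 1-Trusted Denied 97 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" \tTraffic
2011-05-06 10:17:03 Deny 174.xxx.xxx.xxx 25.xxx.xxx.xxx nat-t/udp 61990 4500 0-External-??????? 1-Trusted Denied 120 45 (Unhandled External Packet-00)  proc_id="firewall" rc="101" dst_ip_nat="192.xxx.xxx.xxx" \tTraffic
2011-05-06 10:18:10 Allow 174.xxx.xxx.xxx 25.xxx.xxx.xxx pptp/tcp 62001 1723 0-External 1-Trusted Allowed 60 63 (WatchGuard PPTP-00)  proc_id="firewall" rc="100" \tTraffic
"""

# Ports a road-warrior client must reach before any tunnel exists. ESP (IP proto 50)
# and GRE (IP proto 47) carry no port and are not matched by this port-based table.
VPN_SETUP_PORTS = {
    ("udp", 500): "IKE / ISAKMP",
    ("udp", 4500): "IKE NAT-Traversal",
    ("udp", 1701): "L2TP",
    ("tcp", 1723): "PPTP control",
}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<service>[^/\s]+)/(?P<proto>\w+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<src_if>\S+) (?P<dst_if>\S+) (?P<disposition>\w+) \d+ \d+ \((?P<policy>[^)]*)\)"
)

def parse_line(line):
    """Return the fixed fields plus any key="value" pairs, or None if not a Traffic line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec.update(re.findall(r'(\w+)="([^"]*)"', line))
    return rec

def find_denied_vpn_setup(log_text):
    """Denied inbound packets on VPN setup ports: the symptom of a missing inbound policy."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            role = VPN_SETUP_PORTS.get((rec["proto"].lower(), rec["dport"]))
            if role:
                rec["role"] = role
                hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_denied_vpn_setup(SAMPLE_LOG):
        print(f'{h["time"]} {h["src"]} -> {h["dst"]}:{h["dport"]}/{h["proto"]} '
              f'{h["role"]} denied by "{h["policy"]}"')
```

Each hit names the protocol stage that was blocked, so a run over a real Traffic log shows whether the missing piece is IKE, NAT-T or L2TP rather than something on the client side.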
 
LVL 32

Expert Comment

by:dpk_wal
ID: 35712802
Any specific reason why you do not wish to go with PPTP, which, as you have said, is a working solution?

Sorry, I am not aware of any IPSec client for smartphones.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 35713528
PPTP doesn't seem to be allowing the network authentication to work.  For example, if I want to open a network resource like SharePoint or Reporting Services it doesn't seem to work.  But it does work if the device is connected via WiFi, so I assumed it had something to do with PPTP.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 35714142
If you have allowed the ANY service from PPTP remote VPN users, then the firewall would allow all traffic to flow; you might want to look at the specific service to see if it has the remote_vpn user/group added, if needed.

Thank you.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 35825008
It's not authenticating to AD when I do PPTP.  It won't allow me to use an RDP client or connect to resources like SharePoint or SQL Server Reporting Services.  I think I'm going to take a look at the Citrix Xen solutions.

Thank you.  
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 35990301
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 35986387
Okay, I got the RADIUS working, used the VPN connection on an iPhone and got connected.  Checked the WatchGuard System Manager and it showed the connection.  However, even when connected it won't let me access network resources like it will when I am connected to the corporate WiFi through the iPhone.  I tried RDP Lite to connect to the server; it works if I'm on WiFi but not when I'm connected through the VPN.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 35986902
Have you added a policy to allow access from remote users [as you are using RADIUS, say on RADIUS you have a user or group by name forVPN {case sensitive}]; so you must have defined the user/group on WG as for VPN. Add specific service or ANY service as:
Enabled and Allowed; from forVPN; to Trusted [here you can give specific sources/IP/subnet/interface as the case is].

Please check and update.

Thank you.
0
 
LVL 1

Author Comment

by:vbchewie
ID: 35990302
Whe
0
 
LVL 1

Author Comment

by:vbchewie
ID: 35990432
I've set up the IAS RADIUS server; it is set to allow Windows group "domain\VPNAccess".
I set up a RADIUS Authentication Server on the Firebox and set the Shared Key I used on the IAS server.
I set up VPN -> Mobile VPN -> PPTP -> Use RADIUS authentication to authenticate Mobile VPN with PPTP users.
WG automatically generated policy = WatchGuard PPTP From Any to Firebox.
With this setup I am able to connect through the VPN, so I'm pretty sure I have my RADIUS and group right.
Are you saying I need to create another policy to go from Firebox to Any?

Thanks,

0
 
LVL 32

Accepted Solution

by:dpk_wal earned 2000 total points
ID: 35990586
What I am saying is, all you did is correct.
The WatchGuard PPTP service, if you check, is allowing traffic on port 1723 protocol TCP and protocol 47 [GRE]. This service allows connection from the internet to the Firebox.

If you look, you will notice there is also a service, wg_authentication [it might be hidden], which allows authentication on TCP 4100. This service allows external users to authenticate to the WG.

What I am saying is that for the remote users to connect to shared resources behind the firewall, there should be a policy on the firewall which allows traffic from the authenticated VPN group named VPNAccess to the shared resources. You can create an ANY policy, or you can configure specific policies like HTTP, FTP and others, or create a custom policy.

You can refer to the KB article I have listed in post # 35704117. Look at section "Configure a PPTP policy" [http://www.watchguard.com/help/docs/fireware/10/en-US/Content/en-US/ruvpn/pptp_policy-configure_f.html]
The article talks about adding firebox User but you would use RADIUS group instead.

Please let me know if you need more details.

Thank you.
0
 

Expert Comment

by:TheBigDog
ID: 36933252
WatchGuard has announced support for native IPSEC on iOS in the coming release of the XTM firmware, in Q4 2011. HTH.
0
 

Expert Comment

by:eshcom
ID: 37464432
IPSEC in iOS works fine with WatchGuard now if you are running XTM 11.5.1.
0
