Define Mobile VPNs

In a mobile VPN, a VPN client on a user's device connects to a VPN gateway.

You can use both SSL VPN and IPsec tunnels together in the mobile VPN configuration in the same policy-based VPN.

Note: Route-based VPN tunnels do not support mobile VPNs.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Configure VPN Client settings in the Engine Editor.
    1. Right-click a Firewall element, then select Edit <element type>.
    2. Browse to VPN > VPN Client.
    3. Configure the settings.
    4. (Optional) Configure the settings on the Advanced branch.
    5. Click Save and Refresh to save the changes to the configuration and refresh the policy on the engine.
  2. Create a policy-based VPN or edit an existing policy-based VPN.
  3. On the Mobile VPN tab of the policy-based VPN, specify which VPN Gateways provide mobile VPN access.
  4. Click Save.

Engine Editor > VPN > VPN Client

Use this branch to change settings that are used when the NGFW Engine acts as a VPN Gateway in a mobile VPN.

Option Definition
Gateway Display Name If you want to show a different name for the Gateway to Mobile VPN users, enter the name for the VPN Gateway element.
VPN Type Defines the type of tunnels the mobile VPN supports.
  • IPsec VPN — The mobile VPN only supports IPsec tunnels.
  • SSL VPN — The mobile VPN only supports SSL VPN tunnels.
  • Both IPsec & SSL VPN — The mobile VPN supports IPsec and SSL VPN tunnels.
SSL Port

(When VPN Type is SSL VPN)

The port for SSL VPN tunnels.
TLS Cryptography Suite Set

(When VPN Type is SSL VPN)

The cryptographic suite for SSL VPN tunnels. Click Select to select an element.
Note: Do not change the default setting unless you have a specific reason to do so.
Authentication Timeout

(When VPN Type is SSL VPN)

The timeout for Forcepoint VPN Client user authentication.
Option Definition
Local Security Checks section (Forcepoint VPN Client for Windows only) Defines whether the Forcepoint VPN Client for Windows checks for the presence of basic security software to stop connections from risky computers.
  • Anti-Virus is enabled — Requires anti-virus software to be enabled on the computers of mobile VPN users.
  • Firewall is enabled — Requires firewall software to be enabled on the computers of mobile VPN users.
  • Windows Update is enabled — Requires the Windows Update service to be enabled on the computers of mobile VPN users.
Option Definition
Virtual Address section Options for configuring the Forcepoint VPN Client with virtual IP addresses assigned by a DHCP server for connections inside the VPN.
DHCP Mode Specifies how DHCP requests from VPN clients are sent.
  • Disabled (IPsec VPN type only) — DHCP is not enabled.
  • Direct — When selected, the engine sends a normal DHCP client broadcast message to a DHCP server located in a directly connected network.
    Note: This option is included for backward compatibility with legacy NGFW software versions.
  • Relay — When selected, the engine sends unicast DHCP relay messages for VPN clients’ DHCP requests.
Note: If SSL VPN or Both IPsec & SSL VPN is selected from the VPN Type drop-down list, only the Direct and DHCP Relay are shown.
Interface

(When DHCP Mode is Direct)

The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
Interface for DHCP Relay

(When DHCP Mode is Relay)

The source address for the DHCP packets when querying the DHCP server (the interface toward the DHCP server).
DHCP Server (NGFW < 5.9)

(When DHCP Mode is Direct)

The DHCP server that assigns IP addresses for the VPN clients.
Note: This option is included for backward compatibility with legacy NGFW software versions.
DHCP Servers

(When DHCP Mode is Relay)

The DHCP server that assigns IP addresses for the VPN clients. Click Add to add an element to the table, or Remove to remove the selected element.
Add Information

(Optional)

Specifies what VPN Client user information is added to the Remote ID option field in the DHCP Request packets.
  • Add User Information — When selected, VPN Client user information (in the form user@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • Add Group Information — When selected, VPN Client user information (in the form group@domain) is automatically added to the Remote ID option field in the DHCP Request packets.
  • None — When selected, no user or user group information is added to the Remote ID option field in the DHCP Request packets.
Restrict Virtual Address Ranges When selected, the VPN gateway restricts the VPN clients’ addresses to the specified range, even if the DHCP server tries to assign some other IP address. Enter the IP address range in the field on the right.
Proxy ARP When selected, the engine acts as a proxy for the VPN clients’ ARP requests. Enter the IP address range for proxy ARP in the field on the right.
Option Definition
Secondary IPsec VPN Gateways section

(Optional)

(When VPN Type is IPsec VPN)

Other IPsec VPN gateways to contact in case there is a disruption at the IPsec VPN gateway end (in the order of contact). Click Add to add a row to the table, or Remove to remove the selected row. Click Up or Down to move the selected element up or down.

Policy-Based VPN editing view

Use this view to create and modify policy-based virtual private networks (VPN).

Option Definition
Resources Use this pane to create and add elements to a VPN.
Search Opens a search field for the selected element list.
Up (Backspace) Returns to the previous folder.
New Opens the associated dialog box to create an element.
Tools
  • New — Creates an element of the specified type.
  • Show Deleted Elements — Shows elements that have been moved to the Trash.
  • Expand All — Expands all levels of the interface tree.
  • Collapse All — Collapses all levels of the interface tree.
  • Refresh View — Updates the interface tree.
  • Sign VPN Client Certificate — Opens the Sign VPN Client Certificate dialog box.
  • Show Certificates — Shows certificates for VPN gateways.
  • Show Sites — Shows sites for VPN gateways.
  • Show Certificate Requests — Shows certificate requests for VPN gateways.
Option Definition
Editor toolbar
Save Saves the changes.
Tools menu
Properties Opens the VPN Properties dialog box.
Sign VPN Client Certificate Opens the Sign VPN Client Certificate dialog box.
Filter by Gateway Shows only tunnels where the selected gateway is used. Only available on the Tunnels tab.
Filter by Firewall Shows only tunnels where the selected firewall is used. Only available on the Tunnels tab.
No Filtering Disables filtering.
Option Definition
Site-to-Site VPN tab
Central Gateways list Specifies which VPN gateways are central gateways in the VPN. Central gateways can establish a VPN with any other gateway in the VPN.
Satellite Gateways list Specifies which VPN gateways are satellite gateways in the VPN. Satellite gateways can establish a VPN only with central gateways in the VPN.
Option Definition
Mobile VPN tab
Select engines that provide Mobile VPN Access Specifies the gateways that can be selected for mobile VPN access.
  • None — None of the VPN gateways provide mobile VPN access.
  • Only central Gateways from overall topology — Only the VPN Gateways in the Central Gateways list on the Site-to-Site VPN tab provide mobile VPN access.
  • All Gateways from overall topology — All VPN Gateways included in the VPN provide mobile VPN access.
  • Selected Gateways below — Only the VPN Gateways that you add to the Mobile VPN Gateways tree provide mobile VPN access.
Option Definition
Tunnels tab
Gateway A or Gateway B VPN Gateway elements are used for Gateway A; for Gateway B, they can be VPN Gateway or External VPN Gateway elements.
Right-clicking this type of cell opens these menu items:
  • Properties — Opens the element properties. For VPN Gateway elements, this action opens the Engine Editor.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate Regular Missing Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Monitoring — Opens the Logs view or another Monitoring view according to the option selected from the Monitoring menu.
  • Add Category — Adds a Category to the selected element.
  • Tools
    • Export Elements — Exports the selected element.
    • Generate Certificate — Opens the Generate Certificate dialog box.
    • Export iOS VPN Configuration Profile — Exports a configuration profile for Forcepoint VPN Client for iOS.
    • Save Gateway Contact Information — Saves the contact information for the selected gateway.
    • Lock — Prevents edits until the element is unlocked. Opens the Lock Properties dialog box.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
VPN Profile

To override the default VPN profile for this VPN, select a VPN Profile element for the tunnel.

Right-clicking this type of cell opens these menu items:
  • Edit VPN Profile — Opens a menu from which you can select the VPN Profile.
  • Properties — Opens the VPN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Key Verifies if the required pre-shared key is properly set. If you use pre-shared keys for authentication with external gateways, either set the key agreed with your partner or export the keys that have been automatically generated for your partner to use.

To view, change, or export the pre-shared key, double-click .

Right-clicking this type of cell opens these menu items:
  • Edit Key — Opens the Pre-Shared Key dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Verifies if the tunnel is valid. If a tunnel has a warning icon in the Validity cell, right-click the tunnel and select View issues. You must resolve all problems indicated in the messages shown.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Forwarding Gateways Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Delete Pre-Shared Key — Deletes the pre-shared key for the VPN tunnel.
  • Generate missing Regular Pre-Shared Key — Generates a pre-shared key for the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Endpoint A or Endpoint B

Select the endpoint IP addresses. You cannot use the same endpoint in a route-based VPN tunnel and a policy-based VPN tunnel.

If loopback IP addresses are defined for a VPN Gateway, you can select a loopback IP address as the endpoint IP address.

Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Logs by VPN Endpoint — Opens the Logs view and shows log data related to the VPN endpoint.
IPsec Profile Right-clicking this type of cell opens these menu items:
  • Edit IPsec Profile — Opens the VPN Profile Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Select Profile — Opens the Select Profile dialog box.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
  • Tools
    • Export Elements — Exports the selected element.
    • References — Shows references to the selected element.
    • Audit History — Opens the Logs view and shows audit log data associated with the selected element.
Mode Determines how the tunnel is used in a Multi-Link VPN.
Right-clicking this type of cell opens these menu items:
  • Edit Mode — Opens the Link Mode Properties dialog box.
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • Standby — The link is used only when all Active or Aggregate mode links are unusable.
  • Active — The link is always used.

    If there are multiple links in Active mode between the Gateways, the VPN traffic is load-balanced between the links based on the links’ load. VPN traffic is directed to the link that has the lowest load.

  • Aggregate — The link is always used and each VPN connection is load-balanced in round robin fashion between all the links that are in the Aggregate mode.

    For example, if there are two links in Aggregate mode, a new VPN connection is directed to both links.

  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Validity Verifies if the tunnel is valid.
Right-clicking this type of cell opens these menu items:
  • Disable — Disables the VPN tunnel.
  • Enable — Enables the VPN tunnel.
  • View Issues — Shows the issues for the VPN tunnel on the Issues tab at the bottom of the view.
  • View Link Summary — Shows a summary of the VPN link status for the VPN tunnel on the Link Summary tab at the bottom of the view.
Option Definition
Panes in the Policy-Based VPN editing view
Info pane Shows information about the selected element.
Issues pane Shows issues in the VPN configuration, such as incompatible settings.
Link Summary pane Shows a summary of the policy-based VPN configuration.