Forcepoint Next Generation Firewall
How to use iOS VPN clients with Forcepoint Next Generation Firewall 6.0 and higher
Revision B
How to use iOS VPN Clients with Forcepoint NGFW

Contents

• Introduction
• Configuration scenarios
• Prepare for VPN configuration
• Configure an IKEv2 type VPN
• Configure a Cisco IPsec type VPN
• Open a VPN tunnel on the iOS device
• Troubleshooting

Introduction
You can configure native iOS VPN clients to connect to Forcepoint™ Next Generation Firewall (Forcepoint
NGFW).
We assume that the following configuration has already been done in the Management Client:

• The internal DHCP server on an interface of a Single Firewall has been configured to provide virtual IP
addresses to clients.
• A Policy-Based VPN has been configured.
• An Active Directory Server element has been created.
• Network Policy Server (NPS) authentication has been configured for the Active Directory Server.
For detailed information about using Active Directory Servers to authenticate users, see Knowledge Base article
9649.
For detailed information about VPN configuration, see the Forcepoint Next Generation Firewall Product Guide.

Configuration scenarios
The configuration scenarios include IKEv2 type VPN and Cisco IPsec type VPN configurations.
In both configuration scenarios, certificates contain RSA encryption keys.

IKEv2 type VPN


In this scenario, the VPN client on the iOS device is configured with an IKEv2 type VPN connection.
VPN client users are authenticated using the EAP-MSCHAPv2 authentication method. VPN client user accounts
are stored on an Active Directory server. Authentication is provided by Active Directory with NPS.

Note: Although it is possible to connect to the VPN with a user account stored in the
InternalDomain LDAP domain in the Forcepoint™ NGFW Security Management Center (SMC),
this configuration is not recommended. When user accounts are stored in the InternalDomain, you
must use external NPS authentication, and the user name must be the same in the SMC and on
the Active Directory server.

Cisco IPsec type VPN


In this scenario, the VPN client on the iOS device is configured with a Cisco IPsec type VPN connection.
You export an iOS VPN configuration profile from the SMC, and import the profile on the iOS device.

Prepare for VPN configuration


To prepare for VPN configuration, configure general settings that are needed in both configuration scenarios.

Configure the Network Policy Server in Active Directory
Add the EAP-MSCHAPv2 method to the Network policy on the Network Policy Server (NPS) to allow IKEv2
authentication requests from VPN clients.

Steps
1) On the NPS, open the properties of the Network policy.

2) On the Constraints tab, select Authentication Methods.

3) Below the EAP Types list, click Add, then select Microsoft: Secured password (EAP-MSCHAP v2).

4) Select Unencrypted authentication (PAP, SPAP).

Note: PAP or SPAP RADIUS methods are used only in the Cisco IPsec type VPN. iOS VPN
clients and Forcepoint NGFW do not use the PAP or SPAP RADIUS methods in the IKEv2
type VPN.

5) Click OK.


Activate the internal DHCP server on a firewall interface
In this configuration, the internal DHCP server running on a firewall interface provides IP addresses to the VPN
client Virtual Adapter.
Only IPv4 addresses are supported. To use this feature, the Firewall interface must have at least one IPv4
address.

Note: You can use the internal DHCP server to provide IP addresses to the VPN client Virtual
Adapter only if you use Single Firewalls as VPN gateways. For Firewall Clusters, you must use
an external DHCP server. See the Forcepoint Next Generation Firewall Product Guide for more
information.

Steps
For more details about the product and how to configure features, click Help or press F1.

1) Right-click the Single Firewall element and select Edit <element type>.

2) In the navigation pane on the left, select Interfaces.

3) Right-click the interface, then select Edit <interface type>.

4) On the DHCP tab, select DHCP Server from the DHCP Mode drop-down list.

5) Next to the DHCP Address Range field, click Address and enter a single IP address or an IP address
range.

Note: The DHCP address range must be in the same network space defined for the Physical
Interface. The DHCP address range must not contain the Firewall’s NDI or CVI addresses or
broadcast IP addresses of networks behind the Firewall.

6) In the Primary DNS Server field, enter the IP addresses of the DNS servers that clients use to resolve
domain names.

7) In the Default Gateway field, enter the IP address of the gateway through which traffic from clients is routed.

8) Save the changes.


• To save the changes, click Save.
• To save the changes and refresh the security policy on the engine, click Save and Refresh.


Define a DHCP Server


Create a DHCP Server element to represent the internal DHCP server on the firewall interface in the VPN
configuration.

Steps

1) Select Configuration.

2) Expand the Network Elements tree.

3) Right-click Servers, then select New > DHCP Server.

4) In the Name field, enter a unique name.

5) In the IP Address field, enter the IP address of the firewall interface on which you activated the internal
DHCP server.

6) Click OK.

Define endpoints for the NGFW Engine


Define one or more VPN endpoints for the NGFW Engine.

Steps

1) Right-click the engine element, then select Edit Single Firewall or Edit Firewall Cluster.

2) In the navigation pane on the left, browse to VPN > Endpoints.


The IP addresses available for use as endpoints are displayed.

3) (Optional) Change the selection of IP addresses that you want to use as endpoints in VPNs.
• Typically, these are IP addresses that belong to interfaces toward the Internet, which are automatically
selected based on the firewall’s default routing table.
• If you have more than one Internet connection, select an IP address from each ISP.

4) Double-click the endpoint to open the Properties dialog box.

5) From the ID Type drop-down list, select IP Address or DNS Name.

6) In the ID Value field, enter an ID value according to the selected ID type.


• If you selected DNS Name, enter the fully qualified domain name (FQDN) to which VPN clients connect.
• If the endpoint has a dynamic IP address, enter a specific IP address as the value for the IP Address
type.


Note: If the endpoint has a static IP address, the value for the IP Address type is filled in
automatically.

7) Click OK to save your changes to the endpoint.

8) Save the changes.


• To save the changes, click Save.
• To save the changes and refresh the security policy on the engine, click Save and Refresh.

Configure VPN Client settings for the NGFW Engine

Configure VPN Client settings for the NGFW Engine.

Steps

1) Right-click the Firewall element and select Edit <element type>.

2) In the navigation pane on the left, browse to VPN > VPN Client.

3) From the VPN Type drop-down list, select Both IPsec & SSL VPN.

Note: Native iOS VPN clients only support IPsec VPNs.

4) From the DHCP Mode drop-down list, select Relay.

5) From the Interface for DHCP Relay drop-down list, select the firewall interface on which you activated the
internal DHCP server.

6) Next to the DHCP Servers field, click Add, then select the DHCP Server element that represents the internal
DHCP server on the firewall's interface.

7) Select Restrict Virtual Address Ranges, then enter the IP address range in the field on the right.
With this option, you can restrict the VPN clients’ addresses to a set range, even if the DHCP server tries
to assign some other IP address. If an incorrect address is assigned, the user might not be able to access
resources.

8) Select Proxy ARP, then enter the IP address range in the field on the right.
Add all virtual IP addresses that the VPN clients are allowed to use. We recommend using the same
IP address range as the DHCP Address Range setting for the firewall interface or the Restrict Virtual
Address Ranges setting. This configuration allows the firewall to handle connections that are opened from
protected internal network towards the VPN Clients.

9) Save the changes.


• To save the changes, click Save.

• To save the changes and refresh the security policy on the engine, click Save and Refresh.
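The DHCP Address Range note for the firewall interface and the Restrict Virtual Address Ranges and Proxy ARP steps above describe constraints that are easy to break when the three ranges are typed separately. The following Python script is an added example (not Forcepoint's code and not part of the Management Client) that checks those constraints with the standard-library ipaddress module; the interface address, the address ranges and the function names are assumptions constructed for the example.

```python
"""Consistency checks for VPN client virtual-address settings.

Added example, not Forcepoint's code. It encodes the constraints the guide
places on the DHCP Address Range, the Restrict Virtual Address Ranges
option and the Proxy ARP range using only the standard-library ipaddress
module. All sample values are constructed for the example.
"""
import ipaddress
from typing import List, Optional, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(text: str) -> Range:
    """Parse 'first-last' (or a single address) into an inclusive range."""
    first, _, last = text.partition("-")
    lo = ipaddress.IPv4Address(first.strip())
    hi = ipaddress.IPv4Address(last.strip()) if last else lo
    if hi < lo:
        raise ValueError(f"range end precedes range start: {text}")
    return lo, hi


def contains(rng: Range, addr: ipaddress.IPv4Address) -> bool:
    return rng[0] <= addr <= rng[1]


def covers(outer: Range, inner: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def check_dhcp_range(interface_cidr: str, dhcp_range: str) -> List[str]:
    """Check the DHCP Address Range of a firewall interface.

    interface_cidr is the interface address with its mask (the NDI of a
    Single Firewall), e.g. '10.20.30.1/24'. Returns a list of problems;
    an empty list means the range satisfies the guide's rules.
    """
    problems: List[str] = []
    iface = ipaddress.IPv4Interface(interface_cidr)
    rng = parse_range(dhcp_range)
    # The range must lie in the network space defined for the interface.
    if not (rng[0] in iface.network and rng[1] in iface.network):
        problems.append(f"range {dhcp_range} is not inside interface network {iface.network}")
    # The range must not contain the firewall's own (NDI) address.
    if contains(rng, iface.ip):
        problems.append(f"range contains the firewall interface address {iface.ip}")
    # The range must not contain the broadcast address of the network behind the firewall.
    bcast = iface.network.broadcast_address
    if contains(rng, bcast):
        problems.append(f"range contains broadcast address {bcast}")
    return problems


def check_virtual_ranges(dhcp_range: str, proxy_arp_range: str,
                         restrict_range: Optional[str] = None) -> List[str]:
    """Check the Proxy ARP range against the DHCP range and the optional
    Restrict Virtual Address Ranges setting of the VPN Client settings."""
    problems: List[str] = []
    dhcp = parse_range(dhcp_range)
    arp = parse_range(proxy_arp_range)
    if restrict_range is not None:
        restrict = parse_range(restrict_range)
        # Addresses the DHCP server hands out beyond the restriction are refused.
        if not covers(restrict, dhcp):
            problems.append("DHCP range extends beyond Restrict Virtual Address Ranges")
        if not covers(arp, restrict):
            problems.append("Proxy ARP range does not cover Restrict Virtual Address Ranges")
    # Internal hosts can only reach client addresses the firewall answers ARP for.
    if not covers(arp, dhcp):
        problems.append("Proxy ARP range does not cover the DHCP range")
    return problems


if __name__ == "__main__":
    # Constructed sample: NDI 10.20.30.1/24, 100 virtual addresses, matching Proxy ARP range.
    for msg in check_dhcp_range("10.20.30.1/24", "10.20.30.100-10.20.30.199"):
        print("DHCP range:", msg)
    for msg in check_virtual_ranges("10.20.30.100-10.20.30.199",
                                    "10.20.30.100-10.20.30.199",
                                    "10.20.30.100-10.20.30.199"):
        print("Virtual ranges:", msg)
```

Run it with the values you intend to enter before saving the engine. A finding from check_dhcp_range is a range the note above forbids (outside the interface network, or containing the NDI or a broadcast address); a DHCP range that extends beyond Restrict Virtual Address Ranges is the situation behind the "Remote address not allowed" message in the troubleshooting table, and a Proxy ARP range that does not cover the DHCP range leaves some clients unreachable from the protected network.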

Create a VPN Profile element


Create a VPN Profile element that defines the IKE SA and IPsec SA settings for the VPN.

Steps

1) Select Configuration, then browse to VPN.

2) Expand the Other Elements > Profiles branch in the element tree.

3) Right-click VPN Profiles and select New VPN Profile.

4) In the Name field, enter a unique name.

5) On the IKE SA tab, configure the settings.


a) In the Version section, select one or more IKE versions.
• For an IKEv2 type VPN, select IKEv2.
• For a Cisco IPsec type VPN, select IKEv1.

b) In the Cipher Algorithms section, select one or more of the following encryption methods: AES-128,
AES-256, 3DES.

c) In the Message Digest Algorithm section, select one or more of the following message digest
algorithms to use in the VPN: SHA-1, SHA-2.

d) If you selected SHA-2 as the message digest algorithm, select the minimum length for the digest from
the drop-down list to the right of the option.

e) In the Diffie-Hellman Groups section, select one or more of the following Diffie-Hellman groups for key
exchange in the VPN: 2, 5, 14, 19.

f) From the Authentication Method drop-down list, select RSA Signatures.

g) If you selected IKEv1 as the version, select the IKEv1 negotiation mode from the IKEv1 Negotiation
Mode drop-down list.


Figure 1: Example of the IKE SA configuration

6) On the IPsec SA tab, configure the settings.


a) In the IPsec Type section, select the IPsec type.
ESP is the recommended setting (the communications are encrypted).

b) In the Cipher Algorithms section, select one or more of the following encryption methods: AES-128,
AES-256, 3DES.

c) In the Message Digest Algorithm section, select one or more of the following message digest
algorithms to use in the VPN: SHA-1, SHA-2.

d) If you selected SHA-2 as the message digest algorithm, select the minimum length for the digest from
the drop-down list to the right of the option.

e) In the Compression Algorithm section, select None.

f) In the Security Association Granularity for Tunnel Mode section, select SA per Net.


Figure 2: Example of the IPsec SA configuration

7) On the IPsec Client tab, configure the settings.


a) From the Authentication Method drop-down list, select RSA Signatures.

b) Select Allow Hybrid / EAP Authentication.

c) In the IPsec Security Association Granularity for Tunnel Mode section, select the following options:
• SA per Net
• Allow SA to Any Network

Note: The iOS VPN client does not support split tunnels. To generate a full-tunnel
VPN, you must select the Allow SA to Any Network option in the VPN Profile
element. Optionally, you can use the Any network (0.0.0.0/0) element in the site
definition for the VPN gateway.

8) On the Certificate Authorities tab, select Trust All.

9) Click OK.


Edit the properties of the Policy-Based VPN element
Select the default VPN Profile for the VPN and optionally enable NAT for VPN traffic.

Steps

1) Select Configuration, then browse to VPN.

2) Expand the Policy-Based VPNs branch in the element tree.

3) Right-click the Policy-Based VPN element and select Properties.

4) From the Default VPN Profile drop-down list, select Select, then select the VPN Profile element that you
created.

5) (Optional) Select Apply NAT to Traffic That Uses This VPN in the following cases:
• You want the NAT rules in the engine’s policy to apply to traffic that it sends into or receives from the
VPN.
• You want to use the NAT Pool feature to translate VPN client connections.
The option affects the traffic that is transported inside the tunnels. The option does not affect the tunnel
negotiations or the encrypted packets between gateways.

6) Click OK.

Add rules for VPN client traffic


Add Access rules and optionally NAT rules for the VPN client traffic.

Steps

1) Select Configuration.

2) Browse to Policies > Firewall Policies.

3) Right-click your Firewall Policy, then select Edit.


4) On the IPv4 Access tab, add the following type of Access rule.

Source: VPN Client DHCP range Address Range element
Destination: ANY
Service: DNS, HTTP, HTTPS
Action: Allow
Authentication: Users: Mobile VPN Users; Authentication method: AD NPS; Authorization Timeout = 3600
Source VPN: Client VPN

Note: If connections are opened from internal hosts to VPN clients, use the Enforce or
Apply VPN action instead, and remove Client VPN from the Source VPN cell. Alternatively,
you can create a separate rule with the Enforce or Apply VPN action.

5) If Internet access is allowed for VPN clients, add the following type of NAT rule on the IPv4 NAT tab.

Source: VPN Client DHCP range Address Range element
Destination: not internal addresses Expression element
Service: ANY
NAT: Source translation: Dynamic to Firewall-public-IP Host element on 1024-65535
Used On: ANY

6) Click Save and Install.

Import the certificate of the certificate authority


To establish the VPN tunnel, the VPN client uses certificates to authenticate the VPN Gateway. To verify the VPN
Gateway certificate, the client device must also trust the certificate authority (CA) that issued the certificate for the
VPN Gateway.

Steps

1) In the Management Client, export the certificate of the Internal RSA CA for Gateways or the Internal
ECDSA CA for Gateways.
a) Select Configuration, then browse to VPN.

b) Browse to Other Elements > Certificates > VPN Certificate Authorities.

c) Right-click a VPN Certificate Authority and select Tools > Export Certificate.

d) Browse to the location where you want to save the file and click Save.

2) On the iOS device, open the certificate file using the Email application or the Safari web browser, then add it
to the trusted certificates.


Configure an IKEv2 type VPN


Create an IKEv2 type VPN on the iOS device.

Steps
1) On the iOS device, select Settings > General > VPN.

2) Select Add VPN configuration.

3) From the Type list, select IKEv2.

4) In the Server field, enter the IP address or the DNS name of the VPN endpoint on the NGFW Engine.

Note: The Phase-1 ID value for the VPN endpoint must also match the value that you enter
here.

5) In the Remote ID field, enter the value of the Phase-1 ID field for the VPN endpoint on the NGFW Engine.

6) From the User Authentication list, select Username.

7) In the Username and Password fields, enter your user name and password.

Note: If you authenticate from an LDAP domain other than the default LDAP domain in the
SMC, enter the user name as username@<LDAP domain name>.

8) Touch Done.

Configure a Cisco IPsec type VPN


Export the iOS VPN configuration profile from the SMC and create a Cisco IPsec type VPN on the iOS device.
You can export iOS VPN configuration profiles in the Management Client. Exporting iOS VPN configuration
profiles simplifies the VPN client configuration for iOS VPN client users. The exported mobileconfig file includes
the configuration information and certificates that you use to configure VPN settings on the iOS device.
Cisco IPsec type VPNs use certificates to authenticate users. The mobileconfig file contains the PKCS12 private
key and certificate for the VPN. The certificates are imported on the iOS device as profiles.

Note: Exported iOS VPN configuration profiles are only compatible with the RSA Signatures
Authentication Method.

Steps

1) In the Management Client, select Configuration, then browse to VPN.


2) In the elements tree, select the Policy-Based VPNs branch, then right-click the VPN to which iOS VPN
client users connect.

3) Select Tools > Export iOS VPN Configuration Profile.

Note: Because the VPN does not use the default iOS Suite VPN Profile, a warning might be
shown. You can safely ignore the warning. The VPN configuration works correctly because
the custom VPN Profile uses the RSA Signatures authentication method.

4) Next to the Export File field, click Browse, then browse to the location where you want to save the file.

5) Next to the Gateway field, click Select, then select the VPN gateway to which iOS VPN client users connect.

6) From the Endpoint drop-down list, select the endpoint IP address to which iOS VPN client users connect.

7) (Optional) To require users to enter a password to open the configuration file, enter a password in the
Password field.

8) Click Export.

9) Copy the exported mobileconfig file to the iOS device, then open the mobileconfig file using the Email
application or the Safari web browser.
The VPN client setup procedure automatically starts. When the VPN client setup procedure is complete, the
VPN connection appears in the list of VPNs on the iOS device.
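Because the exported mobileconfig file carries a private key as well as the VPN settings, it is worth inspecting a profile before handing it to users. The following Python script is an added example (not Forcepoint's export tool and not Apple's code) that reads a profile with the standard-library plistlib and checks that it has the shape the procedure above describes: one IPsec VPN payload that authenticates with a certificate, a PKCS12 payload that the VPN payload references, and the endpoint address users are meant to connect to. The payload key names are Apple's configuration-profile keys; the sample profile, its identifiers and the placeholder PKCS12 bytes are constructed for the example.

```python
"""Inspect an exported iOS VPN configuration profile (.mobileconfig).

Added example, not Forcepoint's or Apple's code. The profile is an XML
property list, so the standard-library plistlib reads it. The checks follow
what the guide says the export contains for a Cisco IPsec type VPN: an
IPsec VPN payload that authenticates with a certificate (RSA Signatures),
the PKCS12 payload carrying that certificate and its private key, and the
endpoint address users connect to. The payload key names are Apple's
configuration-profile keys; the sample profile is constructed.
"""
import plistlib
from typing import Any, Dict, List

VPN_PAYLOAD = "com.apple.vpn.managed"
PKCS12_PAYLOAD = "com.apple.security.pkcs12"


def inspect_profile(data: bytes, expected_endpoint: str) -> List[str]:
    """Return findings for a profile; an empty list means it matches."""
    findings: List[str] = []
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        return ["top-level PayloadType is not 'Configuration'"]
    by_type: Dict[str, List[Dict[str, Any]]] = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType", ""), []).append(payload)

    vpns = by_type.get(VPN_PAYLOAD, [])
    if len(vpns) != 1:
        return [f"expected exactly one VPN payload, found {len(vpns)}"]
    vpn = vpns[0]
    if vpn.get("VPNType") != "IPSec":
        findings.append(f"VPNType is {vpn.get('VPNType')!r}, expected 'IPSec'")
    ipsec = vpn.get("IPSec", {})
    if ipsec.get("RemoteAddress") != expected_endpoint:
        findings.append(f"RemoteAddress {ipsec.get('RemoteAddress')!r} "
                        f"is not the expected endpoint {expected_endpoint!r}")
    if ipsec.get("AuthenticationMethod") != "Certificate":
        findings.append("VPN payload does not use certificate authentication")
    # The VPN payload must point at a PKCS12 payload shipped in the same profile.
    cert_uuid = ipsec.get("PayloadCertificateUUID")
    p12s = {p.get("PayloadUUID"): p for p in by_type.get(PKCS12_PAYLOAD, [])}
    if cert_uuid not in p12s:
        findings.append("VPN payload does not reference a PKCS12 payload in the profile")
    elif not p12s[cert_uuid].get("PayloadContent"):
        findings.append("referenced PKCS12 payload carries no data")
    return findings


def inspect_file(path: str, expected_endpoint: str) -> List[str]:
    """Run the same checks on an exported file on disk."""
    with open(path, "rb") as fh:
        return inspect_profile(fh.read(), expected_endpoint)


def build_sample_profile(remote: str = "vpn.example.com",
                         auth_method: str = "Certificate",
                         include_pkcs12: bool = True) -> bytes:
    """Build a constructed profile with the shape described above.

    The PKCS12 content is a placeholder byte string, not real key material.
    """
    cert_uuid = "22222222-2222-2222-2222-222222222222"
    payloads: List[Dict[str, Any]] = []
    if include_pkcs12:
        payloads.append({
            "PayloadType": PKCS12_PAYLOAD, "PayloadVersion": 1,
            "PayloadIdentifier": "example.vpn.cert", "PayloadUUID": cert_uuid,
            "PayloadContent": b"PLACEHOLDER-PKCS12-BYTES",
        })
    payloads.append({
        "PayloadType": VPN_PAYLOAD, "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.ipsec",
        "PayloadUUID": "33333333-3333-3333-3333-333333333333",
        "UserDefinedName": "Example VPN", "VPNType": "IPSec",
        "IPSec": {"RemoteAddress": remote, "AuthenticationMethod": auth_method,
                  "PayloadCertificateUUID": cert_uuid},
    })
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.vpn.profile",
        "PayloadUUID": "11111111-1111-1111-1111-111111111111",
        "PayloadDisplayName": "Example VPN", "PayloadContent": payloads,
    })


if __name__ == "__main__":
    for line in inspect_profile(build_sample_profile(), "vpn.example.com") or ["profile matches"]:
        print(line)
```

inspect_file(path, endpoint) applies the checks to an exported file, with endpoint set to the endpoint IP address or DNS name chosen in step 6. The script reads only the plist structure and never opens the PKCS12 container, so it does not need the password from step 7 and does not expose the private key.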

Open a VPN tunnel on the iOS device


When the VPN configuration is complete, you can open a VPN tunnel on the iOS device.

Steps
1) To open a VPN tunnel, slide the Connect button next to Status.

Troubleshooting
If there are problems with the VPN connection, use monitoring tools in the Management Client to find information
for troubleshooting.
The Firewall logs in the Management Client show information about VPN connections. To see more detailed
information, you can optionally enable diagnostics for the firewall. When you have finished troubleshooting,
disable diagnostics.


Table 1: Troubleshooting messages

Sender: Firewall
Message: General Payload Header Reserved not Zero
Problem: The VPN client sent a packet that was not a standard IKE packet. This problem usually happens after an issue with VPN negotiation.
Solution: Check that certificates are configured correctly. Make sure that the iOS devices and the firewall trust the certificate authorities that issued the certificates. Check the Phase-1 authentication parameters. If the iOS VPN client connects to a gateway using its DNS name, the Phase-1 ID of the gateway must be a DNS name. The gateway certificate must have the same DNS name in the SubjectAltName field.

Sender: VPN client
Message: Could not verify VPN server/Gateway
Problem: The VPN client cannot validate the firewall's gateway certificate.
Solution: Make sure that the certificate authority that issued the firewall's gateway certificate is installed in the Keychain on the iOS device. Make sure that the Trust settings for the certificate are defined correctly on the iOS device.

Sender: VPN client
Message: Could not trust VPN server/Gateway
Problem: The VPN client does not trust the firewall's gateway certificate.
Solution: Make sure that the certificate authority that issued the firewall's gateway certificate is installed in the Keychain on the iOS device. Make sure that the Trust settings for the certificate are defined correctly on the iOS device.

Sender: Firewall
Message: No proposal Chosen
Problem: IKE negotiations failed.
Solution: Check the VPN Profile settings. Make sure that Allow SA to Any Network is selected.

Sender: Firewall
Message: Remote address not allowed
Problem: A VPN client is trying to use an IP address that is out of the allowed address range.
Solution: Make sure that all valid IP addresses are actually included in the range of allowed addresses for VPN Gateway and check the DHCP server configuration. In the VPN Client settings for the firewall, select Restrict Virtual Address Ranges.

Sender: Firewall
Message: User not found
Problem: The user was not found in the Active Directory user storage.
Solution: Check that the user exists in the Active Directory user storage, and that the user name is correct. If users authenticate from an LDAP domain other than the default LDAP domain in the SMC, they must enter the user name as username@<LDAP domain name>.

Sender: Firewall
Message: EAP authentication failed
Problem: User authentication failed.
Solution: Make sure that NPS is configured correctly. Check the RADIUS client shared secret and Network Policy settings.

© 2017 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
Raytheon is a registered trademark of Raytheon Company.
All other trademarks used in this document are the property of their respective owners.
