Next Generation
Firewall
How to use iOS VPN clients with
Forcepoint Next Generation Firewall
6.0 and higher
Revision B
How to use iOS VPN Clients with Forcepoint NGFW
Contents
• Introduction on page 2
• Configuration scenarios on page 2
• Prepare for VPN configuration on page 3
• Configure an IKEv2 type VPN on page 12
• Configure a Cisco IPsec type VPN on page 12
• Open a VPN tunnel on the iOS device on page 13
• Troubleshooting on page 13
Introduction
You can configure native iOS VPN clients to connect to Forcepoint™ Next Generation Firewall (Forcepoint
NGFW).
We assume that the following configuration has already been done in the Management Client:
• The internal DHCP server on an interface of a Single Firewall has been configured to provide virtual IP
addresses to clients.
• A Policy-Based VPN has been configured.
• An Active Directory Server element has been created.
• Network Policy Server (NPS) authentication has been configured for the Active Directory Server.
For detailed information about using Active Directory Servers to authenticate users, see Knowledge Base article
9649.
For detailed information about VPN configuration, see the Forcepoint Next Generation Firewall Product Guide.
Configuration scenarios
The configuration scenarios include IKEv2 type VPN and Cisco IPsec type VPN configurations.
In both configuration scenarios, certificates contain RSA encryption keys.
Note: Although it is possible to connect to the VPN with a user account stored in the
InternalDomain LDAP domain in the Forcepoint™ NGFW Security Management Center (SMC),
this configuration is not recommended. When user accounts are stored in the InternalDomain, you
must use external NPS authentication, and the user name must be the same in the SMC and on
the Active Directory server.
Steps
1) On the NPS, open the properties of the Network policy.
3) Below the EAP Types list, click Add, then select Microsoft: Secured password (EAP-MSCHAP v2).
Note: PAP or SPAP RADIUS methods are used only in the Cisco IPsec type VPN. iOS VPN
clients and Forcepoint NGFW do not use the PAP or SPAP RADIUS methods in the IKEv2
type VPN.
5) Click OK.
Note: You can use the internal DHCP server to provide IP addresses to the VPN client Virtual
Adapter only if you use Single Firewalls as VPN gateways. For Firewall Clusters, you must use
an external DHCP server. See the Forcepoint Next Generation Firewall Product Guide for more
information.
Steps
For more details about the product and how to configure features, click Help or press F1.
1) Right-click the Single Firewall element and select Edit <element type>.
4) On the DHCP tab, select DHCP Server from the DHCP Mode drop-down list.
5) Next to the DHCP Address Range field, click Address and enter a single IP address or an IP address
range.
Note: The DHCP address range must be in the same network space defined for the Physical
Interface. The DHCP address range must not contain the Firewall’s NDI or CVI addresses or
broadcast IP addresses of networks behind the Firewall.
6) In the Primary DNS Server field, enter the IP addresses of the DNS servers that clients use to resolve
domain names.
7) In the Default Gateway field, enter the IP address of the gateway through which traffic from clients is routed.
Steps
For more details about the product and how to configure features, click Help or press F1.
1) Select Configuration.
5) In the IP Address field, enter the IP address of the firewall interface on which you activated the internal
DHCP server.
6) Click OK.
Steps
For more details about the product and how to configure features, click Help or press F1.
1) Right-click the engine element, then select Edit Single Firewall or Edit Firewall Cluster.
3) (Optional) Change the selection of IP addresses that you want to use as endpoints in VPNs.
• Typically, these are IP addresses that belong to interfaces toward the Internet, which are automatically
selected based on the firewall’s default routing table.
• If you have more than one Internet connection, select an IP address from each ISP.
Note: If the endpoint has a static IP address, the value for the IP Address type is filled in
automatically.
Steps
For more details about the product and how to configure features, click Help or press F1.
2) In the navigation pane on the left, browse to VPN > VPN Client.
3) From the VPN Type drop-down list, select Both IPsec & SSL VPN.
5) From the Interface for DHCP Relay drop-down list, select the firewall interface on which you activated the
internal DHCP server.
6) Next to the DHCP Servers field, click Add, then select the DHCP Server element that represents the internal
DHCP server on the firewall's interface.
7) Select Restrict Virtual Address Ranges, then enter the IP address range in the field on the right.
With this option, you can restrict the VPN clients’ addresses to a set range, even if the DHCP server tries
to assign some other IP address. If an incorrect address is assigned, the user might not be able to access
resources.
8) Select Proxy ARP, then enter the IP address range in the field on the right.
Add all virtual IP addresses that the VPN clients are allowed to use. We recommend using the same
IP address range as the DHCP Address Range setting for the firewall interface or the Restrict Virtual
Address Ranges setting. This configuration allows the firewall to handle connections that are opened from
the protected internal network towards the VPN clients.
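The DHCP Address Range, Restrict Virtual Address Ranges and Proxy ARP settings above have to agree with each other and with the Physical Interface. The following Python script is an added example, not part of this Forcepoint guide and not an SMC tool; it checks the constraints the guide states (range inside the interface network, no NDI/CVI or broadcast addresses in it, Restrict and Proxy ARP ranges covering every address the DHCP server can hand out) before the configuration is saved. Ranges are assumed to be written as a single address or as "first-last", the way the Address field accepts them; all sample addresses are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def parse_range(text: str) -> Range:
    """Parse 'a.b.c.d' (single address) or 'a.b.c.d-e.f.g.h' into (first, last)."""
    parts = [p.strip() for p in text.split("-")]
    if len(parts) == 1:
        first = last = ipaddress.IPv4Address(parts[0])
    elif len(parts) == 2:
        first, last = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1])
    else:
        raise ValueError(f"bad range: {text!r}")
    if last < first:
        raise ValueError(f"range end precedes start: {text!r}")
    return first, last


def contains(rng: Range, addr: ipaddress.IPv4Address) -> bool:
    return rng[0] <= addr <= rng[1]


def covers(outer: Range, inner: Range) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def validate_vpn_address_plan(interface_cidr: str,
                              engine_addresses: Iterable[str],
                              internal_networks: Iterable[str],
                              dhcp_range: str,
                              restrict_range: str,
                              proxy_arp_range: str) -> List[str]:
    """Return a list of problems found in the VPN client address plan (empty = consistent).

    interface_cidr    : address/prefix of the Physical Interface that runs the internal DHCP server
    engine_addresses  : the firewall's own NDI/CVI addresses on that interface
    internal_networks : networks behind the firewall whose broadcast addresses must stay out of the range
    dhcp_range        : DHCP Address Range setting (single address or 'first-last')
    restrict_range    : Restrict Virtual Address Ranges setting
    proxy_arp_range   : Proxy ARP setting
    """
    problems: List[str] = []
    net = ipaddress.IPv4Interface(interface_cidr).network
    dhcp = parse_range(dhcp_range)

    # 1. The DHCP range must lie inside the network of the Physical Interface.
    if dhcp[0] not in net or dhcp[1] not in net:
        problems.append(f"DHCP range {dhcp_range} is not inside interface network {net}")

    # 2. It must not include the engine's own NDI or CVI addresses.
    for a in engine_addresses:
        if contains(dhcp, ipaddress.IPv4Address(a)):
            problems.append(f"DHCP range {dhcp_range} contains engine address {a}")

    # 3. It must not include broadcast addresses of this network or of networks behind the firewall.
    for n in [net, *(ipaddress.IPv4Network(x) for x in internal_networks)]:
        if contains(dhcp, n.broadcast_address):
            problems.append(f"DHCP range {dhcp_range} contains broadcast address {n.broadcast_address}")

    # 4. Every address the DHCP server can assign must be accepted by Restrict Virtual Address Ranges
    #    (otherwise the client is rejected with 'Remote address not allowed') and be answered by
    #    Proxy ARP (otherwise internal hosts cannot open connections towards the client).
    for label, text in (("Restrict Virtual Address Ranges", restrict_range),
                        ("Proxy ARP", proxy_arp_range)):
        if not covers(parse_range(text), dhcp):
            problems.append(f"{label} range {text} does not cover DHCP range {dhcp_range}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: interface 10.10.20.1/24, clients get 10.10.20.100-199.
    for line in validate_vpn_address_plan("10.10.20.1/24", ["10.10.20.1"], ["192.168.1.0/24"],
                                          "10.10.20.1-10.10.20.255",
                                          "10.10.20.100-10.10.20.150",
                                          "10.10.20.1-10.10.20.255"):
        print(line)
```

Run it against the values you intend to enter in the Management Client; an empty result means the three settings agree. The single-address form is accepted because the Address field allows a single IP address as well as a range.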
• To save the changes and refresh the security policy on the engine, click Save and Refresh.
Steps
For more details about the product and how to configure features, click Help or press F1.
2) Expand the Other Elements > Profiles branch in the element tree.
b) In the Cipher Algorithms section, select one or more of the following encryption methods: AES-128,
AES-256, 3DES.
c) In the Message Digest Algorithm section, select one or more of the following message digest
algorithms to use in the VPN: SHA-1, SHA-2.
d) If you selected SHA-2 as the message digest algorithm, select the minimum length for the digest from
the drop-down list to the right of the option.
e) In the Diffie-Hellman Groups section, select one or more of the following Diffie-Hellman groups for key
exchange in the VPN: 2, 5, 14, 19.
g) If you selected IKEv1 as the version, select the IKEv1 negotiation mode from the IKEv1 Negotiation
Mode drop-down list.
b) In the Cipher Algorithms section, select one or more of the following encryption methods: AES-128,
AES-256, 3DES.
c) In the Message Digest Algorithm section, select one or more of the following message digest
algorithms to use in the VPN: SHA-1, SHA-2.
d) If you selected SHA-2 as the message digest algorithm, select the minimum length for the digest from
the drop-down list to the right of the option.
f) In the Security Association Granularity for Tunnel Mode section, select SA per Net.
c) In the IPsec Security Association Granularity for Tunnel Mode section, select the following options:
• SA per Net
• Allow SA to Any Network
Note: The iOS VPN client does not support split tunnels. To generate a full-tunnel
VPN, you must select the Allow SA to Any Network option in the VPN Profile
element. Optionally, you can use the Any network (0.0.0.0/0) element in the site
definition for the VPN gateway.
9) Click OK.
Steps
For more details about the product and how to configure features, click Help or press F1.
4) From the Default VPN Profile drop-down list, select Select, then select the VPN Profile element that you
created.
5) (Optional) Select Apply NAT to Traffic That Uses This VPN in the following cases:
• You want the NAT rules in the engine’s policy to apply to traffic that it sends into or receives from the
VPN.
• You want to use the NAT Pool feature to translate VPN client connections.
The option affects the traffic that is transported inside the tunnels. The option does not affect the tunnel
negotiations or the encrypted packets between gateways.
6) Click OK.
Steps
For more details about the product and how to configure features, click Help or press F1.
1) Select Configuration.
4) On the IPv4 Access tab, add the following type of Access rule.
Source: VPN Client DHCP range Address Range element
Destination: ANY
Service: DNS, HTTP, HTTPS
Action: Allow
Authentication: Users: Mobile VPN Users; Authentication method: AD NPS; Authorization Timeout = 3600
Source VPN: Client VPN
Note: If connections are opened from internal hosts to VPN clients, use the Enforce or
Apply VPN action instead, and remove Client VPN from the Source VPN cell. Alternatively,
you can create a separate rule with the Enforce or Apply VPN action.
5) If Internet access is allowed for VPN clients, add the following type of NAT rule on the IPv4 NAT tab.
Steps
For more details about the product and how to configure features, click Help or press F1.
1) In the Management Client, export the certificate of the Internal RSA CA for Gateways or the Internal
ECDSA CA for Gateways.
a) Select Configuration, then browse to VPN.
c) Right-click a VPN Certificate Authority and select Tools > Export Certificate.
d) Browse to the location where you want to save the file and click Save.
2) On the iOS device, open the certificate file using the Email application or the Safari web browser, then add it
to the trusted certificates.
Steps
1) On the iOS device, select Settings > General > VPN.
4) In the Server field, enter the IP address or the DNS name of the VPN endpoint on the NGFW Engine.
Note: The Phase-1 ID value for the VPN endpoint must also match the value that you enter
here.
5) In the Remote ID field, enter the value of the Phase-1 ID field for the VPN endpoint on the NGFW Engine.
7) In the Username and Password fields, enter your user name and password.
Note: If you authenticate from an LDAP domain other than the default LDAP domain in the
SMC, enter the user name as username@<LDAP domain name>.
8) Touch Done.
Note: Exported iOS VPN configuration profiles are only compatible with the RSA Signatures
Authentication Method.
Steps
For more details about the product and how to configure features, click Help or press F1.
2) In the elements tree, select the Policy-Based VPNs branch, then right-click the VPN to which iOS VPN
client users connect.
Note: Because the VPN does not use the default iOS Suite VPN Profile, a warning might be
shown. You can safely ignore the warning. The VPN configuration works correctly because
the custom VPN Profile uses the RSA Signatures authentication method.
4) Next to the Export File field, click Browse, then browse to the location where you want to save the file.
5) Next to the Gateway field, click Select, then select the VPN gateway to which iOS VPN client users connect.
6) From the Endpoint drop-down list, select the endpoint IP address to which iOS VPN client users connect.
7) (Optional) To require users to enter a password to open the configuration file, enter a password in the
Password field.
8) Click Export.
9) Copy the exported mobileconfig file to the iOS device, then open the mobileconfig file using the Email
application or the Safari web browser.
The VPN client setup procedure automatically starts. When the VPN client setup procedure is complete, the
VPN connection appears in the list of VPNs on the iOS device.
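The exported mobileconfig file is an XML property list carrying one VPN payload. The Python script below is an added example and is not the Management Client's export code; it builds such a profile for the IKEv2 case with the standard library's plistlib and then re-reads it to check the points this guide makes: the Server value and the Remote ID must both equal the gateway's Phase-1 ID, an exported profile only works with the RSA Signatures (certificate) authentication method, and the cipher, digest and Diffie-Hellman group must be ones the VPN Profile element offers (AES-128, AES-256, 3DES; SHA-1, SHA-2; groups 2, 5, 14, 19). The payload key names and value spellings are Apple's IKEv2 profile keys as I know them, which is an assumption; the identifiers, host names and user names are constructed placeholders, and the issuer common name should be taken from the certificate exported in the previous task.

```python
import plistlib
import uuid
from typing import List

# Algorithm choices this guide lists for the VPN Profile on the engine, written
# with the value names Apple's IKEv2 payload uses (assumed spellings).
ENGINE_CIPHERS = {"AES-128", "AES-256", "3DES"}
ENGINE_DIGESTS = {"SHA1-96", "SHA2-256", "SHA2-384", "SHA2-512"}
ENGINE_DH_GROUPS = {2, 5, 14, 19}


def build_ikev2_profile(server: str, remote_id: str, local_id: str,
                        issuer_cn: str, username: str,
                        cipher: str = "AES-256", digest: str = "SHA2-256",
                        dh_group: int = 14) -> bytes:
    """Return an XML .mobileconfig (plist) containing one IKEv2 VPN payload.

    server / remote_id : the Server and Remote ID fields of the iOS VPN settings
    issuer_cn          : common name of the CA that issued the gateway certificate
    """
    sa_params = {
        "EncryptionAlgorithm": cipher,
        "IntegrityAlgorithm": digest,
        "DiffieHellmanGroup": dh_group,
        "LifeTimeInMinutes": 1440,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",   # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example IKEv2 VPN",
        "UserDefinedName": "Example IKEv2 VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": remote_id,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "Certificate",  # gateway authenticates with RSA signatures
            "ExtendedAuthEnabled": 1,               # user authenticates with EAP (EAP-MSCHAP v2 on NPS)
            "AuthName": username,
            "ServerCertificateIssuerCommonName": issuer_cn,
            "IKESecurityAssociationParameters": dict(sa_params),
            "ChildSecurityAssociationParameters": dict(sa_params),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.ios-vpn",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example VPN profile",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def check_profile(data: bytes) -> List[str]:
    """Cross-check a mobileconfig against the constraints this guide states.
    Returns the findings; an empty list means no inconsistency was found."""
    findings: List[str] = []
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if payload.get("VPNType") != "IKEv2":
            findings.append(f"VPNType {payload.get('VPNType')!r} is not IKEv2")
            continue
        ike = payload.get("IKEv2", {})
        # Server value and Remote ID must both be the gateway's Phase-1 ID.
        if ike.get("RemoteAddress") != ike.get("RemoteIdentifier"):
            findings.append("RemoteAddress differs from RemoteIdentifier (Server must match the Phase-1 ID)")
        # Exported iOS profiles only work with the RSA Signatures authentication method.
        if ike.get("AuthenticationMethod") != "Certificate":
            findings.append("AuthenticationMethod is not Certificate (RSA signatures)")
        if not ike.get("ServerCertificateIssuerCommonName"):
            findings.append("ServerCertificateIssuerCommonName is missing")
        for key in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
            sa = ike.get(key, {})
            if sa.get("EncryptionAlgorithm") not in ENGINE_CIPHERS:
                findings.append(f"{key}: cipher {sa.get('EncryptionAlgorithm')!r} is not offered by the VPN Profile")
            if sa.get("IntegrityAlgorithm") not in ENGINE_DIGESTS:
                findings.append(f"{key}: digest {sa.get('IntegrityAlgorithm')!r} is not offered by the VPN Profile")
            if sa.get("DiffieHellmanGroup") not in ENGINE_DH_GROUPS:
                findings.append(f"{key}: DH group {sa.get('DiffieHellmanGroup')!r} is not offered by the VPN Profile")
    return findings


if __name__ == "__main__":
    # Constructed sample: the Server field holds an IP address but the Phase-1 ID is a DNS name.
    sample = build_ikev2_profile("203.0.113.10", "vpn.example.com", "alice@example.com",
                                 "Internal RSA CA for Gateways", "alice")
    for line in check_profile(sample):
        print(line)
```

check_profile can also be pointed at a profile exported from the Management Client (read the file in binary mode and pass the bytes) to confirm that the endpoint, identity and algorithm choices match what was configured on the engine before the file is copied to the device.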
Steps
1) To open a VPN tunnel, slide the Connect button next to Status.
Troubleshooting
If there are problems with the VPN connection, use monitoring tools in the Management Client to find information
for troubleshooting.
The Firewall logs in the Management Client show information about VPN connections. To see more detailed
information, you can optionally enable diagnostics for the firewall. When you have finished troubleshooting,
disable diagnostics.
Firewall log message: General Payload Header Reserved not Zero
Explanation: The VPN client sent a packet that was not a standard IKE packet. This problem usually happens after an issue with VPN negotiation.
Solution: Check that certificates are configured correctly. Make sure that the iOS devices and the firewall trust the certificate authorities that issued the certificates. Check the Phase-1 authentication parameters. If the iOS VPN client connects to a gateway using its DNS name, the Phase-1 ID of the gateway must be a DNS name. The gateway certificate must have the same DNS name in the SubjectAltName field.

VPN client message: Could not verify VPN server/Gateway
Explanation: The VPN client cannot validate the firewall's gateway certificate.
Solution: Make sure that the certificate authority that issued the firewall's gateway certificate is installed in the Keychain on the iOS device. Make sure that the Trust settings for the certificate are defined correctly on the iOS device.

VPN client message: Could not trust VPN server/Gateway
Explanation: The VPN client does not trust the firewall's gateway certificate.
Solution: Make sure that the certificate authority that issued the firewall's gateway certificate is installed in the Keychain on the iOS device. Make sure that the Trust settings for the certificate are defined correctly on the iOS device.

Firewall log message: No proposal Chosen
Explanation: IKE negotiations failed.
Solution: Check the VPN Profile settings. Make sure that Allow SA to Any Network is selected.

Firewall log message: Remote address not allowed
Explanation: A VPN client is trying to use an IP address that is out of the allowed address range.
Solution: Make sure that all valid IP addresses are actually included in the range of allowed addresses for the VPN Gateway and check the DHCP server configuration. In the VPN Client settings for the firewall, select Restrict Virtual Address Ranges.

Firewall log message: User not found
Explanation: The user was not found in the Active Directory user storage.
Solution: Check that the user exists in the Active Directory user storage, and that the user name is correct. If users authenticate from an LDAP domain other than the default LDAP domain in the SMC, they must enter the user name as username@<LDAP domain name>.

Firewall log message: EAP authentication failed
Explanation: User authentication failed.
Solution: Make sure that NPS is configured correctly. Check the RADIUS client shared secret and Network Policy settings.
© 2017 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
Raytheon is a registered trademark of Raytheon Company.
All other trademarks used in this document are the property of their respective owners.