WatchGuard Technologies V10.0 manual Defining advanced Phase 1 settings

Modifying an Existing Mobile VPN Profile

Defining advanced Phase 1 settings

To define advanced Phase 1 settings for an Mobile VPN user profile:

1From the IPSec Tunnel tab of the Edit MUVPN Extended Authentication Group dialog box,

select Advanced.

The Phase1 Advanced Settings dialog box appears.

2To change the SA (security association) lifetime, type a number in the SA Life field, and select Hour or Minute from the drop-down list

3From the Key Group drop-down list, select the Diffie-Hellman group you want. WatchGuard supports groups 1, 2, and 5.

Diffie-Hellman groups determine the strength of the master key used in the key exchange process. The higher the group number, the greater the security but the more time is required to make the keys.

4If you want to build an Mobile VPN tunnel between the Firebox and another device that is behind a NAT device, select the NAT Traversal check box. NAT Traversal, or UDP Encapsulation, allows traffic to get to the correct destinations. To set the Keep-alive interval, type the number of seconds or use the value control to select the number of seconds you want.

5You must select the IKE Keep-alivecheck box to have the Firebox send messages to its IKE peer to keep the tunnel open. If you disable the IKE Keep-alive feature, the Mobile VPN client will not be able to connect to the Firebox.

To set the Message interval, type the number of seconds or use the value control to select the number of seconds you want.

6To set the maximum number of times the Firebox tries to send an IKE keep-alive message before it tries to negotiate Phase 1 again, type the number you want in the Max failures box.

7Click OK.

Defining advanced Phase 2 settings

To define advanced Phase 2 settings for an Mobile VPN user profile:

1From the IPSec Tunnel tab of the Edit MUVPN Extended Authentication Group dialog box,

select Proposal.

The Phase2 Proposal dialog box appears.