Configure an Access Point VPN (2024)

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432). This topic applies to Wi-Fi 6 access points you manage in WatchGuard Cloud (AP130, AP330, AP430CR, AP432).

You can create a secure VPN tunnel between a WatchGuard Cloud-managed access point and a cloud-managed Firebox.

Access Point VPN is currently only supported with a cloud-managed Firebox.

A VPN tunnel offers a better, more secure way for remote workers to connect back to the corporate data center over an IKEv2 (IKE Version 2) VPN with no user configuration required.

For example:

  • A remote worker located at home that requires a secure connection to the corporate network.
  • A small branch office that does not require a firewall but requires secure connectivity to the corporate network.

Access Point VPN Requirements

To create an Access Point VPN, you must have:

  • Cloud-managed Firebox with Mobile VPN (IKEv2) enabled
  • SSID with NAT enabled on your access point

The Access Point VPN feature does not support an SSID with a VLAN enabled or an SSID configured with a Captive Portal.

  • WatchGuard USP Wi-Fi license

Network Requirements

If the access point you use for the VPN is located behind another firewall or router, make sure these ports are open for VPN communications:

  • UDP port 500
  • UDP port 4500

Typically, you do not have to specify ESP IP Protocol 50 because it is encapsulated within UDP port 4500 packets. This port is used for NAT Traversal, and ESP cannot use NAT. In most cases, the access point will be the perimeter device and will always use NAT traversal.

Make sure outbound IPSec pass-through is enabled on your firewall or router. Many devices already have this enabled by default. On a WatchGuard Firebox, you can enable the option to add a pass-through policy in the VPN global settings in Fireware Web UI or Policy Manager. For more information, see About Global VPN Settings in the Fireware Help.

Configure an Access Point VPN

To configure an Access Point VPN, follow these steps:

  • Configure a Firebox with Mobile VPN (IKEv2)
  • Add an Access Point Site
  • Add an SSID with NAT
  • Configure the Access Point VPN
  • Deploy the Site Configuration to an Access Point
  • Test the Access Point VPN

Configure a Firebox with Mobile VPN (IKEv2)

Mobile Virtual Private Networking (Mobile VPN) creates a secure connection between a remote device, such as an access point, and network resources behind the Firebox.

Cloud-managed Fireboxes and WatchGuard access points support Mobile VPN with IKEv2 for the VPN connection, which uses IPSec to provide strong encryption and authentication.

To configure a VPN between an access point and a cloud-managed Firebox, you must first configure a Mobile VPN with IKEv2 on the Firebox.

  1. From a Subscriber account, select Configure > Devices.
  2. Select the Firebox.
  3. Select Device Configuration.
    The Device Configuration page opens.
  4. In the VPN section, select Add Mobile VPN.
    The Add Mobile VPN page opens.
  5. Select IKEv2.
    The Mobile VPN with IKEv2 configuration page opens.

  6. Type a Name for the VPN.
  7. In the Firebox Addresses section, click Add Domain Name or IP Address. Add the domain name or public IP address of the Firebox.
  8. Click Save.

When you configure and deploy the Access Point VPN, the Firebox automatically creates a corresponding Mobile VPN authentication group and users for the Access Point VPN. The group name is the name of the access point site, and the user name for the access point that appears in the group details is the serial number of the device.

For more information, see Configure Mobile VPN with IKEv2 for a Cloud-Managed Firebox.

Add an Access Point Site

You configure a VPN in an Access Point Site. For more information on Access Point Sites, see About Access Point Sites.

To configure an Access Point VPN, from WatchGuard Cloud:

  1. From a Subscriber account, select Configure > Access Point Sites.
    The Access Point Sites page opens.
  2. Click Add Site.
    You can also select and configure an existing Access Point Site.

  3. Type a Name and Description for the Access Point Site, then click Add.
    The Access Point Site configuration page opens.

Add an SSID with NAT

To add a NAT-enabled SSID to the site for the Access Point VPN:

  1. In the Wi-Fi Networks tile, click Add SSID.
    The Add SSID page opens.

Configure these SSID settings:

  1. SSID Name — Type the SSID name. This is the name for this wireless network that appears to clients.
  2. Broadcast SSID — Select the Broadcast SSID check box to broadcast the SSID name to wireless clients. Clear this check box if you want to hide the SSID name.
  3. SSID Type — Select a Private wireless network.
  4. Radio — Select the access point radios (2.4 GHz, 5 GHz, or both 2.4 GHz and 5 GHz) that will broadcast this SSID.
  5. Security — Select the type of security and passphrase for this SSID. We recommend you use at minimum WPA2 Personal.
  6. In the Network section, you must select NAT.

The Access Point VPN cannot work with an SSID in bridged mode or with a VLAN enabled.

  7. Configure these settings when you enable NAT on the SSID:

  • Local IP Address (Gateway) — An IP address in the selected network outside of the DHCP address pool. This address is used as the gateway address for the clients on the wireless network.

Make sure you configure an IP address range that does not conflict with your existing network's IP addresses.

  • Subnet Mask — The net mask for the selected network.
  • DHCP Pool Start IP Address — The starting IP address of the DHCP address pool in the selected network.
  • DHCP Pool End IP Address — The end IP address of the DHCP address pool in the selected network.
  • Lease Time — The DHCP lease time in hours (1 to 24).
  • Primary and Secondary DNS Server — The primary and secondary DNS servers to which wireless clients make DNS queries. The primary DNS server should be your corporate network DNS server.
  8. Click Add to add the SSID to the site.
  9. Click Back to return to the site configuration settings page.

  10. Click Schedule Deployment to deploy the site configuration with the new SSID.

If you do not deploy the SSID configuration, the SSID will not be available for you to select in the Access Point VPN configuration in the next step.
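
The NAT addressing rules above (gateway outside the DHCP pool, pool inside the subnet, lease time of 1 to 24 hours, no conflict with existing networks) can be checked before you type the values into WatchGuard Cloud. This is an added example, not WatchGuard code; the function name, parameter names, and sample addresses are assumptions made for illustration.

```python
import ipaddress

def check_nat_ssid_plan(gateway, netmask, pool_start, pool_end, lease_hours,
                        existing_networks):
    """Return a list of problems with a NAT SSID address plan (empty = OK)."""
    problems = []
    # Derive the SSID subnet from the gateway address and subnet mask.
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    reserved = (net.network_address, net.broadcast_address)

    if gw in reserved:
        problems.append("gateway is the network or broadcast address")
    if start > end:
        problems.append("DHCP pool start is after pool end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"DHCP pool {label} {addr} is outside {net}")
        elif addr in reserved:
            problems.append(f"DHCP pool {label} {addr} is not a usable host")
    # The gateway must sit outside the DHCP address pool.
    if start <= gw <= end:
        problems.append("gateway lies inside the DHCP pool")
    if not 1 <= lease_hours <= 24:
        problems.append("lease time must be 1 to 24 hours")
    # The SSID subnet must not conflict with networks already in use.
    for cidr in existing_networks:
        other = ipaddress.ip_network(cidr, strict=False)
        if net.overlaps(other):
            problems.append(f"{net} overlaps existing network {other}")
    return problems

# Constructed sample values (hypothetical networks, not from the page).
CORPORATE_NETWORKS = ["10.0.0.0/16", "192.168.1.0/24"]
GOOD = dict(gateway="172.20.50.1", netmask="255.255.255.0",
            pool_start="172.20.50.10", pool_end="172.20.50.200", lease_hours=8)
BAD = dict(gateway="10.0.5.20", netmask="255.255.255.0",
           pool_start="10.0.5.10", pool_end="10.0.5.100", lease_hours=48)

if __name__ == "__main__":
    for name, plan in (("good", GOOD), ("bad", BAD)):
        issues = check_nat_ssid_plan(existing_networks=CORPORATE_NETWORKS, **plan)
        print(name, "OK" if not issues else issues)
```
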

Configure the Access Point VPN

To enable and configure the Access Point VPN:

  1. From the Access Point Site configuration page, click Access Point VPN.
    The Access Point VPN page opens.

  2. Enable Access Point VPN.
  3. From the SSID drop-down list, select the SSID with NAT enabled that you created.
    The SSID cannot have a VLAN enabled.
  4. (Optional) Select the Use tunnel for RADIUS authentication check box to send RADIUS authentication traffic over the tunnel to a RADIUS server located behind the Firebox tunnel endpoint. The SSIDs configured in the Access Point VPN and any other SSIDs that use Enterprise authentication with the same RADIUS server will pass authentication traffic over the tunnel. This feature only appears if you have configured Enterprise authentication with a RADIUS server on the SSID configured for Access Point VPN.
  5. From the Firebox drop-down list, select the cloud-managed Firebox with Mobile VPN enabled.

Only SSIDs with NAT enabled and cloud-managed Fireboxes with Mobile VPN (IKEv2) enabled are displayed in the VPN configuration. Make sure you configure these items before you start the access point VPN configuration.

  6. Click Save.

After you save the Access Point VPN, the configuration is deployed immediately.

When you save and deploy the Access Point VPN, the Firebox automatically creates a corresponding authentication group and users for the Access Point VPN.

Deploy the Site Configuration to an Access Point

When you have completed the SSID and VPN configuration in your site, you must deploy the configuration to an access point by subscribing the device to the site.

  1. Return to the site configuration settings page.
  2. Click the Subscribed Devices tab.
    The Subscribed Devices tab shows a list of all devices subscribed to the site.

  3. To select devices to subscribe to this site, click Select Devices.
    The Select Devices page opens. This list shows all devices in the currently selected account that do not already subscribe to this site.

  4. Click the check box next to the devices you want to subscribe to the VPN site.
  5. Click Save.
    The site is immediately deployed to the cloud for the selected devices to download.

Test the Access Point VPN

If the Access Point VPN is set up correctly, the access point appears in the Live Status > VPN > Mobile VPN page on the Firebox that you set up with Mobile VPN with IKEv2.

To test your connection, associate a wireless client with the SSID you created for your Access Point VPN, then attempt to connect to resources behind the Firebox.

You should see traffic sent and received over the VPN.

Related Topics

Configure Access Point SSID Settings

About Access Point Sites

About Mobile VPN for a Cloud-Managed Firebox

© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.

Author: Kerri Lueilwitz