IPsec Export Package
The IPsec Export package generates client configurations for mobile IPsec, making it easier to configure remote access clients. This package is available on AZTCO-FW Plus as well as older Factory Edition versions of AZTCO-FW software.
The IPsec Export package contains an IPsec Profile export page for Apple devices and an IPsec Export page for Windows. Both pages work in a similar manner, and give administrators a few extra options to control client behavior.
The package works with most types of mobile IPsec configurations, with some exceptions depending upon settings.
This utility checks configured Mobile Phase 1 and Phase 2 entries and attempts to locate a set of parameters which are compatible with clients. It uses the first match it finds, so order the choices in the Phase 1 and Phase 2 lists appropriately, or manually edit the resulting profile or script as needed.
Export Settings
When exporting an IPsec configuration, the following options are available to fine-tune the values put into the generated configuration.
VPN Name
The name of the VPN as seen by the client in their network list. This name is also used when creating the filename of the files exported by the package. It is pre-filled with some basic information, such as the firewall hostname, but it can be customized.
Server Address
Select the server address to be used by the client. This list is generated from the SAN entries on the server certificate.
The hostname used by the client to connect to the server must exist in DNS and it must be present in the server certificate SAN list for the client to properly validate the certificate.
Set to Custom Hostname to fill in a hostname other than one shown in the list.
Custom Hostname
A text field for a custom fully qualified domain name to which the client can connect. As with the Server Address, this must exist in DNS and be in the server certificate SAN list.
VPN Client (Apple)
The user for which the package will generate a configuration. Depending on the Mobile IPsec Phase 1 settings, this could either be a user or a TLS certificate.
When using certificates, the list contains certificates which were signed by the CA selected on the mobile IPsec Phase 1 IPsec Peer Certificate Authority.
TLS User Certificate (Windows)
The TLS user certificate to include in the exported configuration, if needed. This field is only visible when the Mobile IPsec Phase 1 settings require a client certificate (e.g. EAP-TLS).
Export a Client Configuration
The process to export a client for an existing Mobile IPsec configuration varies slightly for Apple and Windows.
Apple
- Navigate to VPN > IPsec Export: Apple
- Configure the settings as described in Export Settings
- Click View to display the generated configuration profile
- Review the profile contents and confirm it is acceptable
- Click Download to download the configuration profile
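One way to script the review step for an Apple profile, as an added example that is not part of the package or the original documentation: it checks that the server address in the profile appears in the server certificate SAN list. It assumes the exported profile is an unsigned XML property list using Apple's standard VPN payload keys (`PayloadContent`, `com.apple.vpn.managed`, `IKEv2`, `RemoteAddress`); the sample profile, SAN list and function names are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not real package output); keys follow Apple's VPN payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>UserDefinedName</key><string>fw1 Mobile VPN</string>
    <key>VPNType</key><string>IKEv2</string>
    <key>IKEv2</key><dict>
      <key>RemoteAddress</key><string>vpn.example.com</string>
    </dict>
  </dict></array>
</dict></plist>"""

# Constructed SAN list, as an administrator would copy it from the server certificate.
SAMPLE_SANS = ["fw1.example.com", "vpn.example.com"]


def normalize(name):
    """Hostnames compare case-insensitively; ignore a trailing root dot."""
    return name.strip().lower().rstrip(".")


def review_profile(profile_bytes, server_sans):
    """Return a list of findings; an empty list means the checks passed."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception:  # signed (CMS-wrapped) or damaged profiles do not parse
        return ["profile is not a readable property list (signed or corrupt?)"]
    sans = {normalize(s) for s in server_sans}
    vpns = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]
    findings = [] if vpns else ["no VPN payload found in profile"]
    for vpn in vpns:
        name = vpn.get("UserDefinedName", "<unnamed>")
        address = vpn.get("IKEv2", {}).get("RemoteAddress")
        if not address:
            findings.append(f"{name}: RemoteAddress missing")
        elif normalize(address) not in sans:
            findings.append(f"{name}: {address!r} is not in the certificate SAN list")
    return findings


if __name__ == "__main__":
    print(review_profile(SAMPLE_PROFILE, SAMPLE_SANS) or "profile OK")
```

The check covers only the SAN requirement; whether the hostname exists in DNS still has to be confirmed from a client network.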
Apple Client Configuration
Visit the Apple Configurator Site for details about creating and using profiles. The process varies between iOS and OS X.
Windows
- Navigate to VPN > IPsec Export: Windows
- Configure the settings as described in Export Settings
- Click View to display the generated PowerShell script
- Review the script contents and confirm it is acceptable
- Click Download to download a ZIP archive containing the PowerShell script and the required certificates.
If the Network List option is active on the Mobile Clients tab in IPsec settings, the script will include parameters to set up Split Tunneling on the client as well as commands to configure routes on the VPN for networks configured in the mobile Phase 2 entries.
Windows Client Configuration
On the client system, unzip the configuration archive and run the script. The commands in the PowerShell script will import certificates and set up the VPN on the client workstation.
Running PowerShell scripts on Windows is disabled by default. If scripting is disabled, the commands may be copied and pasted into a PowerShell prompt.