How to do it...

  1. Navigate to VPN | IPsec.
  2. Click on the Mobile Clients tab.
  3. Check the Enable IPsec Mobile Client Support checkbox.
  4. In the User Authentication listbox, select Local Database.
  5. In the Group Authentication drop-down menu, select system.
  6. Check the Provide a virtual IP address to clients checkbox.
  7. Enter a network and CIDR for the virtual address pool.
  8. Check the Save Xauth Password checkbox.
  9. Check the DNS Default Domain checkbox, and enter localdomain as the default domain.
  10. Check the Provide a DNS server list checkbox and enter 1.1.1.1 and 1.0.0.1 as the DNS servers.
  11. Check the Login Banner checkbox and enter an appropriate login banner.
  12. When you are done, click on the Save button.
  13. When the page reloads, click the Create Phase 1 button.
  14. Keep the Key Exchange set to IKEv1.
  15. Set the Authentication Mode to Mutual PSK + XAuth.
  16. Change Peer identifier to User distinguished name. Enter something unique for this field, such as an email address.
  17. In the Pre-Shared key text field, enter an appropriate pre-shared key.
  18. Scroll down to Advanced Options, and change NAT Traversal to Force. This will force the use of NAT-T on port 4500.
  19. When you are done, click on Save.
  20. When the page reloads, click on Apply Changes.
  21. Click on Show Phase 2 Entries for the newly created mobile client phase 1 entry. This should reveal the Add P2 button for the newly created connection.
  22. Click on the Add P2 button.
  23. Most of the settings on the Edit Phase 2 page can be kept at their default values. It is recommended, however, that you change the Encryption Algorithm to AES256-GCM, and that you change the Hash Algorithm to SHA256.
  24. When you are done making changes, click on the Save button.
  25. Phase 1 and phase 2 configuration is complete; now we must add one or more users via the User Manager. Navigate to System | User Manager to begin the process. First, add a group for VPN users:
    1. Click on the Groups tab.
    2. Click on the Add button to add a new group.
    3. Enter a group name of vpnusers.
    4. In the Scope drop-down menu, select Remote.
    5. Click on the Save button.
    6. When the page reloads, the vpnusers group should be listed in the table. Click on the Edit icon for vpnusers.
    7. There will now be a section on the configuration page for the group called Assigned privileges. Click on the Add button in this section.
    8. In the Assigned privileges box, select User – VPN: IPsec xauth Dialin and click on Save.
    9. On the main configuration page, click on Save.
  26. Now we can add users to the vpnusers group, which we can do by clicking on the Users tab:
    1. From the Users tab, click on the Add button.
    2. Set an appropriate Username and Password combination for the new user.
    3. Under Group Memberships, select the vpnusers group.
    4. For the IPsec Pre-Shared Key, enter the key you entered during phase 1 configuration.
    5. Click on the Save button.
    6. Repeat these steps for as many users as you wish to add.
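
One way to check the finished configuration against this recipe, as an added example that is not part of the original recipe or of pfSense's own tooling: a Python audit of a configuration backup (config.xml). The element names and value spellings (such as xauth_psk_server, user_fqdn and hmac_sha256) are assumptions about the backup's layout, so compare them with your own export; the sample document is constructed, with NAT Traversal deliberately left off Force so that one finding is reported.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements checked below. Element names and
# value spellings are assumptions about the config.xml layout, not from the recipe.
SAMPLE_CONFIG = """<pfsense><ipsec>
  <client><enable/><user_source>Local Database</user_source>
    <group_source>system</group_source><save_passwd/>
    <dns_domain>localdomain</dns_domain>
    <dns_server1>1.1.1.1</dns_server1><dns_server2>1.0.0.1</dns_server2></client>
  <phase1><ikeid>1</ikeid><mobile/><iketype>ikev1</iketype>
    <authentication_method>xauth_psk_server</authentication_method>
    <peerid_type>user_fqdn</peerid_type><nat_traversal>on</nat_traversal></phase1>
  <phase2><ikeid>1</ikeid><mobile/>
    <encryption-algorithm-option><name>aes256gcm</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option></phase2>
</ipsec></pfsense>"""

# (path under <ipsec>, expected text); None means the element only has to exist.
EXPECTED = [
    ("client/enable", None),
    ("client/user_source", "Local Database"),
    ("client/group_source", "system"),
    ("client/save_passwd", None),
    ("client/dns_domain", "localdomain"),
    ("client/dns_server1", "1.1.1.1"),
    ("client/dns_server2", "1.0.0.1"),
    ("phase1[mobile]/iketype", "ikev1"),
    ("phase1[mobile]/authentication_method", "xauth_psk_server"),
    ("phase1[mobile]/peerid_type", "user_fqdn"),
    ("phase1[mobile]/nat_traversal", "force"),
    ("phase2[mobile]/encryption-algorithm-option/name", "aes256gcm"),
    ("phase2[mobile]/hash-algorithm-option", "hmac_sha256"),
]

def audit_mobile_ipsec(xml_text):
    """Return (path, expected, found) for every setting that deviates from the recipe."""
    ipsec = ET.fromstring(xml_text).find("ipsec")
    if ipsec is None:
        return [("ipsec", "present", "missing")]
    findings = []
    for path, expected in EXPECTED:
        node = ipsec.find(path)  # [mobile] selects the mobile-client entry only
        found = "missing" if node is None else (node.text or "").strip()
        if node is None or (expected is not None and found != expected):
            findings.append((path, expected or "present", found))
    return findings
```

A configuration backup contains the pre-shared key and the user password hashes, so run the check where the backup is already stored rather than copying the file elsewhere.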