IKEv2 Multi WAN / SD WAN
M470
12.5.3
Just curious about something here. Recently I have been having select users move from SSL-VPN to IKEv2 due to the speed increase of IKEv2 hoping to eliminate the dropped RDP sessions they are experiencing.
Not using RADIUS, just Firebox users.
Now IKEv2 doesn't allow a split VPN so all traffic runs through the tunnel. If those are the rules I will play by them. ;-)
Now I have a multi-WAN configuration utilizing SD-WAN for routing; one connection is fast, while the other is slow. T-1 like slow.
If I connect a PC to the IKEv2 VPN and perform a tracert to yahoo.com, DNS resolves as expected but the external connection defaults to my slow T-1. Which sorta defeats the purpose of a faster VPN connection, right?
For fun I edit the default IKEv2 Users policy and enable SD-WAN, sending outbound traffic out the fast external connection.
After I do this, DNS no longer resolves and a tracert to yahoo.com fails, as does a tracert to 8.8.8.8.
Disabling SD-WAN makes everything work fine again.
The IKEv2 connection is pointed to one of the external IPs of my fast Internet connection, but my outbound IP is a different address on that subnet.
How does IKEv2 determine the external IP and routing of the VPN connection, and why does enabling SD-WAN blow everything up?
Bruce you out there?
Thanks for any input!
- Doug
It's usually something simple.
Comments
SD-WAN is only for outgoing policies. Do not select it on incoming policies.
The IKEv2 policy is for incoming connections.
Add outgoing policies From: IKEv2-Users for DNS etc, with SD-WAN to do what you want.
That makes sense Bruce, but what I don't understand is why all my outbound http/https policies utilize SD-WAN yet the Allow IKEv2 Users any/any policy chooses the slow connection.
Now, correct me if I'm wrong, but I believe since the slow external connection is utilizing the default external port on the Firebox, that is what the IKEv2 policy is using as its external port.
The faster connection utilizes another Optional port that has been changed to an External port.
That makes sense to me.
It's usually something simple.
From the docs:
"Do not enable SD-WAN in the BOVPN-Allow policies or in policies that apply to mobile VPN traffic or incoming traffic."
I'm assuming that since it did not work for you with SD-WAN on the Allow IKEV2-Users policy, that it is one of the reasons above.
Try adding additional policies as I suggested earlier.
Also without SD-WAN - if there is no other reason to use the 2nd WAN interface (caused by your Multi-WAN settings), then the lowest interface number will be used for outgoing traffic.
And consider opening a support incident if you want to find out exactly why SD-WAN on the Allow IKEV2-Users policy fails.
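The two rules in this thread (SD-WAN only on outgoing policies, never on BOVPN-Allow or mobile VPN/incoming policies; without SD-WAN the lowest-numbered external interface carries outbound traffic) as an added audit example. This is not WatchGuard's configuration format or code: the policy model, the interface numbers and the alias names other than IKEv2-Users, BOVPN-Allow and Any-External are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed external interfaces keyed by Firebox interface number. Assumption:
# the T-1 is on the lowest-numbered external interface, the fast link on a
# higher-numbered one that was changed from Optional to External.
EXTERNAL_IFACES = {0: "External-T1", 3: "External-Fast"}
OUTGOING_ALIASES = {"Any-External"} | set(EXTERNAL_IFACES.values())


@dataclass
class Policy:
    name: str
    src: list        # "From" aliases
    dst: list        # "To" aliases
    sdwan: str = ""  # external interface the SD-WAN action prefers; "" = off


def is_outgoing(p: Policy) -> bool:
    """A policy is outgoing only if every To entry is an external alias."""
    return bool(p.dst) and all(d in OUTGOING_ALIASES for d in p.dst)


def audit(policies):
    """Flag SD-WAN on BOVPN-Allow or on any policy that is not purely outgoing."""
    findings = []
    for p in policies:
        if not p.sdwan:
            continue
        if p.name.startswith("BOVPN-Allow"):
            findings.append((p.name, "SD-WAN on BOVPN-Allow policy"))
        elif not is_outgoing(p):
            findings.append((p.name, "SD-WAN on incoming/mixed policy"))
    return findings


def egress(p: Policy) -> str:
    """Lowest-numbered external interface unless an outgoing SD-WAN policy applies."""
    if p.sdwan and is_outgoing(p):
        return p.sdwan
    return EXTERNAL_IFACES[min(EXTERNAL_IFACES)]


# Constructed policies mirroring the thread: the built-in IKEv2 policy with
# SD-WAN wrongly enabled, a BOVPN policy with SD-WAN, and two outgoing policies.
POLICIES = [
    Policy("Allow IKEv2-Users", ["IKEv2-Users"], ["Any"], sdwan="External-Fast"),
    Policy("BOVPN-Allow.out", ["Any"], ["Any"], sdwan="External-Fast"),
    Policy("IKEv2-DNS-out", ["IKEv2-Users"], ["Any-External"], sdwan="External-Fast"),
    Policy("IKEv2-Web-out", ["IKEv2-Users"], ["Any-External"]),
]

if __name__ == "__main__":
    for name, why in audit(POLICIES):
        print(f"{name}: {why}")
    for p in POLICIES[2:]:
        print(f"{p.name}: egress via {egress(p)}")
```

Running it flags the first two policies and shows IKEv2-DNS-out leaving via External-Fast while IKEv2-Web-out, with no SD-WAN action, falls back to External-T1.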