Mobile VPN IKEv2 Unhandled-External-Packet
Hi
M370 running 12.6.2
I have a Mobile IKEv2 tunnel configured. On the Windows 10 client I have configured the tunnel as split tunnel and added routes.
Name : Sentia
ServerAddress : x.x.x.x
AllUserConnection : False
Guid : {C3AEBF45-1672-4688-8A4C-EFCD284BF29A}
TunnelType : Ikev2
AuthenticationMethod : {Eap}
EncryptionLevel : Custom
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream : #document
ConnectionStatus : Disconnected
RememberCredential : False
SplitTunneling : True
DnsSuffix : kaufmann.local
IdleDisconnectSeconds : 0
Network Destination   Netmask           Gateway       Interface       Metric
0.0.0.0               0.0.0.0           172.17.14.1   172.17.14.15    50
0.0.0.0               0.0.0.0           10.37.46.1    10.37.46.54     311
10.37.46.0            255.255.255.0     On-link       10.37.46.54     311
10.37.46.54           255.255.255.255   On-link       10.37.46.54     311
10.37.46.255          255.255.255.255   On-link       10.37.46.54     311
10.100.1.0            255.255.255.0     On-link       192.168.116.1   36
10.100.1.255          255.255.255.255   On-link       192.168.116.1   291
127.0.0.0             255.0.0.0         On-link       127.0.0.1       331
127.0.0.1             255.255.255.255   On-link       127.0.0.1       331
127.255.255.255       255.255.255.255   On-link       127.0.0.1       331
172.16.1.0            255.255.255.0     On-link       192.168.116.1   36
172.16.1.255          255.255.255.255   On-link       192.168.116.1   291
172.16.255.0          255.255.255.0     On-link       192.168.116.1   36
172.16.255.255        255.255.255.255   On-link       192.168.116.1   291
172.17.0.0            255.255.0.0       On-link       192.168.116.1   36
172.17.14.0           255.255.255.0     On-link       172.17.14.15    306
172.17.14.15          255.255.255.255   On-link       172.17.14.15    306
172.17.14.255         255.255.255.255   On-link       172.17.14.15    306
172.17.255.255        255.255.255.255   On-link       192.168.116.1   291
172.20.50.0           255.255.255.0     On-link       192.168.116.1   36
172.20.50.255         255.255.255.255   On-link       192.168.116.1   291
192.168.116.0         255.255.255.0     On-link       192.168.116.1   36
192.168.116.1         255.255.255.255   On-link       192.168.116.1   291
192.168.116.255       255.255.255.255   On-link       192.168.116.1   291
192.168.250.0         255.255.255.0     On-link       192.168.116.1   36
192.168.250.255       255.255.255.255   On-link       192.168.116.1   291
192.168.252.0         255.255.255.0     On-link       192.168.116.1   36
192.168.252.255       255.255.255.255   On-link       192.168.116.1   291
FWDeny, Denied, pri=4, disp=Deny, policy=Unhandled-External-Packet-00, protocol=icmp, src_ip=192.168.116.1, dst_ip=192.168.250.5, src_intf=TDC-EXT, dst_intf=Firebox, rc=101, pckt_len=92, ttl=2, src_user=username@KAUFMANN-Radius1, 3000-0148
I only have access to the "primary" IP subnet behind the Firebox. When accessing all other subnets I get Unhandled-External-Packet.
Any idea why?
Regards
Robert
Comments
Documentation says:
If the VPN connection cannot establish because of a user account issue, the log message Unhandled external packet appears in Traffic Monitor on the Firebox. This log message indicates that the user is not part of a group that is allowed to connect to Mobile VPN with IKEv2.
Session is established though and my policies do allow access to the above subnets.
Did you have multiple Add-VpnConnectionRoute entries in your IKEv2 setup script? If not, then this is a likely issue.
Review this:
IKEv2 Split Tunneling on Watchguard / Windows 10
https://community.spiceworks.com/topic/2269333-ikev2-split-tunneling-on-watchguard-windows-10
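For anyone who lands here with the same question, here is what a setup script with one Add-VpnConnectionRoute per subnet looks like, plus the two checks that show whether the routes really ended up on the VPN adapter. This is an added example, not the script from the original post or from WatchGuard. The connection name, DNS suffix and subnet list are taken from the post; the server address, the omission of an EAP XML profile (Windows then falls back to its default EAP method) and the IPsec proposal values are assumptions and must be matched to your own Firebox.

```powershell
# Added example (not from the original post): create the split-tunnel IKEv2
# connection and push one Add-VpnConnectionRoute per remote subnet, then
# verify what Windows actually installed.

$ConnectionName = 'Sentia'
$ServerAddress  = 'vpn.example.com'   # assumed placeholder for x.x.x.x in the post

# Remote networks that should go through the tunnel.
# List taken from the routing table in the post; adjust to the networks
# the Firebox publishes for Mobile VPN with IKEv2.
$RemoteSubnets = @(
    '10.100.1.0/24',
    '172.16.1.0/24',
    '172.16.255.0/24',
    '172.17.0.0/16',
    '172.20.50.0/24',
    '192.168.250.0/24',
    '192.168.252.0/24'
)

# Start from a clean state so re-running the script does not leave stale routes.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}

# Split tunnel: only the routes added below are sent through the VPN adapter,
# everything else keeps using the physical NIC's default gateway.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $ServerAddress `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod Eap `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential:$false `
                  -DnsSuffix 'kaufmann.local'

# "EncryptionLevel : Custom" in the post means the proposal was pinned like this.
# The values below are assumed placeholders; use the ones configured on the Firebox.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants SHA256128 `
    -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -PfsGroup PFS2048 `
    -Force

# One route entry per remote subnet. A single entry (only the "primary"
# subnet) is exactly the situation the comment above points to.
foreach ($prefix in $RemoteSubnets) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName `
                           -DestinationPrefix $prefix `
                           -PassThru
}

# Check 1: the routes are stored with the connection profile.
# This works while the tunnel is still disconnected.
Get-VpnConnectionRoute -ConnectionName $ConnectionName |
    Select-Object DestinationPrefix, RouteMetric

# Check 2 (run after connecting, e.g. "rasdial $ConnectionName"): the routes
# must be bound to the VPN adapter, whose interface alias equals the connection
# name. A route that still points at the physical NIC sends the packet to the
# Firebox's external interface in the clear, which is what the deny log shows.
Get-NetRoute -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue |
    Where-Object DestinationPrefix -in $RemoteSubnets |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```

Routes added with Add-VpnConnectionRoute are only installed into the Windows routing table while the tunnel is up, so run the second check after the connection is established. Even with the client side right, the Firebox still has to list the same subnets under the Mobile VPN with IKEv2 allowed resources and have a policy that permits the traffic, otherwise the packets are dropped on the firewall rather than misrouted on the client.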