IKEv2 Clients Fail To Connect

We have a T-40 Firebox with FW: 12.7.B639066
IKEv2 Clients are unable to connect. From Traffic Monitor, I see the following entry:

2021-05-23 15:27:51 Deny xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx isakmp/udp 500 500 External Firebox Denied 572 123 (Unhandled External Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148"

(Deny IP is WAN IP of Client).

Firewall Policy enabled to Allow IKEv2-Users
From IKEv2-Users (Any)
To Any

(User is setup in Authentication Server)

Any thoughts/suggestions would be appreciated. Please let me know if you need additional information
Thank you!
Chip

Comments

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Chip,

    Unhandled External means that the firewall isn't matching any policy for that traffic.

    Check to see if your default IKE rule is turned on.
    -In Policy Manager, go to VPN -> VPN Settings. Ensure "Enable built-in IPSec policy" is on.
    -In WebUI, go to VPN -> Global Settings, and ensure "Enable built-in IPSec policy" is turned on.

    If it's turned off on your firewall it's likely because you were passing IKE traffic to something else like a VPN concentrator.

    -James Carson
    WatchGuard Customer Support

  • Wow James... Excellent! "Enable built-in IPSec policy" was turned off. I would have never figured this out. Thank you sooo much for support and taking the time! Much appreciated!

Sign In to comment.