IKEv2 Clients are able to Authenticate but

I've enabled IKEv2 for Mac and iOS users using the Firebox DB as the authentication mechanism. The users are members of the IKEv2 group as well as the SSL-VPN.
The authentication process completes without a glitch. Once they're connected they aren't unable to access resources in the trusted network.

During the setup process the box created a rule
Allow IKEv2-Users - Policy Type Any - From IKEv2-Users (Any) - To Any-Trusted - Port any

Any and all help will be highly appreciated.


  • Can these IKEv2 users access anything else, such as the Internet ?

    What do you see in Traffic Monitor when this access is tried?

  • james.carsonjames.carson Moderator, WatchGuard Representative

    -Are the users part of the IKEv2_Users group in Firebox-DB?
    -Is the subnet the same where the users are coming from and the network they're trying to access? (e.g.,

    -James Carson
    WatchGuard Customer Support

  • edited February 2022

    james - I may have found the issue. Some genius, before my time, assigned the Corporate network IP range Long term solution would be to migrate to a new local network range 10.10.x.x.
    Evaluating short term solutions to this issue.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    The WatchGuard IPSec (IKEv1) client includes some network 1:to:1 NAT options you can use to try and overcome that, but it also requires that your user remember what the destination network is being NAT'ed to.

    The easiest and lowest friction thing to do would likely be to have the user change their network to something else (sine it's a /24, even something like would work.) They would need to reconnect everything on their network, but that'd generally just be a reboot for consumer devices. The issue is that MANY home networks run on that network, so you'll need to do that every time you run into that.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.