IKEv2 Clients are able to Authenticate but
I've enabled IKEv2 for Mac and iOS users using the Firebox DB as the authentication mechanism. The users are members of the IKEv2 group as well as the SSL-VPN.
The authentication process completes without a glitch. Once they're connected they aren't unable to access resources in the trusted network.
During the setup process the box created a rule
Allow IKEv2-Users - Policy Type Any - From IKEv2-Users (Any) - To Any-Trusted - Port any
Any and all help will be highly appreciated.
0
Sign In to comment.
Comments
Can these IKEv2 users access anything else, such as the Internet ?
What do you see in Traffic Monitor when this access is tried?
-Are the users part of the IKEv2_Users group in Firebox-DB?
-Is the subnet the same where the users are coming from and the network they're trying to access? (e.g., 192.168.1.0/24)
-James Carson
WatchGuard Customer Support
james - I may have found the issue. Some genius, before my time, assigned the Corporate network IP range 192.168.1.0/24. Long term solution would be to migrate to a new local network range 10.10.x.x.
Evaluating short term solutions to this issue.
The WatchGuard IPSec (IKEv1) client includes some network 1:to:1 NAT options you can use to try and overcome that, but it also requires that your user remember what the destination network is being NAT'ed to.
The easiest and lowest friction thing to do would likely be to have the user change their network to something else (sine it's a /24, even something like 192.168.123.0/24 would work.) They would need to reconnect everything on their network, but that'd generally just be a reboot for consumer devices. The issue is that MANY home networks run on that network, so you'll need to do that every time you run into that.
-James Carson
WatchGuard Customer Support