EPDR Discovery problem on IKEv2 VPN

EPDR cannot discover endpoints on the WG Mobile VPN with IKEv2. SSLVPN clients can be discovered.
The IKE VPN is configured with 1-to-1 NAT precedence, and endpoints can see the LAN but not each other. Sometimes not seeing each other is ideal, but we need to be able to discover EPDR endpoints connected through IKE.
Any suggestions on how to fix this (without being excessively disruptive to users)?

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @HughGamble

    If you're trying to initiate traffic to the SSLVPN or IKEv2 users, you'll need to create a policy to allow that traffic. Generally, an Any packet filter from the IP(s) you want to search from to the subnet of the SSLVPN (e.g. 192.168.113.0/24) is the easiest way to do that. I would caution against allowing everything to talk to everything, as that can allow other things to spread (like malware, etc., should a PC be infected).

    -James Carson
    WatchGuard Customer Support
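The scoping advice in the reply above (a policy from the scanning host to the VPN subnet, rather than any-to-any) can be checked against a small policy model. The code below is an added example written for this page, not WatchGuard's own tooling or the poster's configuration: the LAN subnet, scanner address, policy names and the first-match ordering are all assumptions (Fireware has its own precedence rules, so verify against the real policy list), and only the 192.168.113.0/24 VPN subnet comes from the reply.

```python
"""Model the policy scoping discussed above with a simplified first-match evaluator.

Added example, not code from the thread. Subnets other than 192.168.113.0/24,
the policy names and the first-match ordering are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def nets(*cidrs: str) -> List[Net]:
    """Parse CIDR strings into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def contains(netlist: List[Net], ip: Addr) -> bool:
    return any(ip in n for n in netlist)


@dataclass
class Policy:
    name: str
    src: List[Net]
    dst: List[Net]
    services: Optional[Set[str]] = None  # None models "Any" port/protocol

    def matches(self, src_ip: Addr, dst_ip: Addr, service: str) -> bool:
        return (contains(self.src, src_ip)
                and contains(self.dst, dst_ip)
                and (self.services is None or service in self.services))


def evaluate(policies: List[Policy], src: str, dst: str, service: str) -> str:
    """Return the name of the first allow policy matching the flow, or 'deny'
    (an implicit default deny is assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.matches(s, d, service):
            return p.name
    return "deny"


ANY = nets("0.0.0.0/0")
VPN = nets("192.168.113.0/24")   # VPN client subnet, as in the reply above
SCANNER = nets("10.0.1.50/32")   # assumption: the host that runs EPDR discovery
LAN = nets("10.0.1.0/24")        # assumption: trusted LAN

# What discovery has to reach on each client: ICMP echo and the admin shares (SMB).
DISCOVERY = {"icmp", "tcp/445"}

# Models the auto-generated "from VPN users to Any" policy mentioned in the thread.
AUTO_GENERATED = Policy("Allow-VPN-Users", src=VPN, dst=ANY)
# The scoped policy the reply recommends: scanner -> VPN subnet, discovery services only.
SCANNER_TO_VPN = Policy("Scanner-to-VPN", src=SCANNER, dst=VPN, services=DISCOVERY)
# The policy the reply warns against.
ANY_TO_ANY = Policy("Any-to-Any", src=ANY, dst=ANY)


def baseline() -> List[Policy]:
    return [AUTO_GENERATED]


def scoped() -> List[Policy]:
    return [SCANNER_TO_VPN, AUTO_GENERATED]


def permissive() -> List[Policy]:
    return [ANY_TO_ANY, AUTO_GENERATED]


def lateral_exposure(policies: List[Policy], attacker: str, victim: str) -> bool:
    """True if an arbitrary (possibly infected) host can reach the victim's admin
    share under this policy set. This is the spread risk the reply warns about."""
    return evaluate(policies, attacker, victim, "tcp/445") != "deny"


if __name__ == "__main__":
    client = "192.168.113.10"        # a VPN client being discovered
    other_lan_host = "10.0.1.77"     # assumption: some other PC on the LAN
    for label, pols in (("baseline", baseline()), ("scoped", scoped()),
                        ("permissive", permissive())):
        print(f"{label:10} scanner->client tcp/445: "
              f"{evaluate(pols, '10.0.1.50', client, 'tcp/445')}; "
              f"lateral from {other_lan_host}: {lateral_exposure(pols, other_lan_host, client)}")
```

The baseline set (only the auto-generated VPN-users-to-Any policy) denies the scanner's inbound traffic, which is the symptom in the question; the scoped set allows exactly ICMP and SMB from the scanner and nothing from other LAN hosts; the any-to-any set allows the discovery traffic too, but also lets any LAN host reach any VPN client's admin share.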

  • @james.carson said:
    Hi @HughGamble

    If you're trying to initiate traffic to the SSLVPN or IKEv2 users, you'll need to create a policy to allow that traffic. Generally, an Any packet filter from the IP(s) you want to search from to the subnet of the SSLVPN (e.g. 192.168.113.0/24) is the easiest way to do that. I would caution against allowing everything to talk to everything, as that can allow other things to spread (like malware, etc., should a PC be infected).

    To clarify, WatchGuard EPDR Discovery only needs access from a PC on the VPN (or LAN/other secure zone) to other PCs on the VPN (broadcast capability). Firewall policies are probably not the issue here, and it works to ping/discover inside the WG Mobile SSLVPN. But the WG Mobile IKE VPN works quite differently: we cannot ping from one PC on the VPN to another (which is normally good security, and not needed). But for WatchGuard EPDR to discover and install new endpoints, we need the IKE VPN to work as the SSLVPN does. FYI, the SSLVPN is routed rather than bridged, and does not give precedence to 1-to-1 NAT over Dynamic NAT. The problematic IKE VPN does give precedence to 1-to-1 NAT.

    Also, for reasons I do not recall, the IKE VPN /24 has a static route set up with the FireCluster LAN IP as the gateway.

    I expect the answer is not hard, but I don't want to fiddle with different things at random. If I change the NAT precedence of the VPN, it is likely to break something users will complain about.

    WatchGuard EPDR also needs the PCs configured for admin share access, network discovery, and a number of other things, but those work from the WG Mobile SSLVPN, so that part is OK. I just need to be able to broadcast within the subnet of the IKE VPN.

  • We do have the auto-generated firewall policy rules for both the SSLVPN and the IKE VPN, both allowing traffic from the respective VPN users to Any, port Any. They differ slightly in the NAT precedence checkboxes (IIRC the SSLVPN did not work when 1-to-1 NAT precedence was ticked).
