Carrier-grade NAT and mobile IKEv2
We have a lot of issues when users try to connect to the Watchguard with mobile IKEv2 while they are sitting behind a CG-NAT. Most of the time the connection does not get established. The Watchguard Traffic Monitor shows reason="lifetime timer expires". I would say almost 5% of all users have this issue, and the number is increasing. Most of them are using Vodafone Germany as their ISP, which is using CG-NAT for all new contracts. Currently you can call the support of the ISP and disable the CG-NAT option for free. But most users will not do that.
I know this might not be a specific Watchguard problem, but I just want to ask you how you are handling this situation. I am planning to go back to mobile SSL VPN. This works without a problem on CG-NAT connections. But the Windows integration with IKEv2 allows us to connect to the Watchguard with the Windows login, which is nice for domain-joined devices.
Do you guys have any solutions?