IKEv2 clients can no longer access sites on the trusted/optional networks M200 12.5.11

I suspect this occurred during the 12.5.11 update, but I am unsure. Previously, the firebox was on version 12.5.9.

As of a somewhat indeterminate time, users connecting via IKEv2 Mobile VPN can no longer access HTTP or HTTPS content on the internal network. Prior to updating to 12.5.11, they could (that's how I did the update).

They can ping any device they should be able to (at least the half dozen or so I've checked).

With logging enabled for the "Allow IKEv2 Users", the traffic monitor shows that requests are being passed along fine.

Possibly of note - IKEv2 Users (group) and the users in said group (ike2c1 - ike2cn) do not show up in the WebUI policy manager (and so cannot be added to other policies) but do show up in the WSM Policy Manager. They are also present in Authentication > Servers > FireboxDB, but not Authentication > Users and Groups. Unsure if that's expected behaviour.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @UBu
    By default the IKEv2 allow policy allows access to any resources, and the VPN route is a full tunnel.
    I would suggest a support case so that we can look and see what might be happening. You can create a support case by going to the Support Center at the top right of this page.

    -James Carson
    WatchGuard Customer Support
