IKEv2 mobile VPN accessing internal network
I am running a T35 (12.5.11) Firebox in a small office. I am trying to set up an IKEv2 mobile VPN to allow a single remote user to access our internal network for the purpose of using our dental software (Dentrix) remotely. I was able to successfully set up an SSL VPN; however, the dental software was completely unusable due to being so slow. Things that should take < 1 second were taking around 15. However, I was able to see all of the internal network (other computers, server) when using the SSL connection. I decided to try IKEv2 under the assumption it might be faster.
I had no difficulty setting up the IKEv2 mobile VPN and my client computer can connect to the Firebox and I'm able to browse the internet and can log into the Firebox from the client computer. However, I can't see (View network computers) or ping other computers on the network.
I set up the IKEv2 to use the same subnet (192.168.1.xxx) as the trusted network. However, I noticed my subnet mask does not match the other computers on the network with the VPN's mask being x.255 and the others are x.000.
Help files indicated that IKE VPNs are not trusted and policies need to be changed to make them trusted, but it does not explain how to do that. I added my IKE user to every policy in the Firewall with "Any Trusted" to also include the user, but that did not solve the issue.
I feel like this is probably a pretty simple problem and I just need to change a single setting to fix it, but I don't know what that setting is. I would rate my networking knowledge about a 2/10. I found some other posts with similar issues but no resolution. Any assistance would be appreciated.
Comments
https://www.watchguard.com/help/video-tutorials/Set_Up_Mobile_VPN_with_IKEv2/index.html
I deleted my additional Virtual IP pool entries and left the default. Still the same problem upon reconnecting.
However, I did realize the client computer thought the network was public and was not discoverable. Changing it to private and recreating the IP addresses in the trusted pool allowed me to ping the other computers successfully. I still cannot see the other computers in the network via Windows Explorer.
Windows Explorer uses SMB broadcasts to find out about Windows devices.
Broadcast packets won't cross a routed interface - so they won't go to your IKEv2 client when using a different virtual IP addr pool.
You should be able to connect to Windows shares using "net use" commands or via "Map network drive" by providing the destination IP addr & share info.
net use [drive letter:] \\[ip address]\[drive letter]$ /User:[Windows User Name] [Password]
Right-click the Computer icon and click on the Map network drive… option.
IKEv2 doesn’t download the settings from the Firebox every time you connect, the way the sslvpn client does, for example.
With IKEv2 you need to manually give these settings or edit the “AddVPN.ps1” in the IKEv2 *.bat file.
In Fireware v12.2 or lower, you cannot configure DNS and WINS settings in the Mobile VPN with IKEv2 configuration. Clients automatically receive the DNS and WINS servers specified in the Network (global) DNS/WINS settings on the Firebox. The domain name suffix is not inherited.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_wins-dns_config.html
To check that the IKEv2 DNS suffix is correct, open a PowerShell window (run as admin) and run:
"Get-VpnConnection", which shows the IKEv2 settings the Windows client has.
With the following command, you can add the DNS suffix to the IKEv2 configuration:
Set-VpnConnection -Name "WG IKEv2" -DnsSuffix domain.local
More IKEv2 commands:
https://docs.microsoft.com/en-us/powershell/module/vpnclient/?view=windowsserver2019-ps
Also check this if you are using Firebox-DB authentication:
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bpLuSAI&lang=en_US
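A client-side check that pulls together the settings discussed in this thread, as an added example (not posted by any participant and not WatchGuard's own script): it reads the IKEv2 profile, reports the DNS suffix and the network category Windows assigned to the tunnel, and tests SMB by IP address instead of relying on broadcast discovery. The connection name "WG IKEv2" and the suffix domain.local are taken from the commands above; the address 192.0.2.10 is a placeholder for an internal server.

```powershell
# Added example: read-only check of a Windows IKEv2 VPN profile.
# Placeholders (assumptions): $ExpectedSuffix and $TargetIp must be replaced
# with the real internal domain suffix and server address.
param(
    [string]$VpnName        = 'WG IKEv2',
    [string]$ExpectedSuffix = 'domain.local',
    [string]$TargetIp       = '192.0.2.10'
)

# The profile may live in the user phonebook or the all-users phonebook.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if (-not $vpn) {
    $vpn = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction Stop
}

# Settings stored on the client; IKEv2 does not refresh them from the Firebox.
[pscustomobject]@{
    Name           = $vpn.Name
    TunnelType     = $vpn.TunnelType
    Status         = $vpn.ConnectionStatus
    SplitTunneling = $vpn.SplitTunneling
    DnsSuffix      = $vpn.DnsSuffix
} | Format-List

if ($vpn.DnsSuffix -ne $ExpectedSuffix) {
    Write-Warning ("DNS suffix is '{0}', expected '{1}'. Set it with: " +
        "Set-VpnConnection -Name '{2}' -DnsSuffix {1}") -f `
        $vpn.DnsSuffix, $ExpectedSuffix, $VpnName
}

if ($vpn.ConnectionStatus -eq 'Connected') {
    # While connected, the tunnel interface alias matches the connection name.
    $netProfile = Get-NetConnectionProfile -InterfaceAlias $VpnName `
        -ErrorAction SilentlyContinue
    if ($netProfile) {
        "Network category on tunnel: $($netProfile.NetworkCategory)"
    }

    # Browsing in Explorer depends on broadcasts that do not cross the routed
    # tunnel, so test file-sharing reachability directly by IP on TCP 445.
    $smb = Test-NetConnection -ComputerName $TargetIp -Port 445 `
        -WarningAction SilentlyContinue
    "SMB (TCP 445) to ${TargetIp}: $($smb.TcpTestSucceeded)"
} else {
    Write-Warning "VPN '$VpnName' is not connected; skipping network checks."
}
```

The script changes nothing on the client; it only prints the suggested Set-VpnConnection command when the suffix differs.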