IKEv2 VPN Not Connecting - IKE_Auth Packet Fragmentation

BazMac

Hoping someone can shed some light.

We have a number of users all on Windows 10. Intermittently the client will fail to connect to IKEv2 VPN. Having raised with WG Support and ran some testing with them, they have advised that issues can arise when IKE_AUTH packets arrive as fragments.

They offered the following KB:

https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA16S000000XeNxSAK&lang=en_US

Following the KB, we have been looking into the different scenarios of what works and what doesn't.

So far:

1. Removing all expired certs for the Trusted CA Authority on the local machine resolves the issue. - the issue with this is 2 fold; firstly this is not a manageable solution and secondly, some expired certs that were deleted come back again.

2. Proved that if the # of cert <=56 the connection works. >56 the connection won't work. (However Windows 11 devices that have 60/70+ certs never have any issues.)

Has anyone else come across this and offer any solutions?

james.carson

If the packets are already arriving at the firebox fragmented/dropped, the only real solution will be to modify how (big) the client is making the authentication request. It may be possible for Microsoft to update the client to not do this in the future, but as far as I'm aware the only way to correct this currently is to delete the certs.

If it's not feasible to do this, you may wish to look into the SSLVPN, which manages its certificates via a package the client downloads after authenticating.