IKEv2 with ISP NAT problems


Recently our ISP changed our private and public IP and now we have a private ISP IP with a public IP in 1:1 NAT. Before we had the same private/public.

Private IP: 10.xx.xx.xx
Public IP: 189.xx.xx.xx

I already configured IKEv2 VPN with both IPs. I can connect via the same ISP to the private IP. I cannot connect via the public IP from within the same ISP or any other ISP.

SSL VPN works correctly with the public IP from any ISP, just the IKEv2 is having problems.

Is there an additional configuration that I am missing? The ISP modem is in bridge mode. The interface IP is the private IP. I don't know if that is the problem.

Can someone help me figure this out?


  • Perhaps turning on diagnostic logging for IKE will show something to help.

    In WSM Policy Manager: Setup -> Logging -> Diagnostic Log Level -> VPN -> IKE
    Set the slider to Information or higher

    In the Web UI: System -> Diagnostic Log -> VPN -> IKE
    Click the down arrow and select Information

  • james.carson, Moderator, WatchGuard Representative

    I'm not exactly sure what you mean when you say the ISP changed your private IP. If your ISP is now NATing your connection, they're likely doing something like carrier-grade NAT (CG-NAT).
    If nothing was done on the ISP's equipment to forward the ports for IKEv2 to your firewall via that scheme, it won't make it to your firebox. You'll need to contact your ISP to see if this can be set up.

    -James Carson
    WatchGuard Customer Support
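
As background to the port-forwarding point above, an added example (not part of the thread and not WatchGuard code) of how IKEv2 peers detect NAT per RFC 7296 section 2.23, and why both UDP 500 and UDP 4500 have to reach a firewall whose interface holds a private address. The SPI, all addresses and the function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500   # UDP ports IKEv2 uses (RFC 7296)
ZERO_SPI = bytes(8)               # responder SPI is zero in the first IKE_SA_INIT

def nat_hash(spi_i, spi_r, ip, port):
    """NAT_DETECTION_*_IP notify data: SHA-1(SPIi | SPIr | IP | port)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(spi_i + spi_r + packed).digest()

def responder_check(spi_i, sent_src, sent_dst, seen_src, local_dst):
    """Compare the hashes the initiator sent with what the responder observes.

    Every endpoint is an (ip, port) tuple. sent_* is what the initiator
    believed when it built the packet; seen_src and local_dst are the source
    the responder sees and the address the packet arrived on.
    """
    src_nat = nat_hash(spi_i, ZERO_SPI, *sent_src) != nat_hash(spi_i, ZERO_SPI, *seen_src)
    dst_nat = nat_hash(spi_i, ZERO_SPI, *sent_dst) != nat_hash(spi_i, ZERO_SPI, *local_dst)
    nat = src_nat or dst_nat
    return {
        "initiator_behind_nat": src_nat,
        "responder_behind_nat": dst_nat,
        # Once NAT is detected, IKE_AUTH and ESP-in-UDP move to port 4500.
        "ike_auth_port": NATT_PORT if nat else IKE_PORT,
        "udp_ports_needed": [IKE_PORT, NATT_PORT] if nat else [IKE_PORT],
    }

# Constructed sample values (documentation address ranges, not from the thread).
SPI_I = bytes.fromhex("0102030405060708")
CLIENT = ("198.51.100.7", IKE_PORT)
PUBLIC = ("203.0.113.10", IKE_PORT)   # address the client dials
PRIVATE = ("10.0.0.2", IKE_PORT)      # address on the firewall's interface

def demo():
    to_private = responder_check(SPI_I, CLIENT, PRIVATE, CLIENT, PRIVATE)
    to_public = responder_check(SPI_I, CLIENT, PUBLIC, CLIENT, PRIVATE)
    return to_private, to_public

if __name__ == "__main__":
    for label, result in zip(("dial private IP", "dial public IP"), demo()):
        print(label, result)
```

When the client dials the public address, the destination hash no longer matches the firewall's own interface address, so the exchange continues on UDP 4500; an upstream device that passes only UDP 500 would let IKE_SA_INIT through and drop everything after it.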
