Always on VPN
Good Morning
I'm looking for a solution to use IKEv2 WG VPN always on.
So before login, the VPN connects, and reconnects if the connection is dropped afterwards; if no VPN is connected, no internet access is allowed.
Does anyone have a solution for this?
Best Regards
Comments
Hi @Nuno_Carreira
Please check out the KB article here that goes over a few options:
(Custom IKEv2 and L2TP VPN profiles for Windows computers)
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000bopASAQ
-James Carson
WatchGuard Customer Support
WG supports IKEv2 Always On VPN, sort of…
With the built-in Windows IKEv2 client, the Firebox firewall supports Microsoft AOVPN user tunnels with MSCHAPv2 authentication (username & password). This tunnel starts after Windows login.
Unfortunately, Firebox does not support the certificate authentication that is needed for Microsoft AOVPN device tunnels;
check: https://directaccess.richardhicks.com/2020/03/30/always-on-vpn-device-tunnel-operation-and-best-practices/
AOVPN is more a Windows configuration than a Firebox IKEv2 VPN configuration, so if you already have a working Firebox IKEv2 VPN configuration you can configure Windows machines to do IKEv2 AOVPN user tunnels with PowerShell and/or Intune…
You can also buy from WG the NCP IPsec Mobile VPN Client software, which supports IKEv2; this client also has support for Always On / Pre-logon options,
but it's still user tunnels with MSCHAPv2 authentication (username & password)…
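The PowerShell route mentioned above, as an added example (not from this thread, WatchGuard or Microsoft): it builds an Always On VPN user-tunnel ProfileXML for the built-in Windows IKEv2 client, authenticating with EAP-MSCHAPv2 (username and password, which is what the Firebox supports), and pushes it through the VPNv2 CSP via the MDM/WMI bridge, the same mechanism Intune uses. It assumes the Firebox side already works with the Windows IKEv2 client. The server name `vpn.example.com`, the profile name and the DNS suffix `corp.example.com` are placeholders. Because this is a user tunnel it only comes up after logon, and `ForceTunnel` routes all traffic through the tunnel while it is up but does not block internet access while it is down, so the OP's last requirement is not covered by this profile.

```powershell
# Added example, not WatchGuard's or Microsoft's code. Run in an elevated
# PowerShell session as the user who will own the tunnel.
$ProfileName   = 'Firebox IKEv2 AOVPN'   # assumed profile name
$ServerAddress = 'vpn.example.com'       # assumed Firebox external FQDN
$DnsSuffix     = 'corp.example.com'      # assumed internal DNS suffix (trusted network)

# EAP-MSCHAPv2 (EAP type 26) method configuration. IKEv2 user tunnels require
# UserMethod=Eap; UseWinLogonCredentials=false means the user enters the
# Firebox/RADIUS credentials once, after which RememberCredentials reuses them.
$EapConfig = @"
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">26</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>false</UseWinLogonCredentials>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>
"@

# ProfileXML for the VPNv2 CSP: IKEv2, force-tunnel, always on, auto-reconnect.
# TrustedNetworkDetection keeps the tunnel down while on the corporate LAN;
# drop that element if the tunnel should be up everywhere.
$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$ServerAddress</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>$EapConfig</Configuration>
      </Eap>
    </Authentication>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>$DnsSuffix</TrustedNetworkDetection>
</VPNProfile>
"@

# The MDM bridge expects the XML entity-escaped as a CSP node value.
$ProfileXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

$Namespace  = 'root\cimv2\mdm\dmmap'
$ClassName  = 'MDM_VPNv2_01'
$NodeCspUri = './Vendor/MSFT/VPNv2'
$InstanceId = $ProfileName -replace ' ', '%20'   # CSP node names cannot contain spaces

# Scope the CSP write to the current user's SID so it becomes a user tunnel,
# not a device tunnel (which needs certificate auth the Firebox lacks).
$Sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$Session = New-CimSession
$Options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
$Options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
$Options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $Sid, $false)

# Replace any stale copy of the profile, then create the new one.
$Existing = $Session.EnumerateInstances($Namespace, $ClassName, $Options) |
    Where-Object { $_.InstanceID -eq $InstanceId }
if ($Existing) { $Session.DeleteInstance($Namespace, $Existing, $Options) }

$NewInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $ClassName, $Namespace
$NewInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', $NodeCspUri, 'String', 'Key'))
$NewInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $InstanceId, 'String', 'Key'))
$NewInstance.CimInstanceProperties.Add(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $ProfileXML, 'String', 'Property'))
$Session.CreateInstance($Namespace, $NewInstance, $Options) | Out-Null

# Verify: the profile should now be visible to this user as an IKEv2 connection.
Get-VpnConnection -Name $ProfileName | Select-Object Name, TunnelType, AuthenticationMethod
```

The first connection prompts for the Firebox username and password; after that, `AlwaysOn` plus `RememberCredentials` brings the tunnel back up automatically when the network changes or the IKEv2 session drops. For Intune, paste the unescaped `$ProfileXML` into a custom OMA-URI profile under the same `./User/Vendor/MSFT/VPNv2/<name>/ProfileXML` path instead of running the script.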
For what it's worth, a while back I opened a ticket re the use of certificate authentication for IKEv2 MUVPN; my case was tagged against enhancement FBX-7518 and is still open.
The bit that the OP mentions about dropping Internet access without the VPN is not one I'm aware the inbuilt Windows VPN client can handle, but then again I haven't had that scenario before (some third-party clients can do this).