Limit remote IKEv2 Mobile VPN connections with Geolocation

Woodenshoe · May 27

Is there a way to limit the connections for IKEv2 Mobile clients from the WAN?

I configure the limitation for SSLVPN connectinos with the 'WatchGuard SSLVPN' policy to allow only some countries that employees are allowed to travel. But is there also a solution for the IKEv2 mobile connections? I can't find the build-in IPSec policy to do this.

Or do I need to Disable the Built-in IPSec Policy option in the Global VPN Settings and create a new policy to allow IPSec to the Firebox with some limitattions?

james.carson · May 27

Hi @Woodenshoe

To modify the inbound IPSec rule you'll need to turn off the firewall's built-in one and make your own.

See:
(Configure Inbound IPSec Pass-through with SNAT)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/ipsec_pass-through_c.html

If you're not sending IPSEC traffic elsewhere, you only need to make the second rule, "IPSec_to_Firebox" in that example. The IPSec_to_Firebox rule is where you'd apply geolocation or any other policies that you want.

Limit remote IKEv2 Mobile VPN connections with Geolocation

Comments