IKEv2 VPN - Can't access internal resources

Hi All,

Forgive me for the rookie question. I set up an IKEv2 VPN via the WatchGuard configuration wizard on the Firebox web UI. The Firebox is doing the authentication and all of the users are in the proper IKEv2 group. When I run the client configuration script on a Win 10 machine, the VPN successfully connects. However, the client still cannot access any internal resources/folders.

Is there a simple step I'm missing? Do I need to create a new SNAT or a different policy? It seems that the IKEv2 policy is created automatically, but I still feel like I'm missing something.

Thanks for the help.

Comments

  • How are clients trying to access folders?
    What other internal resources are they trying to access ? By IP addr or by a name ?

  • @Bruce_Briggs said:
    How are clients trying to access folders?
    What other internal resources are they trying to access ? By IP addr or by a name ?

    Hey Bruce. We have internal smb shares from a file server that are pushed via group policy.

  • FYI - a VPN connection does not log the user into the AD domain, so make sure that VPN users can access the share without needing AD credentials.

    To access a share, you can use the IP addr, the fully qualified domain name, or a short name.
    The last 2 require the VPN client to have a DNS entry for your internal AD DNS server during the VPN connection.
    The 3rd one requires the VPN client to have a Domain Name suffix entry for your AD domain during the VPN connection.
    Adding the DNS server and the domain name suffix to the Network -> Connection -> WINS/DNS tab should provide those for the IKEv2 VPN session.

  • I know some of this is just out of my depth, so I apologize for the dumb questions, but when I set up an SSL VPN (I understand different product) clients can connect to internal resources just fine, albeit with a less than great connection.

    I added our internal DNS server address to the configuration and redeployed the config to a client and still no luck. Trying to access one of our shared drives just results in a timeout.

  • @Bruce_Briggs said:
    FYI - a VPN connection does not log the user into the AD domain, so make sure that VPN users can access the share without needing AD credentials.

    To access a share, you can use the IP addr, the fully qualified domain name, or a short name.
    The last 2 require the VPN client to have a DNS entry for your internal AD DNS server during the VPN connection.
    The 3rd one requires the VPN client to have a Domain Name suffix entry for your AD domain during the VPN connection.
    Adding the DNS server and the domain name suffix to the Network -> Connection -> WINS/DNS tab should provide those for the IKEv2 VPN session.

    Okay wait, maybe I'm getting somewhere. I added the local DNS server and if I open up a File Explorer window and type the FQDN of our file server I CAN indeed access the server. However, if I try to access the shares from just `\\SERVER\Share`, they're inaccessible, with a message stating "the local device name is already in use" and "This connection has not been restored."

  • What are you entering for SERVER ?
    FQDN, IP addr or short name.
    If short name, you need the Domain Name suffix = Domain Name on the WINS/DNS tab

  • @Bruce_Briggs said:
    What are you entering for SERVER ?
    FQDN, IP addr or short name.
    If short name, you need the Domain Name suffix = Domain Name on the WINS/DNS tab

    The short name. Another dumb question, but the system doesn't seem to let me add a suffix or short name in that field? Only an IP?

  • Exactly where are you looking?

    WSM Policy Manager: Network -> Connection -> WINS/DNS tab -> Domain Name field
    Web UI: Network -> Interfaces -> WINS/DNS tab -> Domain Name field

    Enter your domain name suffix to be appended to the short name being used

  • @Bruce_Briggs said:
    Exactly where are you looking?

    WSM Policy Manager: Network -> Connection -> WINS/DNS tab -> Domain Name field
    Web UI: Network -> Interfaces -> WINS/DNS tab -> Domain Name field

    Enter your domain name suffix to be appended to the short name being used

    I was looking in the DNS/WINS settings for the Ikev2 config page itself, not under interfaces.

    I went to the area you pointed out and entered the domain name suffix under the domains field and still no dice. I may just be a lost cause here, but I appreciate all the help you're trying to give.

  • Make sure that you did not change the radio button on the IKEv2 setup from "Assign the Network DNS/WINS settings to mobile clients" to another option.

    Make sure that you have your internal DNS server on the Network WINS/DNS tab.

  • AFAIK, the IKEv2 session will get the domain name suffix from the WINS/DNS tab entry.

  • You do this on the BOVPN Tunnel settings:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_use_1to1_nat_c.html

    Local = your internal device real IP addr
    1:1 NAT = the desired public IP addr

  • Hey Bruce. Whelp, tried again with what you had given and still no luck. I think at this point due to all the changes I made, I'm going to scrap and start the wizard fresh with the additional advice that you've given and see if I get anywhere. I'll let you know if I do!

  • You can always open a support incident to get WG help with this.
    Just click the Support Center button above and sign in to do that.

  • @JustinInDenver said:
    Hey Bruce. Whelp, tried again with what you had given and still no luck. I think at this point due to all the changes I made, I'm going to scrap and start the wizard fresh with the additional advice that you've given and see if I get anywhere. I'll let you know if I do!

    I'm having the same problem. Did you manage to get IKEv2 VPN working successfully (being able to connect to internal network, shared folders etc)?

  • Might be too late for you guys but might help someone in the future. You need to set the DNS suffix in the VPN network adapter on the Windows client: Network Connections > VPN Adapter Properties > TCP/IPv4 Properties > Advanced > DNS tab > DNS Suffix. This is what works for me to allow users to access network shares via short host name.
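  • The two things this thread keeps coming back to are (a) whether the Firebox actually pushed the internal DNS server and domain suffix to the IKEv2 adapter, and (b) the client-side workaround in the last comment of setting the connection-specific suffix on the VPN adapter by hand. The script below is an added example, not code from the thread or from WatchGuard: run it in an elevated PowerShell on the Windows client while the VPN is up. It reads what the adapter received, sets the suffix and DNS server if they are missing, then checks that both the short name and the FQDN resolve and that SMB (TCP 445) is reachable through the tunnel. The VPN connection name "WatchGuard IKEv2", the domain corp.example.com, the DNS server 10.0.0.10 and the file server short name FS01 are placeholders; substitute your own.

```powershell
# Added example (not from the thread): check and repair short-name resolution over the
# IKEv2 client connection on Windows. All names below are assumptions to be replaced.
#Requires -RunAsAdministrator
param(
    [string]$VpnName   = 'WatchGuard IKEv2',   # name given to the VPN connection on the client
    [string]$DnsSuffix = 'corp.example.com',   # AD domain name used as the suffix
    [string]$DnsServer = '10.0.0.10',          # internal AD DNS server
    [string]$ShortName = 'FS01'                # file server short name, e.g. \\FS01\Share
)

$ErrorActionPreference = 'Stop'

# 1. Locate the VPN interface. While connected, the RAS connection appears as an IP
#    interface whose alias is the VPN connection name (assumption about the client setup).
$iface = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -eq $VpnName -and $_.ConnectionState -eq 'Connected' }
if (-not $iface) { throw "VPN '$VpnName' is not connected; connect it first (rasdial `"$VpnName`")." }
$ifIndex = $iface.ifIndex

# 2. Show what the Firebox pushed: DNS servers and the connection-specific suffix.
#    If the Network -> WINS/DNS tab on the Firebox is correct these are already populated.
$dns = Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4
$cli = Get-DnsClient -InterfaceIndex $ifIndex
"Pushed DNS servers : $($dns.ServerAddresses -join ', ')"
"Connection suffix  : '$($cli.ConnectionSpecificSuffix)'"

# 3. Without a suffix, \\FS01\Share cannot resolve even though the FQDN does.
#    This is the manual workaround from the last comment, done from the shell.
if ([string]::IsNullOrEmpty($cli.ConnectionSpecificSuffix)) {
    Set-DnsClient -InterfaceIndex $ifIndex -ConnectionSpecificSuffix $DnsSuffix
    "Set connection-specific suffix on '$VpnName' to $DnsSuffix"
}
# If the internal DNS server was not pushed, point the VPN adapter at it explicitly.
if (-not ($dns.ServerAddresses -contains $DnsServer)) {
    Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DnsServer
    "Set DNS server on '$VpnName' to $DnsServer"
}
Clear-DnsClientCache

# 4. Resolve both name forms through the normal client resolver (so the suffix search
#    list is exercised), DNS only, no LLMNR/NetBIOS fallback that could mask the problem.
$fqdn = "$ShortName.$DnsSuffix"
foreach ($name in @($ShortName, $fqdn)) {
    try {
        $ip = (Resolve-DnsName -Name $name -Type A -DnsOnly | Where-Object { $_.IPAddress }).IPAddress |
              Select-Object -First 1
        "$name -> $ip"
    } catch {
        "$name -> FAILED: $($_.Exception.Message)"
    }
}

# 5. Name resolution is only half of it: the share also needs TCP 445 through the tunnel.
#    If the FQDN resolves but this fails, look at the Firebox policy/route, not DNS.
$smb = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
"SMB (445) to $fqdn reachable: $($smb.TcpTestSucceeded)"
```

    The suffix set in step 3 belongs to that VPN interface only, so it does not affect name resolution when the tunnel is down; if the Firebox later pushes the suffix correctly, the manual setting is simply redundant. Note that this only covers name resolution and reachability: as Bruce points out above, the VPN does not log the user into the domain, so the share still has to be accessible with whatever credentials the client presents.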
