IKEv2 W10 client connects but no default gateway and /32 netmask
I just tried (again) to configure IKEv2 muvpn for W10 clients. I used the wizard and kept everything at the defaults.
Client connects without problems. But I can't reach anything.
Client gets a 192.168.114.2 IP, a 255.255.255.255 netmask, no default gateway, and the IPs of my internal DNS.
route print
Network Destination   Netmask            Gateway    Interface       Metric
0.0.0.0               0.0.0.0            10.0.0.1   10.0.3.21       4280
0.0.0.0               0.0.0.0            On-link    192.168.114.2   46
10.0.0.0              255.255.252.0      On-link    10.0.3.21       4536
10.0.3.21             255.255.255.255    On-link    10.0.3.21       4536
10.0.3.255            255.255.255.255    On-link    10.0.3.21       4536
127.0.0.0             255.0.0.0          On-link    127.0.0.1       4556
127.0.0.1             255.255.255.255    On-link    127.0.0.1       4556
127.255.255.255       255.255.255.255    On-link    127.0.0.1       4556
192.168.114.2         255.255.255.255    On-link    192.168.114.2   301
194.78.35.10          255.255.255.255    10.0.0.1   10.0.3.21       4281
224.0.0.0             240.0.0.0          On-link    127.0.0.1       4556
224.0.0.0             240.0.0.0          On-link    10.0.3.21       4536
224.0.0.0             240.0.0.0          On-link    192.168.114.2   46
255.255.255.255       255.255.255.255    On-link    127.0.0.1       4556
255.255.255.255       255.255.255.255    On-link    10.0.3.21       4536
255.255.255.255       255.255.255.255    On-link    192.168.114.2   301
===========================================================================
Persistent Routes:
None
I tried adding the 192.168.114.1/24 network to a trusted interface, but to no avail.
I can't get my head around a /32 mask, so I guess I'm missing something.
So I'm stuck. Does anyone have an idea where I went wrong?
Thanks, Patrick
M200, OS v12.5.2.B609628
W10 1909 Enterprise
Comments
Did you run the script on the client?
Configure Client Devices for Mobile VPN with IKEv2
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_client_config.html
You can turn on Logging on the Allow IKEv2-Users policy to see packets allowed by it in Traffic Monitor.
Yes I ran the script.
It should be full tunnel, but I can't reach internet either.
No packets are being logged.
Only '2020-03-03 15:19:47 sessiond IKEv2 VPN user x@Firebox-DB from [ip4] logged in assigned virtual IP is 192.168.114.3 msg_id="3E00-0002" '
Move this policy to the top of the policy list and test again
Make sure that there is no Windows software blocking this access
Aha, you are right.
I think it's Windows Defender Firewall. I can't really disable it, because the policy re-enables it after 2 seconds, but in that time some packets are listed in the traffic monitor.
OK, time to sift through those rules.
Thank you very much.
Default gateway of 0.0.0.0 is normal. That's what I'm getting too. Take a look at this article:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_internet_access.html
specifically this:
Any policy that manages traffic going out to the Internet from behind the Firebox must be configured to allow the IKEv2 user traffic.
The default Allow IKEv2-Users policy will allow access to the Internet.
The issue for the OP seems to be Windows Defender settings.
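To show why the /32 netmask and the missing default gateway in the OP's route table are not the problem (the point the last reply makes), here is an added Python example that is not part of the thread or of WatchGuard's software. It parses the IPv4 section of the `route print` output quoted above (copied into the script as sample input) and applies the Windows route-selection rule: longest matching prefix first, then lowest metric. It shows that any destination not matched by a more specific route lands on the on-link 0.0.0.0/0 route of the VPN adapter, so client-side routing already sends everything into the tunnel and the block must sit elsewhere (here, the host firewall). The classification of 194.78.35.10 as the VPN server's public address is an assumption drawn from the route shape, not stated on the page.

```python
import ipaddress

# Sample input: the IPv4 route table posted by the OP (header and separator
# lines included, exactly as Windows "route print" lays them out).
ROUTE_PRINT = """\
Network Destination   Netmask            Gateway    Interface       Metric
0.0.0.0               0.0.0.0            10.0.0.1   10.0.3.21       4280
0.0.0.0               0.0.0.0            On-link    192.168.114.2   46
10.0.0.0              255.255.252.0      On-link    10.0.3.21       4536
10.0.3.21             255.255.255.255    On-link    10.0.3.21       4536
10.0.3.255            255.255.255.255    On-link    10.0.3.21       4536
127.0.0.0             255.0.0.0          On-link    127.0.0.1       4556
127.0.0.1             255.255.255.255    On-link    127.0.0.1       4556
127.255.255.255       255.255.255.255    On-link    127.0.0.1       4556
192.168.114.2         255.255.255.255    On-link    192.168.114.2   301
194.78.35.10          255.255.255.255    10.0.0.1   10.0.3.21       4281
224.0.0.0             240.0.0.0          On-link    127.0.0.1       4556
224.0.0.0             240.0.0.0          On-link    10.0.3.21       4536
224.0.0.0             240.0.0.0          On-link    192.168.114.2   46
255.255.255.255       255.255.255.255    On-link    127.0.0.1       4556
255.255.255.255       255.255.255.255    On-link    10.0.3.21       4536
255.255.255.255       255.255.255.255    On-link    192.168.114.2   301
===========================================================================
Persistent Routes:
None
"""


def parse_route_print(text):
    """Turn the IPv4 table of 'route print' into a list of route dicts.

    Header, separator and 'Persistent Routes' lines are skipped because their
    first token does not start with a digit or they do not have five columns.
    'On-link' means the destination is reached directly on that interface, so
    the gateway is recorded as None rather than an address.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        # (address, netmask) tuples are accepted by IPv4Network; strict=False
        # tolerates host bits such as 10.0.3.21/32 written as 10.0.3.21.
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append({
            "net": net,
            "gateway": None if gateway == "On-link" else gateway,
            "iface": iface,
            "metric": int(metric),
        })
    return routes


def select_route(routes, destination):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def describe(route):
    """Human-readable one-liner for a selected route."""
    via = "on-link" if route["gateway"] is None else "via " + route["gateway"]
    return "%s %s on %s (metric %d)" % (
        route["net"], via, route["iface"], route["metric"])


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dst in ("8.8.8.8",          # any Internet host
                "192.168.114.1",    # another VPN pool address
                "10.0.3.100",       # a host on the client's own LAN
                "194.78.35.10"):    # assumed: the VPN server's public address
        print(dst, "->", describe(select_route(table, dst)))
```

Running it prints that 8.8.8.8 and 192.168.114.1 both resolve to `0.0.0.0/0 on-link on 192.168.114.2 (metric 46)`: the VPN adapter's default route beats the physical NIC's default route (metric 4280) purely on metric, which is what a full tunnel looks like on Windows, and the /32 on the adapter is irrelevant because the /0 route, not the interface mask, decides where packets go. Only the LAN prefix and the single /32 host route toward 194.78.35.10 stay on the physical path. If the routing table says a packet should enter the tunnel but Traffic Monitor never sees it, the next place to look is what drops it before it leaves the host, which is where the OP found the Defender Firewall policy.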