How to reach Mobile IKEv2 Users from internal Network

I managed to enable Mobile VPN via IKEv2 with RADIUS Authentication.
Mobile users can connect and have access to the internal resources and the Internet through the VPN.
The problem is, from the internal networks I can't reach the clients.
I'm not able to ping the clients from the Firebox in the Diagnostics menu.

For every client there is automatically a route added with the external interface and the external address as gateway. I think that is the problem, but I don't know how to avoid it, or which configuration to change.
Any ideas?

Thank you!


  • Options
    edited March 2020

    There was a similar question about the ability to ping etc. SSLVPN clients.
    I disabled the software firewall on my PC and then I was able to ping my SSLVPN connection from the firewall.
    Perhaps the same will be true for IKEv2.
    If so, then look at allowing access via the PC's firewall for the desired connection from the firewall network(s).

  • Options
    james.carson Moderator, WatchGuard Representative


    This is going to depend on where the traffic is being stopped.

    If the traffic is being denied on the firewall itself, you may need to make a rule on the firewall to allow it. You should see red deny messages in traffic monitor if that's the case.

    If it's being blocked on the PC itself, you'll need to determine what is blocking it, and allow it. This can be software firewall products, anti-virus, Windows Firewall, and even group policy.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Options

    Thank you for your answers!
    The traffic is somehow blocked on the firewall. The clients answer to ping if they are in another network.
    Nevertheless I tried disabling the local firewall - made no difference.
    In the traffic monitor i get no deny messages.
    I tried to add a policy which enables the traffic from my internal network to the network of the clients - no difference too.

    Any other ideas?

  • Options

    With Windows Defender off, I get this:

    PING ( from eth1: 56(84) bytes of data.
    64 bytes from icmp_seq=1 ttl=128 time=3.78 ms
    64 bytes from icmp_seq=2 ttl=128 time=3.42 ms
    64 bytes from icmp_seq=3 ttl=128 time=3.45 ms
    64 bytes from icmp_seq=4 ttl=128 time=3.40 ms
    64 bytes from icmp_seq=5 ttl=128 time=3.58 ms

    In my test, I used Diagnostic Task: Ping, Advanced options with this: -I eth1

  • Options

    Via Windows CMD from Client ( to Firewall (

    Ping wird ausgeführt für mit 32 Bytes Daten:
    Antwort von Bytes=32 Zeit=119ms TTL=64
    Antwort von Bytes=32 Zeit=30ms TTL=64
    Antwort von Bytes=32 Zeit=36ms TTL=64
    Antwort von Bytes=32 Zeit=27ms TTL=64

    Via Diagnostic Task from Firewall ( to Client (
    PING ( 56(84) bytes of data.

    --- ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2000ms

  • Options
    james.carson Moderator, WatchGuard Representative

    Hi @indyjones
    Bruce is making the ping from the firewall -- you're doing it from a client on your network.

    Try making a firewall rule using an any packet filter.
    From: Any-Trusted, or your test computer
    To: Network IPv4,

    With this in place can you ping the client?

    -James Carson
    WatchGuard Customer Support

  • Options

    In fact I tried both ways. The client (connected via Mobile VPN with IKEv2) can ping the firewall (and any other host in the internal network from the firewall).

    When I try to ping the client from the firewall, that's what's not working.

    I tried making a rule with an any packet filter from Network to network, but even that changed nothing.

  • Options

    If you're using the native client in Windows for your IKEv2 users and manage your own DNS server go to properties of the WAN miniport network adapter, networking tab, properties of TCP/IP v4, click the advanced button then the DNS tab. Check the box to register the connection in DNS. In your managed DNS server create a reverse lookup zone for the IP subnet you're assigning the IKEv2 clients.

  • Options

    One thing I failed to mention is to create an any packet filter policy from Any to your IKEv2 Users group. Put the policy right after the policy that was auto created when you configured IKEv2.

  • Options

    Thanks for the answer. Tried that. No change.
    Meanwhile I opened a support case with WatchGuard for this issue.
    Will let you know the solution.

  • Options

    Solution from support: "For the policy you created to access Ikev2-Users, can you go in the advanced tab of the policy and disable Dynamic NAT?"

    I did that and now it works.
    Thank you all.
