How to reach Mobile IKEv2 Users from internal Network

I managed to enable Mobile VPN via IKEv2 with RADIUS authentication.
Mobile users can connect and have access to the internal resources and the Internet through the VPN.
The problem is that from the internal networks I can't reach the clients.
I'm not able to ping the clients from the Firebox in the Diagnostics menu.

For every client there is automatically a route added with the external interface and the external address as gateway. I think that is the problem, but I don't know how to avoid it, or which configuration to change.
Any ideas?

Thank you!

Comments

  • edited March 2020

    There was a similar question about the ability to ping etc. SSLVPN clients.
    I disabled the software firewall on my PC and then I was able to ping my SSLVPN connection from the firewall.
    Perhaps the same will be true for IKEv2.
    If so, then look at allowing access via the PC's firewall for the desired connection from the firewall network(s).

  • james.carson Moderator, WatchGuard Representative

    @indyjones

    This is going to depend on where the traffic is being stopped.

    If the traffic is being denied on the firewall itself, you may need to make a rule on the firewall to allow it. You should see red deny messages in traffic monitor if that's the case.

    If it's being blocked on the PC itself, you'll need to determine what is blocking it, and allow it. This can be software firewall products, anti-virus, Windows Firewall, and even group policy.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Thank you for your answers!
    The traffic is somehow blocked on the firewall. The clients answer to ping if they are in another network.
    Nevertheless, I tried disabling the local firewall; it made no difference.
    In the traffic monitor I get no deny messages.
    I tried to add a policy which enables the traffic from my internal network to the network of the clients; no difference either.

    Any other ideas?

  • With Windows Defender off, I get this:

    PING 192.168.114.1 (192.168.114.1) from 10.0.1.1 eth1: 56(84) bytes of data.
    64 bytes from 192.168.114.1: icmp_seq=1 ttl=128 time=3.78 ms
    64 bytes from 192.168.114.1: icmp_seq=2 ttl=128 time=3.42 ms
    64 bytes from 192.168.114.1: icmp_seq=3 ttl=128 time=3.45 ms
    64 bytes from 192.168.114.1: icmp_seq=4 ttl=128 time=3.40 ms
    64 bytes from 192.168.114.1: icmp_seq=5 ttl=128 time=3.58 ms

    In my test, I used Diagnostic Task: Ping, Advanced options with this:
    192.168.114.1 -I eth1

  • Via Windows CMD from Client (10.36.10.14) to Firewall (192.168.200.254):

    C:\Windows\system32>ping 192.168.200.254
    Ping wird ausgeführt für 192.168.200.254 mit 32 Bytes Daten:
    Antwort von 192.168.200.254: Bytes=32 Zeit=119ms TTL=64
    Antwort von 192.168.200.254: Bytes=32 Zeit=30ms TTL=64
    Antwort von 192.168.200.254: Bytes=32 Zeit=36ms TTL=64
    Antwort von 192.168.200.254: Bytes=32 Zeit=27ms TTL=64

    Via Diagnostic Task from Firewall (192.168.200.254) to Client (10.36.10.14):
    PING 10.36.10.14 (10.36.10.14) 56(84) bytes of data.

    --- 10.36.10.14 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2000ms

  • james.carson Moderator, WatchGuard Representative

    Hi @indyjones
    Bruce is making the ping from the firewall -- you're doing it from a client on your network.

    Try making a firewall rule using an any packet filter.
    From: Any-Trusted, or your test computer
    To: Network IPv4, 192.168.200.0/24

    With this in place can you ping the client?

    -James Carson
    WatchGuard Customer Support

  • In fact I tried both ways. The client (connected via Mobile VPN with IKEv2) can ping the firewall (and any other host in the internal network behind the firewall).

    When I try to ping the client from the firewall, that's what's not working.

    I tried making a rule with an any packet filter from network 192.168.200.0/24 to network 10.36.10.0/24. But even that changed nothing.

  • If you're using the native client in Windows for your IKEv2 users and manage your own DNS server go to properties of the WAN miniport network adapter, networking tab, properties of TCP/IP v4, click the advanced button then the DNS tab. Check the box to register the connection in DNS. In your managed DNS server create a reverse lookup zone for the IP subnet you're assigning the IKEv2 clients.

  • One thing I failed to mention is to create an any packet filter policy from Any to your IKEv2 Users group. Put the policy right after the policy that was auto created when you configured IKEv2.

  • Thanks for the answer. Tried that. No change.
    Meanwhile I opened a support case with WatchGuard for this issue.
    Will let you know the solution.

  • Solution from support: "For the policy you created to access Ikev2-Users, can you go in the advanced tab of the policy and disable Dynamic NAT?"

    I did that and now it works.
    Thank you all.
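To see why both points raised in this thread matter (the Any policy placed right after the auto-created IKEv2 policy, and Dynamic NAT disabled on it), here is an added example in Python that is not WatchGuard code or anything from this thread's participants. It is a constructed first-match policy model: the policy name "Allow-IKEv2-Users", the aliases, and the external address 203.0.113.1 are assumptions; Dynamic NAT is modelled generically as rewriting the source address to the egress interface address, which here is the external interface because of the per-client routes described in the question.

```python
import ipaddress

# Constructed aliases using the addresses quoted in the thread (added example).
ALIASES = {
    "Any": ["0.0.0.0/0"],
    "Any-Trusted": ["192.168.200.0/24"],
    "IKEv2-Users": ["10.36.10.0/24"],
}
EXTERNAL_IP = "203.0.113.1"  # assumed placeholder for the external interface


def policy(name, src, dst, dynamic_nat):
    return {"name": name, "src": src, "dst": dst, "dynamic_nat": dynamic_nat}


def matches(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ALIASES[alias])


def evaluate(src, dst, policies):
    """First matching policy wins. Returns (policy name, source address the
    client sees) or (None, None) when nothing matches, i.e. the packet is denied."""
    for p in policies:
        if matches(src, p["src"]) and matches(dst, p["dst"]):
            # Dynamic NAT rewrites the source to the egress interface address;
            # the VPN clients are routed via the external interface here.
            return p["name"], (EXTERNAL_IP if p["dynamic_nat"] else src)
    return None, None


def audit(policies):
    """Report the two misconfigurations this thread ends up fixing."""
    problems = []
    names = [p["name"] for p in policies]
    for p in policies:
        if p["dst"] == "IKEv2-Users" and p["dynamic_nat"]:
            problems.append(f"{p['name']}: Dynamic NAT enabled towards IKEv2-Users")
    if "Allow-IKEv2-Users" in names and "Any-to-IKEv2-Users" in names:
        if names.index("Any-to-IKEv2-Users") != names.index("Allow-IKEv2-Users") + 1:
            problems.append("Any-to-IKEv2-Users should directly follow Allow-IKEv2-Users")
    return problems


# Assumed name for the auto-created policy, then the manually added Any policy.
BEFORE = [policy("Allow-IKEv2-Users", "IKEv2-Users", "Any", False)]
BROKEN = BEFORE + [policy("Any-to-IKEv2-Users", "Any-Trusted", "IKEv2-Users", True)]
FIXED = BEFORE + [policy("Any-to-IKEv2-Users", "Any-Trusted", "IKEv2-Users", False)]
```

Running `evaluate("192.168.200.254", "10.36.10.14", ...)` against the three tables shows the ping from the firewall's trusted side being denied, then source-translated to the external address, then forwarded untouched only with the corrected policy.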
