IKEv2 Mobile VPN - VPN User to Internal connections are OK, Internal to user are not

When a user is connected to our LAN via Mobile VPN using IKEv2, they can access all internal resources just fine, however internal servers cannot ping that user by IP and cannot access any resources on the user's computer. This isn't a problem with SSL VPN, however SSL is at least 2-4x slower than IKEv2. It doesn't look like there are any firewall policies having a negative effect here, and I've tried the policy checker and it agrees. I also have the firewall disabled on the (Windows) client PC. Any ideas?

Comments

  • Make sure that your ping policy allows access To: IKEv2-Users

    To get a response to a ping from my firewall, I needed to disable my Windows 10 Windows Defender firewall.
    I did not bother to find out what changes were needed to my Windows Defender settings to allow access without disabling it.

  • Yeah, our ping policy is the Watchguard default, which allows To: Any. The client I'm testing with presently is able to get pings over the SSL VPN and has Windows Firewall completely disabled. I've also tried just opening the ports we need on Windows Firewall and leaving it enabled but that didn't work either.

  • No idea why ping works for me and not for you.
    I'm doing the ping from my firewall using WSM Firebox System Manager -> Diagnostic tasks -> Ping

    re. SSLVPN speed - review this video
    Optimize Mobile VPN with SSL
    https://watchguard.us13.list-manage.com/track/click?u=1bcb692e17a1463ca874e0ce2&id=17a9d1168a&e=cae878f58b

  • edited April 2020

    Not that it helps your issue, I added a Windows Defender rule which allows access from my firewall, by following this example.
    No need to disable Windows Defender any more for testing.

    How to Add IP Address in Windows Firewall
    https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

  • Any Resolution on this? Im having similar problem. Mobile IKEv2 User logs in, Can access network no problem, can RDP in can ping inside no problem. Inside network cannot ping Mobile VPN User. Ping is opened up to Any Any. MVPN User gets one of the pool IPs 192.168.114.1. Cannot ping this address not even from Diagnostic Tasks! Any help would be appreciated.

  • edited May 2020

    I've been looking into the same issue. IKEv2 External User -> Internal works, Internal -> IKEv2 External User does not.

    I ran a packet capture on the External IKEv2 client machine and found that ping requests from an internal node were in fact reaching the external machine, BUT, the external machine was responding to the ping at the external interface IP of the firewall, not the internal IP address of the node that sent the ping.

    So there's the problem as I see it. How to solve? I suspect this has something to do with the NAT config.

  • Just figured it out. Disable Dynamic NAT on whatever policy you created to allow traffic back up the tunnel. Pings work now, and I was able to connect to a share on the IKEv2 user's machine.

  • What Dynamic NAT entry was causing your issue?
    I would not expect the default NAT -> Dynamic NAT entries to do anything to prevent this access, and thus I would not expect unselecting the Dynamic NAT option on a policy to help .

  • No, Bruce_Briggs, it did not help. When IKEv2 users / Service was enabled. It creates an auto policy called " Allow IKEv2-Users " In there under Advanced tab is the 1-to-1 NAT / Dynamic NAT settings. I tried all combos nothing working. Can still only ping from MVPN user into network, cannot ping from trusted network to MVPN User. This is a real brain teaser!

  • edited May 2020

    Advanced tab is the 1-to-1 NAT / Dynamic NAT settings are for outgoing packets, normally to the Internet.

    Hopefully @TerryH will post the Dynamic NAT entry that was changed

    @NetworkNinja - have you verified that the remote client firewall is not the issue?

  • @Bruce_Briggs Yes I have. I have all firewalls off, even windows own fire wall. Weird thing is, when I enable the SSL MVPN Account / settings and use the Watchguard SSL Application it seems to work ok.... Kind of want he IKEv2 to work though.

  • Any new on this I have same problem with IKEv2 VPN.
    Remote AD Domain joined laptops connecting in can access all internal resources.
    I cannot access, ping or AD manage the remote laptops while on IKEv2 VPN.
    All works well both ways using IPSEC and SSL VPN Clients.
    Wireshark on remote Laptops not showing any inbound created connection traffic coming from Internal central network.

  • Solved from a post by @indyjones "How to reach Mobile IKEv2 Users from internal Network" on March 23rd.
    The problem is NAT being applied.
    Add an "any" rule for your "Trusted internal network" --> "Network in IKev2 config"
    Solution from support: "For the policy you created to access Ikev2-Users, can you go in the advanced tab of the policy and disable Dynamic NAT"

  • Just want to Bump this post one more time. If @KerryB or @indyjones or @Bruce_Briggs have any other successes? I have a new customer now and I have 5 BOVPNs all set up and can route to eachother. The minute i add an IKEV2 Mobile VPN user and try to access something through the BOVPN, it does not work. Locally to the Box im VPN'd to all resources are available. If I hardwire myself into the Trusted side of that WG i can access all resources through the BOVPNs. Just when its a MVPN IKEv2 user Im stuck at the site im connected to. I have tried the Removing the Dynamic NAT all that does is disable my outbound traffic, Internet access is cut off. Still have local resources. Help would be apricated. Thanks!

  • Is the IKEv2 subnet included in the BOVPN Tunnel settings?

  • @Bruce_Briggs GO IT! Ok so with this customers network I decided to try Virtual BOVPNS, I must say way nicer than the other way I did it. Setting up Gateway then the tunnels. THis is all in one section!!

    I added the Virtual IP WG sets (192.168.114.0/24) for IKEv2 MOVPN Users and added it to the VPN Routes section under the BOVPN Virtual interface settings.
    So My MVPN Users will remote into SITE 1. Site 1 assigns the MVPN User 192.168.114.xxx address. In all the other sites I add that network to the BOVPNVirtual interface routes. Now the remote sites know how to talk to 192.168.114.0/24 network.

    Some things so simple.... just had to sit back and look at it from the outside not the inside of the network!

    THanks for all the responses people!

  • edited January 2021

    I had a ticket open for this issue back in May 2019.

    A WatchGuard Support Engineer got in touch with me after a long back and forth of troubleshooting.
    At the time we figured that VPN traffic didn't follow the same rules as the local adapters do.
    On my 3 Windows 10 IKEv2 setups I enabled logging for all allowed connections through the VPN and nothing showed up at all. We left it at a Windows bug and moved back to L2TP.

    I just found this post and especially @KerryB post about it being solved from a post by @indyjones.

    I can confirm that the problem is fixed by disabling Dynamic NAT on the internal IKEv2 policy. Not a Windows 10 bug after all.

    PS: Hi @Bruce_Briggs !

  • I "fixed" it for specific hosts in Trusted by adding an IP for them in the 1 to 1 NAT. I will prefer the disable DNAT outbound approach if I can get that to work. Thanks!

Sign In to comment.