IKEv2 does not work properly from home networks

Hello all,

I have a problem where I just can't figure it out.

We have an M270 firewall cluster (v12.8.1), IKEv2 in the default configuration with a RADIUS connection. All clients are Windows 10 Pro clients (Lenovo Thinkpads).

Before we roll out the protocol in the company, we wanted to do some testing first. The funny thing is that there was a problem establishing a VPN connection from the home office, for example; after analysis with Wireshark it was noticed that the authentication at the firewall fails. After some research I came across a KB article which said that the packet size is possibly too large due to the hash value of the Windows certificate store, which is why I deleted a few expired certificates from the Trusted Store. After that the login went without problems.

However, internal services like Active Directory and their network drives are accessible, but web services, internal as well as external, are not. The loading times are enormous; mostly they do not load at all. The problem exists with both a wired and a wireless connection in the home network.

The problem does not occur with a mobile hotspot, everything is performant. I also tested the same with an LTE router.

Unfortunately, at the moment I have no idea what to do to solve the problem. Do any of you have any idea to debug further?

Thanks in advance.

Best Answer

  • edited November 2022 Answer ✓

    Sounds like a potential issue with the home ISP. Have you tried SSL VPN to see if that's handled better? Some ISPs filter VPN traffic a lot unless it is SSL-VPN since that usually operates over 443.

    It may also be good to run a Wireshark packet capture from the computer when the traffic is misbehaving on the client network so you can see exactly what the packets are doing.

Answers

  • @Tristan.Colo said:

    Sounds like a potential issue with the home ISP. Have you tried SSL VPN to see if that's handled better? Some ISPs filter VPN traffic a lot unless it is SSL-VPN since that usually operates over 443.

    It may also be good to run a Wireshark packet capture from the computer when the traffic is misbehaving on the client network so you can see exactly what the packets are doing.

    SSL VPN works perfectly. The problem is the bandwidth, which is very low.

    I have already considered the problem with the ISP. Most of the time DS-Lite or Dual Stack is used. Among other things, this is probably the reason.

    According to my ISP, you should switch to IPv6, but as far as I know this is not yet supported by WatchGuard.
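
The DS-Lite remark above and the capture suggestion in the accepted answer point at the same first check: DS-Lite adds a 40-byte IPv6 header around every IPv4 packet, so a full-size ESP packet that fit a plain 1500-byte uplink may no longer fit, which would match small AD traffic working while large web responses stall. The script below is an added example, not code from the thread or from WatchGuard; the ESP overhead figures are assumptions for AES-CBC/SHA1 and AES-GCM, and the tshark export it reads is constructed.

```python
"""Path-MTU check for an IPsec tunnel over a DS-Lite home uplink.

Added example: works out how much payload survives the encapsulation stack and
tallies a client-side capture export for the signature of a PMTU black hole
(oversized outer packets leaving, no ICMP "fragmentation needed" coming back).
"""
from typing import Dict, Iterable

ETHERNET_MTU = 1500
IPV6_HEADER = 40        # DS-Lite wraps every IPv4 packet in IPv6 (RFC 6333)
IPV4_HEADER = 20
UDP_HEADER = 8          # NAT-T: ESP travels in UDP/4500 from behind a home NAT
TCP_HEADER = 20
ESP_OVERHEAD_CBC = 53   # assumed worst case: SPI+seq 8, IV 16, pad 15, trailer 2, SHA1-96 ICV 12
ESP_OVERHEAD_GCM = 37   # assumed: SPI+seq 8, IV 8, pad 3, trailer 2, 16-byte ICV


def tunnel_budget(esp_overhead: int = ESP_OVERHEAD_CBC, link_mtu: int = ETHERNET_MTU) -> Dict[str, int]:
    """Largest unfragmented size at each layer, and the TCP MSS to clamp to."""
    outer_ipv4_mtu = link_mtu - IPV6_HEADER
    inner_ip_mtu = outer_ipv4_mtu - IPV4_HEADER - UDP_HEADER - esp_overhead
    return {"outer_ipv4_mtu": outer_ipv4_mtu,
            "inner_ip_mtu": inner_ip_mtu,
            "tcp_mss": inner_ip_mtu - IPV4_HEADER - TCP_HEADER}


def scan_capture(lines: Iterable[str], outer_ipv4_mtu: int) -> Dict[str, int]:
    """Tally a tshark export with fields ip.len, ip.flags.df, icmp.type, icmp.code (tab-separated)."""
    report = {"oversized": 0, "oversized_df": 0, "frag_needed": 0, "black_hole_suspected": 0}
    for line in lines:
        f = (line.rstrip("\n").split("\t") + [""] * 4)[:4]
        if not f[0].isdigit():
            continue                                # header row or malformed line
        if int(f[0]) > outer_ipv4_mtu:
            report["oversized"] += 1
            report["oversized_df"] += f[1] in ("1", "True")
        if f[2] == "3" and f[3] == "4":             # ICMP unreachable / fragmentation needed
            report["frag_needed"] += 1
    report["black_hole_suspected"] = int(report["oversized"] > 0 and report["frag_needed"] == 0)
    return report


# Constructed export: three full-size ESP-in-UDP packets leaving the client, one small one,
# and no ICMP type 3 code 4 answering them.
SAMPLE_EXPORT = "ip.len\tip.flags.df\ticmp.type\ticmp.code\n1480\t1\t\t\n1480\t1\t\t\n96\t1\t\t\n1480\t1\t\t\n"

if __name__ == "__main__":
    budget = tunnel_budget()
    print(budget, scan_capture(SAMPLE_EXPORT.splitlines(), budget["outer_ipv4_mtu"]))
```

If the tally shows oversized packets and no fragmentation-needed replies, clamping the tunnel MSS to the computed value (or lowering the VPN adapter MTU) is the usual fix to try before blaming the ISP.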

  • You can improve SSLVPN speed somewhat by using UDP instead of TCP on the Data Channel setting.
    For example, I use UDP port 553.
    Note that when you use a non-standard port for SSLVPN, you need to add the port number after the IP address or DNS name.
    Example: 123.123.123.123:553
