Lock down IKEv2 VPN by only allowing only certain IPs to connect

I would like to lock down my IKEv2 VPN connections so only certain IPs can connect. We have users who are at home and although there IPs could change it happens very rarely. I don't see any options for this like every other policy in WatchGuard system manager, am I able to do it?
Thanks for your help


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Kucster

    All IKE/IPSec traffic is governed by a hidden rule. You can turn it off and create your own rule, but you must account for any IPSec connection (including site to site/Branch Office VPNs.)

    (jump down to the section labeled "Disable or Enable the Built-in IPSec Policy"

    Once that built in rule is disabled, you can make a rule
    -Create a new policy.
    -Use a packet filter, there should be a predefined one called "IPSec" in the packet filter list with the ports you'll need.
    -Make the FROM field the IPS you want to allow IPSec traffic from.
    -Make the TO field "Firebox."

    If you make this change, you will need to update the FROM list every time you need to allow a new IP. Residential ISPs are usually DHCP based so this may happen frequently.

    -James Carson
    WatchGuard Customer Support

  • Options

    Thank you, that is exactly what I'm looking for, are there any docs on how to also add a policy for BOVPN?

  • Options

    Add the IP addr(s) or domain names of the remote BOVPN endpoint to the above IPSec policy

  • Options

    Thank you for your help, just the info I was looking for

Sign In to comment.