IPSec Mobile VPN Setup

Any advice is greatly helpful. I am learning networking here as a relative newbie with some basic experience in web development and some AWS services so this is all very new to me.

I have read all of the documentation available from watchguard on setting up an IPSEC Mobile VPN, but cannot seem to get it working. I think it has something to do with incoming traffic policies on the firewall, but even when I open all ports to all external traffic, I still am not able to connect to the VPN. I'm sure I'm just missing something silly but its really slowing my progress.

These are my Firewall Policies:

And My IPSEC Policy:

When I attempt to connect to the VPN using the WatchGuard Mobile VPN for IPSec, it just says "server unreachable"

Comments

  • Does your firewall have a public IP addr?
    If not, you probably need to enable IPSec or VPN pass through on the device in front of your firewall.

    What do you see in Traffic Monitor when this connection is tried?

    You can turn on diagnostic logging for IKE which may show something to help:
    In the Web UI: System -> Diagnostic Log -> VPN -> IKE
    Click the down arrow and select Information

  • I'm not sure how to check if my firewall has a public IP address. My assumption is that it does not. When I go to whatismyip.com (while plugged into the firewall), it shows an IP address, which is the same public IP for all devices on my network.

    Traffic Monitor is a bit of an annoyance at the moment. When I try to use it, it sometimes works, other times it just shows a black screen and logs me out of the web ui. Most often it just shows me a black screen and throws me back to the login screen.

    When it does work, I have tested and do not see any activity from the IP address I am attempting to connect from.

  • For the record, what firewall model do you have and what version of Fireware is on it?
    You can see the version on Web UI -> Dashboard -> Front Panel

    Have you registered this firewall and applied the Feature Key?

    You can see the external IP addr of your firewall on Web UI -> Dashboard -> Interfaces.

    What is your firewall external interface connected to?
    Is it an ISP device?
    Do you have config access to it?
    Brand & model info?

  • james.carson Moderator, WatchGuard Representative

    If your firewall has an external address, it'll show up on your interface details. Go to Dashboard -> Interfaces, and look for whichever interface is your external.

    (Mine is blanked out, but you should see the same IP as when you go to whatsmyIP type sites here.)

    If it's something else, there's a router in front of your firebox, and you'll need to forward traffic on that device to your firebox. IPSec uses ports 500 UDP, 4500 UDP, and ESP.

    -James Carson
    WatchGuard Customer Support

  • @Bruce_Briggs said:
    For the record, what firewall model do you have and what version of Fireware is on it?
    You can see the version on Web UI -> Dashboard -> Front Panel

    Have you registered this firewall and applied the Feature Key?

    You can see the external IP addr of your firewall on Web UI -> Dashboard -> Interfaces.

    What is your firewall external interface connected to?
    Is it an ISP device?
    Do you have config access to it?
    Brand & model info?

    It is a Firebox T20, Fireware version is 12.6.4.B635642

    It is not registered nor feature key applied, as I am using it for training. I can ask my boss for details on how to do that.

    The external IP address does not match the IP address I see on whatismyip

    I am not totally sure of the details on the connected device, I know it is a Ubiquity router, that is all.

    I have mentioned port-forwarding to my boss, he said he would port-forward for me using ports 500 & 4500 UDP, I'll update here once I've tested.

  • Many things do not work without installing a Feature Key, which requires the firewall to be registered.

  • Okay I was able to connect to the server using SSL Mobile VPN Connection with port-forwarding.

    I now need to set up the permissions for the user so that I am able to access a folder on the connected machine.

    Currently the SSL VPN Users are allowed access to any resources, but when I attempt to connect to the connected machine, the connection times out. I assume I have to do some kind of setup on the machine itself to allow network devices to access the folder...

    I also need to make the reverse possible, so that I can access a folder on the connected VPN User device.

  • What is the server type being accessed? Windows?
    If so, is this server part of a Windows domain?
    If so, is the SSLVPN client end providing domain user credentials when trying to connect?

    Check the server logs to see what the issue might be.

  • @Bruce_Briggs said:
    What is the server type being accessed? Windows?
    If so, is this server part of a Windows domain?
    If so, is the SSLVPN client end providing domain user credentials when trying to connect?

    Check the server logs to see what the issue might be.

    Currently there is no actual server connected to it, just a Windows desktop running Windows 11 Home. It is not part of a Windows domain.

  • So you are asking about connecting to the SSLVPN client machine when there is a connection to your main site?

  • edited February 7

    I think so? I'm sorry I'm fairly new to networking and still getting a grasp of things.

    Essentially what I need to do is be able to:
    1. Connect to the VPN (done)
    2. Access a specific folder on a windows desktop computer which is connected to a non-VLAN port on the network, while connected to the SSLVPN from a different machine on a different network. (so VPN client connects to non-vpn device, and accesses a folder on the device)

    I've looked around the knowledgebase and I cannot find anything specifically mentioning how to do this.

  • You need to set up a Windows share for the desired folder on that PC.
    Then it can be accessed from other PCs, including from a remote SSLVPN client.

    Once the share is set up, you can test the access from some other PC on the same network.

    File sharing over a network in Windows
    https://support.microsoft.com/en-us/windows/file-sharing-over-a-network-in-windows-b58704b2-f53a-4b82-7bc1-80f9994725bf

  • Yes, I have the folder set up to be shared with the network.

    When I attempt to connect to the computer, however, it does not work. I'm not sure if I'm using the right IP address. I assume it is the private IP address for the device on the network (in this case 10.0.10.2), and to get to the specified folder on the root of my C drive, it should just be 10.0.10.2/{insertfoldername} right?

  • Are you doing a Windows Map Network Drive?

    The format is:
    \\IP addr\share name

  • You can test this from the office PC

  • edited February 7

    I have figured out the connection problem, the computer was not sharing itself with the network, it was treating the network like a public network.

    I'm able to connect to the computer now, but it is asking for an additional windows user login. Obviously this is fine for me to use as I know the login, but the idea is for anyone to be able to connect. I have the folder set to be shared with everyone having read access.

    Is there a way to bypass or I guess really DISABLE the login when connecting to the shared folder? I am already connected via the VPN authentication, but it is requiring an additional login (Windows user) to actually connect to the specified folder.

    Also, if I attempt to connect with the watchguard Mobile VPN SSL Client, I am unable to connect successfully, however if I import the .ovpn file into openvpn, I am able to connect with no issues.

  • Thank you so much for your help.

    I had this working yesterday, but when I came into the office today, I attempted to connect again to the folder on my computer and was unable to access it. When I'm plugged in to the host machine, I cannot see any other network devices, even though I am positive that it is set up to view and share on the network.

    Currently the only device I have to test the connection with is an iMac connected to my phone's mobile hotspot, that way it is not on the same network, thus requiring the VPN connection.

    When I connect to the VPN, the connection works as expected. Then I right-click on finder, select "Connect to a Server" and input the private IPV4 of the host computer (10.0.10.2). This was working fine yesterday, and allowed me to access the shared folders. But today when I attempt to connect to a server, it says "the server may not exist or it is unavailable at this time"

    This seems like a network discoverability issue, but I've checked both the host and the client machine and both are discoverable on the network.

  • Discovery works based on broadcast packets.
    Broadcast packets don't normally cross routed interfaces such as from a client VPN connection to a LAN interface or from 1 LAN interface to another.
    So this is why you don't see results in Finder type apps.
    However, I would expect that entering an IP addr would work.

    Can you ping the computer IP addr? If not, then perhaps the computer is offline.
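As an added example (not code from this thread, from WatchGuard, or from any of the posters), the two diagnostic points made above can be turned into a small Python helper: James Carson's check that the address on the Firebox external interface matches the address an outside site reports (and, if not, that UDP 500, UDP 4500 and ESP must be forwarded to the Firebox), and Bruce Briggs' point that broadcast-based discovery cannot cross the routed hop from a VPN client into the LAN, while addressing the host by IP should still work. The function names, the RFC 1918 range list and all sample addresses except 10.0.10.2 are this example's own assumptions.

```python
import ipaddress

# IPSec traffic that a router in front of the Firebox must forward to it:
# UDP 500 (IKE), UDP 4500 (NAT-T) and ESP, which is IP protocol 50, not a port.
# The protocols come from the thread; the tuple layout is this example's own.
IPSEC_FORWARDS = (("udp", 500), ("udp", 4500), ("esp", 50))

# Address ranges that can only ever sit behind NAT (RFC 1918 plus the CGNAT block).
# Assumption of this example; Python's is_private is deliberately not used because
# it also flags documentation ranges such as 203.0.113.0/24.
NAT_ONLY_RANGES = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
)


def is_nat_only(ip):
    """True if the address belongs to a range that is never routed on the Internet."""
    return any(ip in net for net in NAT_ONLY_RANGES)


def nat_status(external_iface_ip, observed_public_ip):
    """Decide whether another router sits in front of the firewall.

    Compares the address on the Firebox external interface (Dashboard -> Interfaces)
    with the address an outside service such as whatismyip reports. A NAT-only
    interface address, or any mismatch between the two, means the Firebox is behind
    another device and the IPSec ports/protocol must be forwarded to it.
    """
    ext = ipaddress.ip_address(external_iface_ip)
    pub = ipaddress.ip_address(observed_public_ip)
    behind_nat = is_nat_only(ext) or ext != pub
    return {
        "behind_nat": behind_nat,
        "forward_to_firewall": list(IPSEC_FORWARDS) if behind_nat else [],
    }


def same_broadcast_domain(host_a, host_b, lan_network):
    """True only when both hosts sit in the same LAN subnet.

    Broadcast-based discovery (Finder's network browser, Windows network
    neighbourhood) depends on broadcasts, which do not cross a routed hop such as
    a VPN client network or a second LAN interface.
    """
    net = ipaddress.ip_network(lan_network, strict=False)
    return ipaddress.ip_address(host_a) in net and ipaddress.ip_address(host_b) in net


def share_access_plan(client_ip, lan_host_ip, lan_network, share_name):
    """Summarise what a remote VPN client can expect when reaching a Windows share."""
    discoverable = same_broadcast_domain(client_ip, lan_host_ip, lan_network)
    return {
        # Browsing will not list the host from a routed VPN client...
        "browse_discovery_expected": discoverable,
        # ...but addressing it directly by IP in UNC form (\\host\share) still works.
        "unc_path": "\\\\" + lan_host_ip + "\\" + share_name,
        # If even this fails, first confirm the host is up and reachable.
        "first_check": "ping " + lan_host_ip,
    }


if __name__ == "__main__":
    # Constructed sample values: 203.0.113.10 is a documentation-range address
    # standing in for what whatismyip reports, 192.168.1.2 a Firebox external
    # interface behind an office router, 192.168.113.5 an SSL VPN client address,
    # and 10.0.10.2 the shared Windows desktop mentioned in the thread.
    print(nat_status("192.168.1.2", "203.0.113.10"))
    print(nat_status("203.0.113.10", "203.0.113.10"))
    print(share_access_plan("192.168.113.5", "10.0.10.2", "10.0.10.0/24", "Shared"))
```

Feeding in the two addresses the thread asked about (the external interface address from Dashboard -> Interfaces and the one reported by whatismyip) gives the forwarding list when they differ; the share plan explains why the host vanishes from Finder's browse list over the VPN yet still answers at `\\10.0.10.2\Shared`, and points at ping as the first check when even that fails.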
