Firewall rules for IKEv2 and Authpoint

Hello everyone. I've got a T80 on 12.11.2 that was using the SSL mobile VPN client. I've just enabled IKEv2 mobile VPN and tied it into AuthPoint for MFA on the connections, which is intended to replace SSL. Authentication via AuthPoint is working fine; I'm able to connect to the VPN server (Firebox) and work with the Firebox itself, but I'm unable to talk to anything on the internal trusted network from the outside using this connection method.

The existing SSL client VPN is fine, and to make things more interesting, if I connect using IKEv2 but authenticate against Firebox-DB instead of AuthPoint, everything is fine. The Firebox is behaving like it doesn't recognize AuthPoint users as members of the IKEv2-Users group or the IKEv2-VPN-AuthPoint-Users group, which is the group defined in AuthPoint and mirrored on the Firebox.

Anyone have any ideas what I'm missing in the firewall conditions to have the Firebox recognize an AuthPoint user coming in over IKEv2?

Comments

  • Ok, very unexpected solution. While investigating some of the VPN client parameters (trying to have it prompt for username & PW with every connection) I found something weird in the AddVPN.ps1 script: it had the parameter -DestinationPrefix 192.168.2.1/32, which is odd as the subnet we're connecting to is a /24. I updated that to 192.168.2.0/24 and now everything is behaving as expected. No idea where it got /32 from.
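    The comment above pins the problem on the split-tunnel route the Windows client script installs: a /32 covers only the Firebox's internal address, so the rest of the trusted /24 is never sent through the tunnel, which explains why the Firebox itself was reachable but nothing behind it was. The following PowerShell is an added example, not WatchGuard's AddVPN.ps1, written to show how the built-in VpnClient cmdlets build such a profile, replace a host-only route with the full subnet, and check the result. The profile name "Office-IKEv2" and server "vpn.example.com" are assumptions; 192.168.2.0/24 is the subnet named in the comment.

```powershell
# Added example (not WatchGuard's AddVPN.ps1). Assumed values:
#   profile name 'Office-IKEv2', Firebox external name 'vpn.example.com'.
#   192.168.2.0/24 is the trusted subnet from the post above.
$Name    = 'Office-IKEv2'
$Server  = 'vpn.example.com'
$Trusted = '192.168.2.0/24'

# Create (or recreate, via -Force) the IKEv2 profile.
# -SplitTunneling means ONLY prefixes added with Add-VpnConnectionRoute
#   go through the tunnel, so a wrong prefix silently cuts off the LAN.
# -RememberCredential $false makes Windows prompt for user/password on
#   every connect, which is the behaviour the comment was trying to get.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required `
    -SplitTunneling -RememberCredential $false -Force

# Drop any route that is not the whole trusted subnet (e.g. a stray /32
# that only reaches the gateway address), then add the /24.
$routes = (Get-VpnConnection -Name $Name).Routes
foreach ($r in $routes) {
    if ($r.DestinationPrefix -ne $Trusted) {
        Remove-VpnConnectionRoute -ConnectionName $Name `
            -DestinationPrefix $r.DestinationPrefix
    }
}
Add-VpnConnectionRoute -ConnectionName $Name -DestinationPrefix $Trusted -PassThru

# Sanity check: a /32 on a split-tunnel profile is the symptom described
# in the post, so warn if one is still attached to the profile.
$hostOnly = (Get-VpnConnection -Name $Name).Routes |
    Where-Object { $_.DestinationPrefix -match '/32$' }
if ($hostOnly) {
    Write-Warning ("Host-only route(s) still present: " +
        ($hostOnly.DestinationPrefix -join ', '))
} else {
    Write-Host "Tunnel routes for ${Name}:"
    (Get-VpnConnection -Name $Name).Routes | Format-Table DestinationPrefix, RouteMetric
}
```

    After connecting (rasdial or the Windows VPN UI), `Get-NetRoute -DestinationPrefix 192.168.2.0/24` should show the prefix bound to the VPN interface; if only a /32 appears there, the profile is still carrying the host route and internal hosts other than the Firebox will not be reachable.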

  • james.carson Moderator, WatchGuard Representative

    Hi @jostafew_jet
    If you'd like to know more, we'd need to look at the firewall config to figure out where it derived that route from. If you'd like us to look into it, please create a support case. If you have either available, please include the config at the time it generated that issue, or if it's still configured that way, please enable support access. The technician assigned to the case can help get those with you.

    -James Carson
    WatchGuard Customer Support
