IKEv2 Mobile VPN connection from Intune drops when data is transferred

Hello!

We have a strange problem: We deploy IKEv2 VPN connections to Windows clients via Intune. This works perfectly fine!

The users can connect and work via RDP etc. But as soon as they transfer larger files, the VPN connection drops suddenly and they have to reconnect.

In the log of the firewall we find entries like this:

drop the received IKEv2 message from aaa.bbb.ccc.ddd:1040 - reason="no IkeV2SA is found"

The problem happens also internally if I'm in an optional network (guest wifi) and connect via VPN to the trusted network.

Interestingly: When we deploy the same connection via PowerShell it works perfectly!

Does anybody know which Intune settings can cause this "no IkeV2SA is found" problem?

I can't find anything on the net.

Thanks

Axel

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @kraeg
    It sounds like there's a mismatch between the SA time the firewall expects and what the VPN client uses when applied this way.

    If it's working via the PowerShell script, I'd suggest checking that the settings Intune pushes out are up to date and match what is in the PowerShell script.

    Windows doesn't give you a great way to view what the proposals are for phase 1 and 2 (including the SA (security association) lifetime), so it's likely easiest to compare with what Intune is pushing out.

    If you continue to run into issues with this, I'd suggest opening a support case.

    -James Carson
    WatchGuard Customer Support

  • Hi

    I have compared the settings with this script https://github.com/richardhicks/aovpn/blob/master/Show-VpnConnectionIPsecConfiguration.ps1

    via PowerShell I have:

    AuthenticationTransformConstants : SHA256128
    CipherTransformConstants : AES256
    DHGroup : Group14
    IntegrityCheckMethod : SHA256
    PfsGroup : None
    EncryptionMethod : AES256

    via Intune:

    AuthenticationTransformConstants : SHA256128
    CipherTransformConstants : AES256
    DHGroup : Group14
    IntegrityCheckMethod : SHA256
    PfsGroup : PFS1
    EncryptionMethod : AES256

    The only difference is the PfsGroup; this cannot be set to 0 via Intune.

    In the Firebox we have the following:

    Phase1: SHA2-256-AES (256-bit) / DH Group 14
    Phase2: ESP-AES256-SHA-256 / No PFS

    Could this be the reason?

  • james.carson Moderator, WatchGuard Representative

    Hi @kraeg
    The PFS group would cause the proposal to be rejected.

    If modifying what Intune is pushing to match the proposal on the firewall, you can change the IKEv2 shared proposals for the VPN and the Firebox:

    (Edit the Mobile VPN with IKEv2 Configuration)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_config_edit.html#Phases

    -James Carson
    WatchGuard Customer Support
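
    The comparison the thread walks through by hand, as an added example (not code from the thread, Intune or WatchGuard): it reads the IPsec policy Windows actually applied to the VPN connection and reports every field that differs from the Firebox proposal quoted above, so the PfsGroup mismatch shows up directly. The connection name 'Corp IKEv2' is a placeholder; run it as the user the Intune profile was deployed to, or with -AllUserConnection for a device profile.

```powershell
# Added example: compare the applied IPsec custom policy of a Windows VPN
# connection against the Firebox proposal from the thread.
# 'Corp IKEv2' is a placeholder connection name, not a value from the thread.
param(
    [string]$ConnectionName = 'Corp IKEv2',
    [switch]$AllUserConnection
)

# Expected values: Phase1 SHA2-256 / AES-256 / DH Group 14, Phase2 ESP-AES256-SHA-256,
# no PFS. These match what the working PowerShell-deployed connection reported.
$Expected = [ordered]@{
    AuthenticationTransformConstants = 'SHA256128'
    CipherTransformConstants         = 'AES256'
    DHGroup                          = 'Group14'
    IntegrityCheckMethod             = 'SHA256'
    PfsGroup                         = 'None'
    EncryptionMethod                 = 'AES256'
}

# Get-VpnConnection exposes the custom proposal set by Set-VpnConnectionIPsecConfiguration
# (or by the Intune profile) under IPsecCustomPolicy.
$vpn    = Get-VpnConnection -Name $ConnectionName -AllUserConnection:$AllUserConnection -ErrorAction Stop
$policy = $vpn.IPsecCustomPolicy
if (-not $policy) {
    Write-Warning "'$ConnectionName' has no custom IPsec policy; Windows will negotiate its default proposals."
    return
}

# Compare field by field and collect anything that deviates from the Firebox side.
$mismatches = foreach ($key in $Expected.Keys) {
    $actual = [string]$policy.$key
    if ($actual -ne $Expected[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $Expected[$key]; Actual = $actual }
    }
}

if ($mismatches) {
    $mismatches | Format-Table -AutoSize
    Write-Warning "IPsec policy on '$ConnectionName' does not match the Firebox proposal."
} else {
    Write-Host "IPsec policy on '$ConnectionName' matches the Firebox proposal."
}
```

    On the Intune-deployed connection from the thread this lists one row, PfsGroup expected None but actual PFS1; on the PowerShell-deployed one it reports a match.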
