IKEv2 VPN

I have just created a mobile VPN with IKEv2 configuration by using its wizard, accepting the default settings on a M270 device with Fireware v12.5.1. I'm using Firebox-db auth server with a user defined account. I don't have a RADIUS auth server.

I've imported the certificate, manually created IKEv2 connection on Win 10 Pro. I can establish VPN connection from Windows 10 Pro but can not ping any internal network by either computer name, FQDN or IP addresses (ie: 192.168.1.x). Ideally, I would like to be able to access all internal network resources. Is this possible without RADIUS? I don't understand why I can't even ping internal network IP address when VPN is connected.

Comments

  • Make sure that your user ID is a member of the IKEv2-Users group.

    What you see can happen if the user enters valid user/pass but is not a member of a needed authentication group.

  • Sorry for sounding stupid... but how do I make that a member of IKEv2-Users? In Users and Groups, I see IKEv2-Users group but there's no option to edit the group to add a member.

    It sounds like you're saying it is possible to access internal network resources without AD authentication through RADIUS. Is that correct?

  • Select Authentication Servers, not Users and Groups

  • Thanks. I checked it. The username is already a member of IKEv2-Users group.

  • Nothing in Traffic Monitor to help understand this?

  • I have no issue with my IKEv2 connection.
    All I needed to do was to run the IKEv2 setup script that I downloaded from my firewall, and I can connect OK.
    Note that the auto-created Allow IKEv2-Users policy ends up near or at the bottom of your policies list - so some higher policy may be denying packets from your IKEv2 connection.

  • edited February 2020

    I see the following (date/time stamps deleted):

    admd Authentication of MUVPN user [ron@Firebox-DB] from 1.2.3.4 was accepted msg_id="1100-0004" Event

    sessiond IKEv2 VPN user ron@Firebox-DB from 1.2.3.4 logged in assigned virtual IP is 192.168.114.8 msg_id="3E00-0002" Event

    iked (66.134.50.155<->1.2.3.4)'WG IKEv2 MVPN' MUVPN IPSec tunnel is established. local:0 remote:0 in-SA:0x8d312c70 out-SA:0x4eb2d2bd role:responder msg_id="0207-0001" Event

    firewall Creation of chain parp:movpn in the filter table failed Debug

    Note:
    1.2.3.4 is the public IPv4 of my Win 10 PC
    66.134.50.155 is the public IPv4 of Watchguard external interface


    I configured my Win 10 client manually because I wanted to know exactly what needs to be configured on the client machine. I'll try using the script on another Win 10 Pro PC and test it.

    I do see Allow IKEv2-Users policy at the bottom of the firewall policy list.

  • You can turn on Logging on the Allow IKEv2-Users policy to see packets allowed by it in Traffic Monitor

  • There's a similar problem posted in October 2019:
    https://community.watchguard.com/watchguard-community/discussion/548/ikev2-vpn-cant-access-internal-resources#latest

    That user can access internal resources in a specific way. I can't even ping internal network IP address (192.168.1.x/24) . The only IP that responds to ping is WG internal IP address (192.168.1.1). Nothing else (IP, machine name) responds to ping.

    I have tried disabling auto order mode and move Allow IKEv2-Users policy to the top of the list. Same result (still can't access internal network with VPN established).

    On my old WG device (XTM330) that will be replaced soon, I've been using Mobile VPN with IPSEC successfully. I'm trying to configure IKEv2 for better security. In Mobile VPN with IPSEC settings, there's a "Resources" tab that allows me to enter my internal network IP (192.168.1.x/24) to allow access. That option does not exist in IKEv2 settings.

  • Did turn on Logging on the Allow IKEv2-Users policy ?
    If so, do you see packets in Traffic Monitor from your IKEv2 session ?

  • edited February 2020

    Not sure if this helps. Here's the result of ipconfig /all after establishing VPN:

    PPP adapter WG IKEv2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WG IKEv2
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.114.11(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0
    DNS Servers . . . . . . . . . . . : 192.168.1.8
    192.168.1.6
    Primary WINS Server . . . . . . . : 192.168.1.6
    NetBIOS over Tcpip. . . . . . . . : Enabled

    The virtual adapter does get the correct virtual IP (192.168.114.11) but the default gateway is all 0 where it should be 192.168.1.1. DNS/WINS are automatically and correctly assigned.

  • edited February 2020

    @Bruce_Briggs said:
    Did turn on Logging on the Allow IKEv2-Users policy ?
    If so, do you see packets in Traffic Monitor from your IKEv2 session ?

    I did and yes there's a ton of (ALLOW) entries when VPN gets connected.

  • I see the same Default Gateway . . . . . . . . . : 0.0.0.0
    I also see my allowed packets in Traffic Monitor, such as Ping, DNS, HTTP etc. from my IKEv2 virtual IP addr, with the policy at the top of the policy list.

    2020-02-25 18:48:04 Allow 192.168.114.5 104.17.61.6 icmp 1-Trust-VLAN 0-External Allowed 60 127 (Allow IKEv2-Users-00) proc_id="firewall" rc="100" msg_id="3000-0148" fqdn_dst_match="watchguard.com" src_ip_nat="xxx.xxx.xxx.xxx" src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic
    2020-02-25 18:48:04 Allow 192.168.114.5 54.174.40.213 dns/udp 56738 53 1-Trust-VLAN 0-External Allowed 70 127 (Allow IKEv2-Users-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="xxx.xxx.xxx.xxx" src_port_nat="64066" src_user="BruceVPN@Firebox-DB" geo_dst="USA" Traffic

  • edited February 2020

    When I change the policy (such as moving Allow IKEv2-Users to the top of the list or adding RADIUS auth server), do I have to re-download/distribute configuration scripts to VPN clients?

  • Policy move - no
    RADIUS - no idea - see if the .bat file etc. changes

  • edited February 2020

    @Ron said:

    @Bruce_Briggs said:
    Did turn on Logging on the Allow IKEv2-Users policy ?
    If so, do you see packets in Traffic Monitor from your IKEv2 session ?

    I did and yes there's a ton of (ALLOW) entries when VPN gets connected.

    Most of these packets are DNS/UDP (port 53) from 192.168.114.x (VPN virtual IP) to internal DNS IPs (Windows Server DNS). Some are https packets when I access websites. Web access over VPN works fine. WebBlocker policy is blocking sites (that I want to block) so that tells me web traffic is routed through the tunnel.

    The bigger problem is not being able to access shared folders on the server which is the whole point of having VPN tunnel to internal network. Accessing a shared folder times out with the following message (F drive is mapped to a shared folder on a server):

    An error occured when reconnecting F: to
    \\server-name\shared-folder
    Microsoft Windows Network: The local device name is already in use.

  • Does ping to 92.168.1.x work now or not?

    On your share mapping issue - there are a number of posts related to this on the Internet.
    Some suggest that it is a DNS issue - unable to resolve server-name
    Does the mapping work if using the IP addr of the server?

  • edited February 2020

    Only 1 IP address in the 192.168.1.0/24 (LAN) responds to ping. It happens to be the internal IP address of M270 (192.168.1.1). Nothing else responds to ping. I can't even get a reply when pinging DNS IP addresses. I can't access any shared folder by IP, computer name or FQDN.

    I've been using Mobile VPN with IPSec (Shrewsoft client) for years without any issue. As soon as VPN gets established, I can access all shared resources in the LAN.

    I wonder if this is Windows 10 related. I'll try it with a Win 7 PC later today.

  • I found the culprit. It is me. I'm configuring an M270 to replace the aging XTM330. I completely forgot the gateway on all (DNS/Windows) servers are still pointing to the old firewall. I had a light bulb moment and changed the gateway to point to M270 internal IP. Re-establish VPN... voila, I'm in the network and I can browse shared folders. Problem solved.

  • I'm currently having a similar issue like @Ron had...

    I want to preface this with this is my first time doing VPN through WatchGuard's firewall.

    I have a M670 that I just configured for IKEv2 with RADIUS / NPS authentication. My Windows 10 laptop is able to make the connection, I'm authenticated and connected. I get a similar DHCP as Ron ( provided by the M670 )

    PPP adapter IKEv2:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : IKEv2
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.114.3(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0
    DNS Servers . . . . . . . . . . . : 192.168.2.4
    192.168.2.5
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Once connected, I'm unable to ping anything inside my internal network. I'm unable to even ping anything in the outside world ( google.com, abc.com, etc. ).

    I don't know if this is my lack of VPN knowledge, but I noticed that the DHCP settings that are handed down by the M670 uses a broadcast address for the subnet mask. There's also no Default Gateway listed. Those two things alone make me think this is why I can't ping, get to internal network devices, or surf the internet while connected.

    On my internal network, I have a router that sits just before my WatchGuard M670. It's used to route all of my internal VLANs. So none of my workstations or network peripherals are using the M670 as the gateway. The router has a rule in it that sends all the traffic for the outside world through the M670.

    Any help that anyone can give is greatly appreciated!

  • Does you router know about the 192.168.114.0/24 subnet and does it forward reply packets to the firewall?

    The Subnet Mask = 255.255.255.255 & Default Gateway = 0.0.0.0 are to be expected. That is what I see for my IKEv2 connection That basically says route all packets down the VPN tunnel - not split tunneling.

    Because your DNS server is 192.168.2.4, which presumably is behind your internal router - look at the router's settings 1st.

    For debugging, you can turn on Logging on any policies which allow packets from IPSec-Users or 192.168.114.0/24, to see packets allowed by those policies in Traffic Monitor.

  • Also try doing a tracert to an IP addr out on the Internet from a VPN client.
    If you get replies for Internet IP addrs, then you know that the firewall settings are not the issue.

    If you don't - look at your Dynamic NAT settings. There should be 3 default entries for the 3 private subnets.
    192.168.0.0/16
    172.16.0.0/12
    10.0.0.0/8

    If the 192.168.0.0/16 entry is missing, then that will be an issue as outgoing packets from 192.168.114.0/24 will not be NATed to the public IP addr of your firewall, and thus reply packets can't be routed back.

  • Hi Guys
    I just had this issue and thought I would share the fix.

    A valid VPN user was connecting to my T30 FW, they would connect then instantly get disconnected. On the FW the error was:

    firewall Creation of chain parp:movpn in the filter table failed

    The issue was: the VPN client needed to be reinstalled using Run as Administrator in Windows 10. The TAP driver didn't install correctly.

    Hope this helps someone,
    Bish.

Sign In to comment.