IKEv2 and SSL VPN

We have a T50, latest updates. It is already running SSLVPN. As a test for a user that has slow internet, I wanted to enable IKEv2 to see if it speeds things up.

When adding the RADIUS server for IKEv2, it asks for a domain name. I add our domain (company.local). It comes back with the error: "Domain name company.local already exists. Enter a different domain name."

Is it possible to run both types of VPN at the same time?

Comments

  • It is possible to have all VPN client types enabled on an XTM firewall, and to have different client types connected to an XTM firewall simultaneously.

    It is possible to have multiple VPN client types installed on a client (i.e. a PC), such as SSLVPN & IPSec or IKEv2, although I doubt that you can run multiple VPN clients simultaneously.

    Try using a domain name of RADIUS, which is suggested here:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/authentication/radius_server_auth_about_c.html

  • I never could get IKEv2 working with RADIUS and Duo Security for 2FA. I wonder if the domain name is the issue. Without Duo as 2FA, it worked great. Wonderful! Yet another thing to add to my list.

    Gregg Hill

  • When adding the RADIUS server for IKEv2, it asks for a domain name. I add our domain (company.local). It comes back with the error: "Domain name company.local already exists. Enter a different domain name."

    That's because you probably have this domain under "active directory" too. Not sure if you can use both RADIUS and AD at the same time, but if you can configure RADIUS, I don't think there's a need to have the active directory set up on your box anymore. Don't forget there's a procedure to follow to activate NPS/RADIUS on your DCs too.

    Is it possible to run both types of VPN at the same time?

    Yes, no problem at all. Just not the same user/client with both VPNs at the same time, which, of course, makes no sense...

  • IKEv2 can’t use the AD LDAP for user authentication.

    If you need to authenticate with AD users, you need to set up, for example, Microsoft’s NPS RADIUS server.
    https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA22A000000XZlhSAG&lang=en_US

    The domain name can be whatever, for example just NPS or NPS.radius, etc.

  • edited March 2020

    @Kimmo said:
    IKEv2 can’t use the AD LDAP for user authentication.

    If you need to authenticate with AD users, you need to set up, for example, Microsoft’s NPS RADIUS server.
    https://watchguardsupport.secure.force.com/publicKB?type=KBArticle&SFDCID=kA22A000000XZlhSAG&lang=en_US

    The domain name can be whatever, for example just NPS or NPS.radius, etc.

    If the "domain name" mentioned is the one in step 4 of the article Kimmo linked about setting up NPS, that needs to be the LAN IP address of the Firebox or a LAN-resolvable FQDN of the Firebox. The NPS server needs to know what device will be sending RADIUS requests to it.

    @cblair, if the Domain Name is in the RADIUS setup of the Firebox for a new RADIUS server, that can be anything that isn't already in another authentication server's properties. "Domain name" is the name that will appear on authentication pages, for example, the SSLVPN box if you have the new RADIUS applied to it, port 4100 auth page.

    Gregg

    Gregg Hill

  • @Thibaud said:

    Is it possible to run both types of VPN at the same time?

    Yes, no problem at all. Just not the same user/client with both VPNs at the same time, which, of course, makes no sense...

    Actually, one CAN run both SSLVPN and IKEv2 VPN simultaneously, even with the same user from the same computer. As you noted, it doesn't make much sense, but it does connect to both!

    Gregg Hill

  • I set up my authentication server RADIUS domain names as the method that will be used when authenticating. For using plain RADIUS without any 2FA, I use "RADIUS" domain name (which is the default); for use with AuthPoint 2FA, I use "AuthPoint" domain name; for Duo Security 2FA, I use "DuoSecurity" domain name.

    I set AuthPoint as the default authentication server in both my SSLVPN and IKEv2 VPN setup's Authentication tab. Then when I go to log in, I just use my name and password and it uses AuthPoint, or if I want to use Duo 2FA, I log in with DuoSecurity\username and password. Same thing for plain RADIUS, but I only use that for testing.

    Gregg Hill
