IKEv2

Hello, I'm using IKEv2 VPN. Is it possible to limit the client to log in from a specific IP address, for instance a home static IP?

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @erhan11

    In order to do this, you'd need to disable the default IPSec policy.
    See the "Disable or Enable the Built-in IPSec Policy" section in this article:

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html

    You'd then need to make a policy from the specific IPs you want to be able to contact the firewall via IPSec, and make that policy to Firebox.

    *Note that this policy also governs site to site VPNs, and IPSec (IKEv1) mobile VPN, so you will need to account for this in your policies.

    -James Carson
    WatchGuard Customer Support

  • In addition to limiting from IP (or instead of...), I suggest setting up MFA for all Mobile VPN access.

    Gregg Hill

  • Thanks guys, but I'm a complete newbie. I have no idea how I can do these settings. Any video tutorial or something like that?

    Thanks again,

  • As James indicated:
    See: Disable or Enable the Built-in IPSec Policy, here

    About Global VPN Settings
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/global_vpn_settings_about_c.html

    Add an IPSec packet filter, From: desired public IP addrs To: Firebox

    MFA = multi-factor authentication
    This is a non-trivial setup process for a newbie. Something to consider down the road.

  • james.carson Moderator, WatchGuard Representative

    I don't have a video for something that specific. Since people on mobile VPN are generally on the move, it's not uncommon to have them connect from any IP. Restricting it would be rare.

    If you need assistance setting this up, I'd suggest opening a support case, so that one of the support reps can assist you.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    I don't have a video for something that specific. Since people on mobile VPN are generally on the move, it's not uncommon to have them connect from any IP. Restricting it would be rare.

    If you need assistance setting this up, I'd suggest opening a support case, so that one of the support reps can assist you.

    Thank you, I'm doing that now. I realise I need to register the serial numbers first.
