IKEv2 Mobile VPN - VPN User to Internal connections are OK, Internal to user are not

When a user is connected to our LAN via Mobile VPN using IKEv2, they can access all internal resources just fine, however internal servers cannot ping that user by IP and cannot access any resources on the user's computer. This isn't a problem with SSL VPN, however SSL is at least 2-4x slower than IKEv2. It doesn't look like there are any firewall policies having a negative effect here, and I've tried the policy checker and it agrees. I also have the firewall disabled on the (Windows) client PC. Any ideas?

Comments

  • Make sure that your ping policy allows access To: IKEv2-Users

    To get a response to a ping from my firewall, I needed to disable my Windows 10 Windows Defender firewall.
    I did not bother to find out what changes were needed to my Windows Defender settings to allow access without disabling it.

  • Yeah, our ping policy is the Watchguard default, which allows To: Any. The client I'm testing with presently is able to get pings over the SSL VPN and has Windows Firewall completely disabled. I've also tried just opening the ports we need on Windows Firewall and leaving it enabled but that didn't work either.

  • No idea why ping works for me and not for you.
    I'm doing the ping from my firewall using WSM Firebox System Manager -> Diagnostic tasks -> Ping

    re. SSLVPN speed - review this video
    Optimize Mobile VPN with SSL
    https://watchguard.us13.list-manage.com/track/click?u=1bcb692e17a1463ca874e0ce2&id=17a9d1168a&e=cae878f58b

  • edited April 20

    Not that it helps your issue, I added a Windows Defender rule which allows access from my firewall, by following this example.
    No need to disable Windows Defender any more for testing.

    How to Add IP Address in Windows Firewall
    https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

  • Any resolution on this? I'm having a similar problem. Mobile IKEv2 user logs in, can access the network no problem, can RDP in, can ping inside no problem. Inside network cannot ping the Mobile VPN user. Ping is opened up to Any Any. MVPN user gets one of the pool IPs, 192.168.114.1. Cannot ping this address, not even from Diagnostic Tasks! Any help would be appreciated.

  • edited May 8

    I've been looking into the same issue. IKEv2 External User -> Internal works, Internal -> IKEv2 External User does not.

    I ran a packet capture on the External IKEv2 client machine and found that ping requests from an internal node were in fact reaching the external machine, BUT, the external machine was responding to the ping at the external interface IP of the firewall, not the internal IP address of the node that sent the ping.

    So there's the problem as I see it. How to solve? I suspect this has something to do with the NAT config.

  • Just figured it out. Disable Dynamic NAT on whatever policy you created to allow traffic back up the tunnel. Pings work now, and I was able to connect to a share on the IKEv2 user's machine.

  • What Dynamic NAT entry was causing your issue?
    I would not expect the default NAT -> Dynamic NAT entries to do anything to prevent this access, and thus I would not expect unselecting the Dynamic NAT option on a policy to help.

  • No, Bruce_Briggs, it did not help. When IKEv2 users / Service was enabled, it created an auto policy called "Allow IKEv2-Users". In there, under the Advanced tab, are the 1-to-1 NAT / Dynamic NAT settings. I tried all combos, nothing working. Can still only ping from the MVPN user into the network, cannot ping from the trusted network to the MVPN user. This is a real brain teaser!

  • edited May 13

    The Advanced tab 1-to-1 NAT / Dynamic NAT settings are for outgoing packets, normally to the Internet.

    Hopefully @TerryH will post the Dynamic NAT entry that was changed

    @NetworkNinja - have you verified that the remote client firewall is not the issue?

  • @Bruce_Briggs Yes I have. I have all firewalls off, even Windows' own firewall. Weird thing is, when I enable the SSL MVPN account / settings and use the Watchguard SSL application it seems to work ok.... Kind of want the IKEv2 to work though.

  • Any news on this? I have the same problem with IKEv2 VPN.
    Remote AD Domain joined laptops connecting in can access all internal resources.
    I cannot access, ping or AD manage the remote laptops while on IKEv2 VPN.
    All works well both ways using IPSEC and SSL VPN Clients.
    Wireshark on remote Laptops not showing any inbound created connection traffic coming from Internal central network.

  • Solved from a post by @indyjones "How to reach Mobile IKEv2 Users from internal Network" on March 23rd.
    The problem is NAT being applied.
    Add an "any" rule for your "Trusted internal network" --> "Network in IKEv2 config"
    Solution from support: "For the policy you created to access Ikev2-Users, can you go in the advanced tab of the policy and disable Dynamic NAT"
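
Following the capture observation in the May 8 comment (replies to internal pings leaving the client addressed to the Firebox's external interface IP) and the Dynamic NAT fix confirmed above, here is an added example that is not from any poster in this thread: a small Python checker that takes ICMP echo records from a capture on the IKEv2 client and reports whether inbound requests arrive with their real trusted-network source or with a source rewritten to the firewall's external address. The records, the trusted network 10.0.1.0/24 and the firewall external address 203.0.113.10 are constructed for the example; 192.168.114.1 is the pool address mentioned in the thread. In practice the records would be exported from Wireshark or tshark rather than typed in.

```python
"""Classify ICMP echo traffic seen on an IKEv2 VPN client to spot a NAT'd return path."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IcmpEcho:
    """One ICMP echo packet as it appeared on the VPN client's capture (constructed record)."""
    src: str
    dst: str
    kind: str     # "request" or "reply"
    ident: int    # ICMP identifier, shared by a request and its reply
    seq: int      # ICMP sequence number


def classify_request(pkt: IcmpEcho, trusted_net: str, firewall_external_ip: str) -> str:
    """Where does an inbound echo request appear to come from, as seen by the client?"""
    src = ipaddress.ip_address(pkt.src)
    if src in ipaddress.ip_network(trusted_net):
        return "direct"          # no NAT on the policy: the internal sender's address survived
    if src == ipaddress.ip_address(firewall_external_ip):
        return "dynamic-nat"     # source rewritten to the Firebox external interface
    return "unexpected"


def diagnose(packets: List[IcmpEcho], trusted_net: str,
             firewall_external_ip: str) -> Tuple[Dict[str, int], str]:
    """Summarise a client-side capture and give a one-word verdict on the return path.

    The client always answers an echo to whatever source address the request carried,
    so replies_to_firewall rising together with dynamic-nat requests is the signature
    described in the thread: Dynamic NAT is still enabled on the trusted -> IKEv2-Users policy.
    """
    summary = {"direct": 0, "dynamic-nat": 0, "unexpected": 0,
               "unanswered": 0, "replies_to_firewall": 0}
    replies = {(p.ident, p.seq): p for p in packets if p.kind == "reply"}
    for req in (p for p in packets if p.kind == "request"):
        summary[classify_request(req, trusted_net, firewall_external_ip)] += 1
        rep = replies.get((req.ident, req.seq))
        if rep is None:
            summary["unanswered"] += 1
        elif rep.dst == firewall_external_ip:
            summary["replies_to_firewall"] += 1
    if summary["dynamic-nat"]:
        verdict = "dynamic-nat-on-return-policy"
    elif summary["unexpected"]:
        verdict = "unexpected-source"
    else:
        verdict = "ok"
    return summary, verdict


# Constructed sample captures: the same internal host pinging the VPN client twice,
# before and after Dynamic NAT was disabled on the policy.
CAPTURE_BEFORE_FIX = [
    IcmpEcho("203.0.113.10", "192.168.114.1", "request", 0x1A2B, 1),
    IcmpEcho("192.168.114.1", "203.0.113.10", "reply", 0x1A2B, 1),
    IcmpEcho("203.0.113.10", "192.168.114.1", "request", 0x1A2B, 2),
    IcmpEcho("192.168.114.1", "203.0.113.10", "reply", 0x1A2B, 2),
]
CAPTURE_AFTER_FIX = [
    IcmpEcho("10.0.1.25", "192.168.114.1", "request", 0x1A2B, 1),
    IcmpEcho("192.168.114.1", "10.0.1.25", "reply", 0x1A2B, 1),
    IcmpEcho("10.0.1.25", "192.168.114.1", "request", 0x1A2B, 2),
    IcmpEcho("192.168.114.1", "10.0.1.25", "reply", 0x1A2B, 2),
]

if __name__ == "__main__":
    for label, cap in (("before fix", CAPTURE_BEFORE_FIX), ("after fix", CAPTURE_AFTER_FIX)):
        counts, verdict = diagnose(cap, "10.0.1.0/24", "203.0.113.10")
        print(f"{label}: {verdict} {counts}")
```

The "direct" count is the one to watch after changing the policy: if requests still show the firewall's external address as their source, the NAT setting on the policy that carries trusted-to-IKEv2-Users traffic has not actually been cleared.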
