IKEv2 Routing to Remote Network

M470
12.5.3
FSM 12.6.1

When I create an IKEv2 connection on a Windows 10 machine by downloading the Client Profile from the Firebox and run the batch file that creates the connection, everything works as designed.
Problems occur when an end user doesn't have permissions to install the certificate and/or run the PowerShell script without getting an error about the script being digitally signed.
I get around this by having Group Policy install the certificate file (via SSL-VPN authenticating to AD), but the problem is manually creating the IKEv2 connection. It is straightforward and simple, just follow the Readme.txt in the downloaded Client Profile right?
After doing so, click connect and in less than a second your IKEv2 connection is up and running.
Now why can't I access anything on the remote network? Because there is no route to the remote network via the IKEv2 connection.
The routing table should look like this in the first couple lines:

IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.1.1        10.0.1.25   4250
          0.0.0.0          0.0.0.0         On-link    192.168.114.26     26

But on a manually created connection the second entry is missing, so there is no default route with a lower metric to send traffic through the VPN.

IPv4 Route Table

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.1.1        10.0.1.25     25
         10.0.1.0    255.255.255.0         On-link         10.0.1.25    281

Looking at the scripts in the Client Profile I see no code that adds routes during the creation process.

I'm missing something here and it is probably right in front of me. Just like the milk in the refrigerator.

Any thoughts out there?

Thanks,

  • Doug

It's usually something simple.

Comments

  • From the docs, in the circle with an I in it section:

    "If you manually configure the client, we recommend that you configure a default-route (full tunnel) VPN. In Windows 10, you might need to change the IPv4 adapter properties for the IKEv2 VPN connection so that Use default gateway on remote network is selected. This is the default-route (full tunnel) option. "

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_windows_client.html?Highlight=ikev2 script

  • Is that next to the milk Bruce? :-)

    I just tested that and it does resolve the issue. More of a workaround IMHO though.

    That information should be part of the Readme.txt file which is what people will be reading, also my opinion.

    Now that I'm on my soapbox, why do the two recommended VPN solutions (IKE & SSL) require Administrative access to one's PC in order to install?
    Due to COVID 95% of my users are working remotely with a company supplied, domain joined laptop or PC they took from their desk to bring home.

    They have no access to any network settings to make this type of change for the IKEv2 solution, and forbid me if I update my Firebox to 12.6.1 because this would require a new SSL-VPN client which now takes admin privileges to install on the client.

    Through Group Policy I may be able to use a System account to mitigate some of these issues, but boy howdy is it frustrating sometimes. I have all these end users asking for the local admin user/pass on their pc just so they can connect and work.

    Sorry to vent, just seems to be getting more difficult instead of easier.

    Once again Bruce, thanks for the help.

    • Doug

    It's usually something simple.

  • No, I found it on the shelf below the milk, towards the back, near the relish ;-)

    Admin requirements are caused by the OS provider - MS & Apple.
    Presumably to prevent the average user from doing really stupid/bad things.

    Do note that admin privs are needed to install SSLVPN on a Mac from what I have seen posted here (I'm not a Mac user...)

  • From the following post, it appears that the "Use Default gateway on remote network" option on the IKEv2 network adapter is created when the powershell method is used.
    It is not set when following the manual method.

    https://community.spiceworks.com/topic/2269333-ikev2-split-tunneling-on-watchguard-windows-10
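As an added example (not code from this thread, the Firebox Client Profile, or WatchGuard), here is a PowerShell check an admin can run on a Windows 10 client to see whether a hand-built IKEv2 connection was left split-tunnel (which is why no default route appears), switch it to "Use default gateway on remote network", and confirm the second 0.0.0.0/0 route once connected. The connection name is a placeholder; it assumes a per-user connection (add -AllUserConnection to the Get/Set calls if it was created for all users).

```powershell
# Placeholder connection name; replace with the name from the Client Profile Readme.txt
$name = 'Firebox IKEv2'

# A manually created connection typically has SplitTunneling = True, so Windows never
# installs a default route through the VPN adapter after the tunnel comes up.
$vpn = Get-VpnConnection -Name $name -ErrorAction Stop
if ($vpn.SplitTunneling) {
    Write-Host "'$name' is split-tunnel: no default route will be added on connect."
    # Same effect as ticking "Use default gateway on remote network" in the
    # adapter's IPv4 properties (the full-tunnel setting the docs recommend).
    Set-VpnConnection -Name $name -SplitTunneling $false
    Write-Host "Switched '$name' to full tunnel (default-route)."
} else {
    Write-Host "'$name' already routes all traffic through the VPN."
}

# After connecting (e.g. from the network flyout), expect two IPv4 default routes:
# the LAN gateway and an on-link route on the VPN adapter with the lower total metric.
Write-Host "Default routes currently installed (connect the VPN first):"
Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias,
                 RouteMetric, InterfaceMetric -AutoSize
```

`route print` shows RouteMetric plus InterfaceMetric as a single Metric column, which is why the VPN entry in the working table above has a small value (26) and the LAN default route a large one.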

  • Mixed bag of results with the powershell method. As a local or domain admin it seems to work pretty well. A couple times I've had to run it more than once to get everything working. End users with no admin privileges can get it to run, but no default gateway is created and hence my dilemma.
    The users connecting via the IKEv2 method like it better though.

    • Doug

    It's usually something simple.
