IKEv2 Mobile VPN Problems Authorization AD

Hello,

I configured Mobile VPN with IKEv2 on the Firebox M370. For authentification, in the first step we configured users of the Firebox-DB. After installing the batch file on a Windows 10 client, the connection was successful. I'm able to ping all Clients and Server (including domain controller), that I want to reach. But there is still a problem with the connection to the domain controller. I can't authentificate my AD user. If I want to access shares, outlook (exchange), printserver etc. I have to authenficate with username and password. Also I can't update user group policies with gpupdate.
After a new Windows login, everthing works fine.
We use DNS server of the domain controller at the IKEv2 VPN profile.

Does somebody have any idea?

Answers

  • Yeah, unfortunately the IKEv2 VPN doesn't allow the use of AD for authentication unlike the SSL or IPSec VPN's do. Thus requiring you to re-authenticate with your AD credentials after the VPN connection if you wish to access any Domain resources. File shares, Exchange etc.....

    Personally I've found the IKEv2 VPN is great for users utilizing their own home pc to access the network strictly for RDP connections onto their work PC.
    No software to install.

    • Doug

    It's usually something simple.

  • That's odd. I have never been asked to authenticate to AD after establishing IKEv2 VPN connection and I can access network resources just fine. The login to the AD domain happens before establishing VPN (I suppose by cached credential).

    I'm only asked to authenticate when IKEv2 username is different than AD username, for example: JohnDoe (Firebox-DB username), JDoe (AD username). For that reason, I create the same username but different password on Firebox-DB.

  • The next step is to change the authentification via AD / NPS.
    Exactly, currently the login to the AD happens before establishing VPN. Then I do a logout and login in Windows. After that I have access. But sometimes I can't login into Windows "the account addressed is currently blocked"(translation from Germany).
    IKEv username and AD username are same (JDoe), passwords are different.
    Watchguard Traffic Monitor allows the ports for the AD authentification.

    Currently our user use the SSL client. It works fine. But we want to change because of the pre logon. So the users doesn't have any error message after Windows login.

    Does anybody have an advice? Or should I continue with the AD registration first?

Sign In to comment.