Display Name
Last Active
No Roles


  • @Kimmo_Pohjoisaho You were correct, sir. I had the intermediate ca cert installed, but the cert providers root ca cert was missing. That fixed the issue. Rookie mistake (and I'm sadly not a rookie). Thanks!
  • I am, but I uploaded the root ca cert when I installed the cert. Usually you can't install the cert without it. Let me compare the root certs I have in my other Firebox, maybe I'm missing one.
  • No, you can create a network policy without creating a connection policy. They aren't the same thing. While they are dependent they are also mutually exclusive. When I brought this up to support I was told that they assume the default connection policy is enabled which is why it's not in the instructions. We don't use the…
  • Seems like I created my own issue by following the directions exactly. I did not create a connection policy (we don't use the default CP on the NPS server) specifically for Watchguard since the instructions didn't include that as a step. That seemed odd to me, but I just followed the instructions.
  • Same here. Same in every possible way. Doesn't work for me. It seems like it's not passing domain information. I had the same Firebox and RADIUS server working for IPSec MUVPN, but not for IKEv2. Let me ask you something - what format do you enter user/domain information in the client? I've tried domain\user, [email protected]
  • I opened up a ticket. I'll post back the findings for future reference.
  • I have followed that to the T at least three times now with no results. One point worth making is that the documentation is conflicted on EAP-MSCHAPv2 and MSCHAPv2. The article above refers to the latter, while other documentation shows the first for IKEv2.
  • Did some additional testing and this appears to be RADIUS related. I am able to connect using a Firebox account, but not an AD account.
  • Perfect. Thank you!
  • The solution from WG support was to use SSL VPN instead.
  • Hi Bruce, I did as you suggested and internet access started working, but I can still see some traffic being routed out the other external interface (External-B) and I'm not sure why. I only have four policies that use External-B, and only for traffic coming from a completely different network. All of my policies for…
  • I'm on version 12.2.1.B572649 Sorry, my comment about Aliases referred to the From: entries. All of my outgoing policies specify To: Any-External, and then we use PBR settings to dictate which interface to use. Sounds like we're on the same page. We've not had the three default NAT entries for quite some time on this…
  • Also - it should be noted that I am not using any aliases on these policies (Any-Trusted, Any-Optional, etc.). I am using the network address. I may be confused based on some info I found in the forums and KB, but do I need to add the network address for my VPN IP pool to these policies, or is the IPSEC user group…
  • I'm aware of that. Read the next post. The forum stripped out my wildcards when I clicked submit, that's not how they were entered in the Firebox.
  • There should be wildcards (*) at both ends of those first two. Love these new forums.
  • I'll try my best to give an example of what's happening without using any trigger words. I have a site that is hosted on AWS. The site includes a document library that let's users download docs/files. The download URL is an AWS address. Something like I created…
  • These wonderful new forums won't let me post URL's, and it appears the admins are on permanent vacation because none of my previous posts have been approved or denied.
  • I narrowed this down to an issue with a wildcard in the URL in my exception list. I have no idea why that's an issue, but apparently in this instance it was.
  • Is there a reason I can't seem to post a response to this? I keep getting a message that my comments will be added once they have been approved, but its been around two and half hours and still nothing...
  • Here you go: 2019-08-23 15:18:26 Deny https/tcp 56213 443 1-Trusted 0-Corp-External ProxyDeny: HTTP Body Content Type match (HTTPS-proxy.Corp-00) HTTP-Client.Standard.Corp proc_id="http-proxy" rc="595" msg_id="1AFF-0012" proxy_act="HTTP-Client.Standard.Corp" rule_name="ZIP archive" geo_dst="USA"…
  • Also - the appliance is a M500 running 12.2.1.B572649