Mobile VPN with IKEv2

Mobile Virtual Private Networking (Mobile VPN) with IKEv2 (Internet Key Exchange v2) creates a secure connection between a remote computer and the network resources behind the Firebox. Mobile VPN with IKEv2 uses IPSec to provide strong encryption and authentication. In Fireware v12.1 and higher, you can configure Mobile VPN with IKEv2 on the Firebox.

Mobile VPN with IKEv2 supports connections from native IKEv2 VPN clients on iOS, macOS, and Windows mobile devices. Android users can configure an IKEv2 VPN connection with the third-party strongSwan app.

For information about how to set up Mobile VPN with IKEv2 on the Firebox and connect from an IKEv2 client, see:

• Use the WatchGuard IKEv2 Setup Wizard
• Edit the Mobile VPN with IKEv2 Configuration
• Configure Client Devices for Mobile VPN with IKEv2

User Authentication

Mobile VPN with IKEv2 supports local authentication on the Firebox (Firebox-DB) and RADIUS authentication servers.

If your users authenticate to network resources with Active Directory, we recommend that you configure RADIUS authentication so the IKEv2 VPN can pass through Active Directory credentials.

For more information about authentication, see About Mobile VPN with IKEv2 User Authentication.

Multi-Factor Authentication (MFA)

Mobile VPN with IKEv2 supports multi-factor authentication for MFA solutions that support MS-CHAPv2.

AuthPoint, the WatchGuard MFA service, supports MS-CHAPv2 RADIUS authentication. To authenticate Mobile VPN with IKEv2 users to Active Directory through NPS and AuthPoint, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint. You must configure AuthPoint push-based authentication; you cannot use AuthPoint OTP.

To authenticate mobile users who have third-party IKEv2 VPN clients, see Mobile VPN with IKEv2 Integration with AuthPoint.

For more information about AuthPoint, see About AuthPoint.

Android users who connect through the strongSwan VPN client receive AuthPoint push notifications only if you configure strongSwan for split tunneling. When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts. To configure split tunneling in strongSwan, see the documentation provided by strongSwan.

For more information about MFA and mobile VPNs, see Use Multi-Factor Authentication (MFA) with Mobile VPNs.

See Also

About Mobile VPN with IKEv2 Licensing

Mobile VPN with IKEv2 Connections

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Certificates for Mobile VPN with IKEv2 Tunnel Authentication

Configure Windows Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Troubleshoot Mobile VPN with IKEv2