Edit the Mobile VPN with IKEv2 Configuration

This topic explains how to edit an existing Mobile VPN with IKEv2 configuration. You can configure:

If you have not already configured Mobile VPN with IKEv2, we recommend that you use the Setup Wizard. The Setup Wizard helps you to set up a basic Mobile VPN with IKEv2 configuration. For more information, see Use the WatchGuard IKEv2 Setup Wizard.

Edit Network Settings

On the Networking tab, in the Firebox Addresses section, specify an IP address or domain name for connections from Mobile VPN with IKEv2 users. If your Firebox is behind a NAT device, you must specify the public IP address or domain name of the NAT device.

Edit the Virtual IP Address Pool

On the Networking tab, the Virtual IP Address Pool shows the internal IP addresses that are used by Mobile VPN with IKEv2 users over the tunnel. The virtual IP address pool must contain at least two IP addresses. By default, the Firebox assigns addresses in the 192.168.114.0/24 range to Mobile VPN with IKEv2 clients.

We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.

For more information about virtual IP addresses, see Virtual IP Addresses and Mobile VPNs.

To add to the virtual IP address pool:

  1. Click Add.
    The Add Address Pool dialog box appears.
  2. From the Choose Type drop-down list, select Network IPv4 or Host IPv4.
  3. In the adjacent text box, type an IP address or network IP address.
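The overlap problem described above (a virtual IP pool or corporate network that collides with a range common on home networks) is easy to check before you commit a pool. The following is an added example, not WatchGuard code or part of this page; it uses only Python's standard ipaddress module, takes pool entries as you would type them into the Add Address Pool dialog (a network or a single host), and returns findings for a pool that is too small, overlapping entries, overlap with the corporate networks, and overlap with the two home ranges the page names.

```python
import ipaddress

# Private ranges the page says are common on home networks. A corporate network
# or pool that overlaps one of these can cause a remote user's traffic to stay on
# the local LAN instead of going through the tunnel.
COMMON_HOME_RANGES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def check_virtual_ip_pool(pool_entries, corporate_networks, home_ranges=COMMON_HOME_RANGES):
    """Return a list of findings (strings) for a proposed virtual IP address pool.

    pool_entries:       strings as typed into the dialog, either a network
                        ("192.168.114.0/24") or a single host ("10.0.5.7").
    corporate_networks: networks that are reachable through the tunnel.
    An empty list means no problems were found.
    """
    findings = []
    # strict=False so a host entry becomes a /32 and a non-aligned network is masked.
    pool = [ipaddress.ip_network(e, strict=False) for e in pool_entries]
    corp = [ipaddress.ip_network(n, strict=False) for n in corporate_networks]

    # The pool must contain at least two IP addresses in total.
    total = sum(n.num_addresses for n in pool)
    if total < 2:
        findings.append(f"pool has {total} address(es); at least two are required")

    # Pool entries must not overlap each other or the corporate networks.
    for i, a in enumerate(pool):
        for b in pool[i + 1:]:
            if a.overlaps(b):
                findings.append(f"pool entries {a} and {b} overlap")
        for c in corp:
            if a.overlaps(c):
                findings.append(f"pool entry {a} overlaps corporate network {c}")

    # Neither the pool nor the corporate networks should sit inside common home ranges.
    for n in pool + corp:
        for h in home_ranges:
            if n.overlaps(h):
                findings.append(f"{n} overlaps common home range {h}")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: the default pool against a typical corporate network,
    # then a single-host pool beside a corporate network that uses a home range.
    print(check_virtual_ip_pool(["192.168.114.0/24"], ["10.10.0.0/16"]))
    print(check_virtual_ip_pool(["192.168.1.10"], ["192.168.0.0/24"]))
```

Run the check against your planned pool and every network the tunnel will route; any finding about a home range is the case the page describes, and the fix is to move the corporate network, not the pool alone.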

Edit Authentication Settings

On the Authentication tab you can configure authentication servers and the authorized users and groups.

If your users authenticate to network resources with Active Directory, we recommend that you configure RADIUS authentication so the IKEv2 VPN can pass through Active Directory credentials.

Configure Authentication Servers (Fireware v12.5 or Higher)

Configure Authentication Servers (Fireware v12.4.1 or Lower)

Configure Users and Groups

If you use Firebox-DB for authentication, you must use the IKEv2-Users group that is created by default. You can add the names of other groups and users that use Mobile VPN with IKEv2. For each group or user you add, you can select the authentication server where the group exists or select Any if that group exists on more than one authentication server. The group or user name you add must exist on the authentication server. The group and user names are case sensitive and must exactly match the name on your authentication server.

For more information about user authentication, see About Mobile VPN with IKEv2 User Authentication.

For more information about how to add Firebox-DB users, see Define a New User for Firebox Authentication.

For more information about how to add Firebox-DB groups, see Define a New Group for Firebox Authentication.

For more information about how to add RADIUS users and groups, see Use Users and Groups in Policies.

Configure a Certificate for Authentication

You can select a Firebox certificate or a third-party certificate for Mobile VPN with IKEv2 authentication. Firebox and third-party certificates have these requirements:

  • Extended Key Usage (EKU) flags "serverAuth" and "IP Security IKE Intermediate" (OID 1.3.6.1.5.5.8.2.2)
  • IP address or DNS name as a Subject Alternative Name value

In Fireware v12.5 or higher, the Firebox supports ECDSA (EC) certificates for Mobile VPN with IKEv2. Your IKEv2 client must also support EC certificates. Support varies by operating system. For more information, see About Elliptic Curve Digital Signature Algorithm (ECDSA) certificates.
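A certificate that is missing either EKU value or a usable SAN entry is a common reason a client refuses to connect, so it is worth checking a third-party certificate against the requirements above before you import it. The following is an added example, not WatchGuard code or part of this page; it assumes the third-party cryptography package is installed, builds a constructed self-signed EC certificate with the listed extensions so the check can run offline, and also provides a helper for checking a PEM file you already have.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

from cryptography import x509  # assumption: the "cryptography" package is installed
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

# OID the page gives for the "IP Security IKE Intermediate" EKU.
IKE_INTERMEDIATE = x509.ObjectIdentifier("1.3.6.1.5.5.8.2.2")


def check_ikev2_certificate(cert):
    """Return a list of findings for a certificate intended for Mobile VPN with IKEv2.

    Checks the two requirements the page lists: EKU must contain serverAuth and
    IKE Intermediate, and the SAN must carry a DNS name or an IP address.
    """
    findings = []
    try:
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
    except x509.ExtensionNotFound:
        findings.append("Extended Key Usage extension is missing")
    else:
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            findings.append("EKU lacks serverAuth")
        if IKE_INTERMEDIATE not in eku:
            findings.append("EKU lacks IP Security IKE Intermediate (1.3.6.1.5.5.8.2.2)")
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        findings.append("Subject Alternative Name extension is missing")
    else:
        names = san.get_values_for_type(x509.DNSName) + san.get_values_for_type(x509.IPAddress)
        if not names:
            findings.append("SAN has no DNS name or IP address entry")
    return findings


def check_pem_file(path):
    """Load a PEM certificate from disk and run the same check on it."""
    with open(path, "rb") as f:
        return check_ikev2_certificate(x509.load_pem_x509_certificate(f.read()))


def make_sample_cert(include_ike_eku=True):
    """Constructed self-signed ECDSA (P-256) certificate for demonstration only.

    vpn.example.com and 203.0.113.10 are placeholder values, not real endpoints.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "vpn.example.com")])
    eku_oids = [ExtendedKeyUsageOID.SERVER_AUTH]
    if include_ike_eku:
        eku_oids.append(IKE_INTERMEDIATE)
    now = datetime.now(timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.ExtendedKeyUsage(eku_oids), critical=False)
        .add_extension(
            x509.SubjectAlternativeName(
                [x509.DNSName("vpn.example.com"), x509.IPAddress(ip_address("203.0.113.10"))]
            ),
            critical=False,
        )
    )
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print(check_ikev2_certificate(make_sample_cert()))                       # []
    print(check_ikev2_certificate(make_sample_cert(include_ike_eku=False)))  # missing IKE EKU
```

The SAN value you check for should be the same address or domain name you entered in the Firebox Addresses section; a certificate that passes this check but names a different host will still fail client validation.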

To select a certificate for authentication:

  1. Click the Security tab.
  2. To specify a certificate for authentication, click Edit.
    The Firebox Address and Certificate Settings dialog box appears.
  3. In the Type drop-down list, select Firebox-Generated Certificate or Third-Party Certificate.

Configure the Phase 1 and 2 Settings

To configure the Phase 1 settings, select VPN > IKEv2 Shared Settings. For more information about IKEv2 Shared Settings, see Configure IKEv2 Shared Settings.

The IPSec Phase 2 proposals used for Mobile VPN with IKEv2 are the same proposals you configure to use with an IPSec branch office VPN. If you want to configure a new Phase 2 proposal to use with Mobile VPN with IKEv2, you must add it in the Phase 2 Proposals page. Then you can add it to the Mobile VPN with IKEv2 configuration.

Configure the DNS and WINS Settings

In Fireware v12.2.1 or higher, you can specify DNS and WINS servers in the Mobile VPN with IKEv2 configuration.

You cannot specify a domain suffix in the Mobile VPN with IKEv2 configuration on the Firebox. Mobile IKEv2 clients do not inherit the domain suffix specified in the Network (global) DNS server settings. To manually configure a domain suffix in the Windows IKEv2 VPN client settings, see Configure DNS settings for L2TP or IKEv2 VPN clients in the WatchGuard Knowledge Base.

For detailed information about DNS settings for Mobile VPN with IKEv2, see Configure DNS and WINS Servers for Mobile VPN with IKEv2.

In Fireware v12.2 or lower, you cannot configure DNS and WINS settings in the Mobile VPN with IKEv2 configuration. Clients automatically receive the DNS and WINS servers specified in the Network (global) DNS/WINS settings on the Firebox. The domain name suffix is not inherited. Although you can specify up to three Network DNS servers, mobile VPN clients use only the first two in the list. For information about the Network DNS/WINS settings, see Configure Network DNS and WINS Servers.

Timeout Setting for User Authentication

In Fireware v12.5.4 or higher, you can specify a custom timeout value for Mobile VPN with IKEv2 EAP user authentication. You might specify a custom timeout value if your mobile IKEv2 users authenticate with multi-factor authentication (MFA) and require more time to respond to MFA prompts. The default timeout value is 20 seconds.

Before you change the user authentication timeout setting, consider other timeout settings that might affect Mobile VPN with IKEv2:

  • Firebox RADIUS settings—The default timeout setting is 30 seconds (10 seconds and 3 retries). If you specify a Mobile VPN with IKEv2 user authentication timeout greater than 30 seconds, and your mobile IKEv2 users authenticate through RADIUS, you must also increase the default RADIUS timeout setting so that it is greater than 30 seconds.
  • AuthPoint—The default timeout setting is 60 seconds and cannot be changed. If your mobile IKEv2 users authenticate through AuthPoint, the user authentication timeout for Mobile VPN with IKEv2 must not exceed 60 seconds.
  • Microsoft NPS (RADIUS server)—The default timeout is 30 seconds.

For more information about timeout settings for mobile IKEv2 users who authenticate through AuthPoint and RADIUS, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint.

Configure the timeout setting

You must use Fireware CLI to configure this setting. Use this command:

WG#diagnose vpn "/ike/param/set ikev2_eap_timeout=[xxx] action=now"

For example, to configure a custom timeout value of 40 seconds, specify the following:

WG#diagnose vpn "/ike/param/set ikev2_eap_timeout=40 action=now"

You can specify a timeout value between 20 and 300 seconds. If you specify action=now, you do not have to restart the Firebox for this setting to take effect and the tunnel will not be rekeyed. The new timeout value that you specify will apply to new IKEv2 connections.

See Also

Use the WatchGuard IKEv2 Setup Wizard

Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Certificates for Mobile VPN with IKEv2 Tunnel Authentication

Troubleshoot Mobile VPN with IKEv2