There are two ways a mobile IKEv2 VPN client can route traffic to the Internet for mobile VPN users:
Full tunnel (default route)
Full tunnel is the most secure option because it routes all Internet traffic from a remote user through the VPN tunnel to the Firebox. Then, the traffic is sent back out to the Internet. With this configuration, the Firebox inspects all traffic, which provides increased security. Be aware that this option requires more processing power and bandwidth.
Full tunnel is the default option for all mobile VPN types on the Firebox.
Split tunnel
When you configure a split tunnel:
- Traffic destined for internal resources that you specify goes through the tunnel. The Firebox inspects this traffic.
- Other traffic, which includes Internet traffic, does not go through the VPN tunnel. The Firebox does not inspect this traffic
A split tunnel offers better performance than a full tunnel because the Firebox processes less traffic. However, a split tunnel can affect security because the Firebox does not inspect all traffic from VPN clients.
In Fireware v12.9 or higher, you can configure split tunneling in the Mobile VPN with IKEv2 configuration on the Firebox. To automatically install a split tunnel VPN connection on Windows, macOS, iOS and Android devices, you can download client configuration files from the Mobile VPN with IKEv2 configuration on the Firebox.
For information about how to configure Mobile VPN with IKEv2 on the Firebox, see Edit the Mobile VPN with IKEv2 Configuration.
In Fireware v12.8.x or lower, you cannot configure split tunneling in the Mobile VPN with IKEv2 configuration on the Firebox. Fireware v12.8.x or lower supports connections from Mobile VPN with IKEv2 clients configured for split tunneling. However, you must manually configure IKEv2 clients for split tunneling. For example, you must manually add routes on the client computer for each remote network that you require access to. For Fireboxes with Fireware v12.8.x or lower, we do not provide customer support for split tunnel configurations on IKEv2 clients. See the documentation provided by your VPN client vendor. If you require split tunneling in Fireware v12.8.x or lower, we recommend that you use Mobile VPN with SSL. For information about Mobile VPN with SSL and split tunneling, see Options for Internet Access Through a Mobile VPN with SSL Tunnel.
Configure the Firebox
You must configure your Firebox with dynamic NAT to receive traffic from an IKEv2 user. Any policy that manages traffic going out to the Internet from behind the Firebox must be configured to allow the IKEv2 user traffic.
When you configure Mobile VPN with IKEv2:
- Make sure that the IP addresses you added to the IKEv2 address pool are included in your dynamic NAT configuration on the Firebox. This allows remote users to browse the Internet when they send all traffic to the Firebox.
From Policy Manager, select Network > NAT. - Edit your policy configuration to allow connections from the IKEv2 -Users group through the external interface.
For example, if you use WebBlocker to control web access, add the IKEv2 -Users group to the proxy policy that is configured with WebBlocker enabled.
For information about dynamic NAT, see About Dynamic NAT.
For information about policies, see Policies.
Automatically Configure Clients
To configure IKEv2 VPN clients, we recommend that you download client configuration files from the Firebox. You can use these files to install pre-configured IKEv2 VPN profiles on Windows, macOS, iOS, and Android devices. The client configuration files install a full tunnel or split tunnel VPN connection based on the Mobile VPN with IKEv2 configuration on the Firebox.
For information about client configuration files, see Configure Client Devices for Mobile VPN with IKEv2.
Manually Configure Clients
If you plan to manually configure the client, we recommend that you configure a full tunnel IKEv2 VPN connection:
- Windows 10 — In the IPv4 adapter properties for the IKEv2 VPN connection, verify that Use default gateway on remote network is selected. This is the default full tunnel (default route) option.
- Windows 8.1 — Keep the default setting, which is full tunnel (default route).
- macOS — Keep the default setting, which is full tunnel (default route).
You cannot configure this setting on mobile operating systems.
- In the Windows 8.1 or Windows 10, search for the Network and Sharing Center.
- Click Change Adapter Settings.
- Right-click the VPN connection name.
- Click Properties.
The VPN Connection Properties dialog box appears. - Select the Networking tab.
- Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
- On the General tab, click Advanced.
The Advanced TCP/IP Settings dialog box appears. - On the IP Settings tab, select the Use default gateway on remote network check box.
- In the Windows search bar, type powershell.
- In the search results, select Windows PowerShell.
The PowerShell command interface window appears. - To see the list of VPNs, type this command: get-vpnconnection
The configuration of all available Windows VPNs appears in the PowerShell window. - Identify the name of the mobile VPN connection you want to change, for example My Mobile VPN.
- To disable split tunneling for this VPN connection and use default route instead, type:
set-vpnconnection -Name "My Mobile VPN" -SplitTunneling $false - To exit PowerShell, type exit.
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.
See Also
Edit the Mobile VPN with IKEv2 Configuration
Troubleshoot Mobile VPN with IKEv2
Enable Default-Route in Windows 7 in the WatchGuard Knowledge Base