Internet Access Through a Mobile VPN with IKEv2 Tunnel

There are two ways a Mobile VPN with IKEv2 client can route Internet traffic for remote users:

Default-route (full tunnel)

Default-route is the most secure option because it routes all Internet traffic from a remote user through the VPN tunnel to the Firebox. Then, the traffic is sent back out to the Internet. With this configuration, the Firebox can examine all traffic and provide increased security. Be aware that this option requires more processing power and bandwidth.

Default-route is the default option for all mobile VPN types on the Firebox.

Split tunnel

The Firebox supports connections from Mobile VPN with IKEv2 clients configured for split tunneling. However, you must manually configure IKEv2 clients for split tunneling. For example, you must manually add routes on the client computer for each remote network that you require access to. We do not provide customer support for split tunnel configurations on IKEv2 clients. See the documentation provided by your VPN client vendor.

If you require split tunneling, we recommend that you use Mobile VPN with SSL. For information about Mobile VPN with SSL and split tunneling, see Options for Internet Access Through a Mobile VPN with SSL Tunnel.

Firebox Configuration

Your Firebox must be configured with dynamic NAT to receive the traffic from an IKEv2 user. Any policy that manages traffic going out to the Internet from behind the Firebox must be configured to allow the IKEv2 user traffic.

When you configure your default-route VPN:

  • Make sure that the IP addresses you have added to the IKEv2 address pool are included in your dynamic NAT configuration on the Firebox. This allows remote users to browse the Internet when they send all traffic to the Firebox.
    From Policy Manager, select Network > NAT.
  • Edit your policy configuration to allow connections from the IKEv2-Users group through the external interface.
    For example, if you use WebBlocker to control web access, add the IKEv2-Users group to the proxy policy that is configured with WebBlocker enabled.

Client Configuration

To configure the client, we recommend that you download IKEv2 client configuration files from the Firebox. For information about client configuration files, see Configure Client Devices for Mobile VPN with IKEv2.

If you manually configure the client, we recommend that you configure IKEv2 clients for default-route (full tunnel) VPN:

  • Windows 10 — In the IPv4 adapter properties for the IKEv2 VPN connection, verify that Use default gateway on remote network is selected. This is the default-route (full tunnel) option.
  • Windows 8.1 — Keep the default setting, which is default-route.
  • macOS — Keep the default setting, which is default-route.

You cannot configure this setting on mobile operating systems.
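The Windows settings above can also be applied and checked from an elevated PowerShell session. The following is an added example, not configuration from this page or from WatchGuard; the connection name and the Firebox address are placeholders, and it assumes the connection uses EAP user authentication as described in the Firebox client configuration files.

```powershell
# Added example (not from the WatchGuard page): create a Windows IKEv2 VPN
# connection as a full tunnel (default-route) and verify the setting.
$ConnectionName = 'Firebox-IKEv2'       # assumed connection name
$FireboxAddress = 'vpn.example.com'     # placeholder: your Firebox external FQDN or IP

# -SplitTunneling is a switch on Add-VpnConnection; leaving it out creates a
# full-tunnel connection, which is the same as "Use default gateway on remote
# network" being selected in the adapter's IPv4 properties.
Add-VpnConnection -Name $ConnectionName `
    -ServerAddress $FireboxAddress `
    -TunnelType IKEv2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -RememberCredential `
    -Force

# If the connection already exists (for example, one imported from the Firebox
# client configuration files) and was later switched to split tunnel, set it back.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $false

# Check: SplitTunneling must be False so that all Internet traffic goes through
# the Firebox, where the outbound policies and dynamic NAT apply.
function Test-FullTunnel {
    param([string]$Name)
    $vpn = Get-VpnConnection -Name $Name
    if ($vpn.SplitTunneling) {
        Write-Warning "$Name is configured for split tunneling; Internet traffic bypasses the Firebox."
        return $false
    }
    Write-Output "$Name is full tunnel (default-route)."
    return $true
}

Test-FullTunnel -Name $ConnectionName

# After the tunnel is up (rasdial $ConnectionName), confirm that the active
# default route points at the VPN interface rather than the physical adapter:
# Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
#     Sort-Object RouteMetric |
#     Select-Object InterfaceAlias, NextHop, RouteMetric
```

If the check reports split tunneling, also review the IPv4 adapter properties of the connection, because the GUI checkbox and the `SplitTunneling` property are the same setting.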

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Enable Default-Route (Full Tunnel) in Windows

See Also

Add Network Dynamic NAT Rules

Mobile VPN with IKEv2

Edit the Mobile VPN with IKEv2 Configuration

Troubleshoot Mobile VPN with IKEv2

Enable Default-Route in Windows 7 in the WatchGuard Knowledge Base