About Mobile VPN with IKEv2 User Authentication

When you configure Mobile VPN with IKEv2, you select authentication servers and configure users and groups for authentication. The users and groups you specify must exist on the selected authentication server.

Authentication Methods

Mobile VPN with IKEv2 supports two authentication methods:

Local authentication on the Firebox (Firebox-DB)

You can use the local authentication server on the Firebox for IKEv2 user authentication. If you use Firebox-DB for authentication, you must use the IKEv2-Users group that is created by default when you configure Mobile VPN with IKEv2. You can also add other users and groups in the IKEv2 configuration. The users and groups you add to the IKEv2 configuration are automatically included in the IKEv2-Users group.


RADIUS server

You can use a RADIUS server for IKEv2 user authentication. If you use a RADIUS server for authentication, you can use the default IKEv2-Users group (if you also add that group on the RADIUS authentication server), or you can add the names of users and groups that exist in the RADIUS authentication server database.

If you want to use an Active Directory database for authentication, you can configure your RADIUS server to use the Active Directory database. Then you can configure the RADIUS server on the Firebox, select RADIUS as the authentication method for Mobile VPN with IKEv2, and add the users and groups from your Active Directory database to the Mobile VPN with IKEv2 configuration. To configure your Active Directory server, see the documentation for your Microsoft operating system.

To configure NPS, which is the Microsoft implementation of RADIUS, see Configure Windows Server 2016 or 2012 R2 to authenticate mobile VPN users with RADIUS and Active Directory in the WatchGuard Knowledge Base.

Multi-Factor Authentication

Mobile VPN with IKEv2 supports multi-factor authentication for MFA solutions that support MS-CHAPv2.

AuthPoint, the WatchGuard MFA service, supports MS-CHAPv2 RADIUS authentication. To authenticate Mobile VPN with IKEv2 users to Active Directory through NPS and AuthPoint, see Firebox Mobile VPN with IKEv2 Integration with AuthPoint. You must configure AuthPoint push-based authentication; you cannot use AuthPoint OTP.

To authenticate mobile users who have third-party IKEv2 VPN clients, see Mobile VPN with IKEv2 Integration with AuthPoint.

For more information about AuthPoint, see About AuthPoint.

Android users who connect through the strongSwan VPN client receive AuthPoint push notifications only if you configure strongSwan for split tunneling. When configured for full tunneling, strongSwan cannot receive AuthPoint push notifications. This limitation applies to local AuthPoint user accounts and LDAP user accounts. To configure split tunneling in strongSwan, see the documentation provided by strongSwan.

See Also

RADIUS Authentication with Active Directory For Mobile VPN Users

Configure RADIUS Server Authentication

Mobile VPN with IKEv2

Troubleshoot Mobile VPN with IKEv2