Configure Windows Devices for Mobile VPN with IKEv2

You can configure the native IKEv2 VPN client on Windows devices for a VPN connection to your Firebox. To add the VPN connection on your device, you can use the WatchGuard automatic configuration script or manually configure settings on the device.

To install the CA certificate, you must have Administrator permissions on your Windows device. The WatchGuard configuration script automatically requests Administrator permissions to install the required CA certificate for the new IKEv2 VPN connection.

Mobile VPN with IKEv2 is supported on Fireboxes with Fireware v12.1 and higher.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Automatically Configure VPN Settings

To configure a VPN connection with the WatchGuard automatic configuration script, you must download a compressed .TGZ file from your Firebox. This file contains instructions and configuration scripts for different operating systems. For information about how to download this file, see Configure Client Devices for Mobile VPN with IKEv2.

The automatic configuration script creates a new IKEv2 VPN connection. The script configures the connection to be default-route (full tunnel), which means all traffic is sent over the VPN connection. The configuration script also installs the required CA certificate for the VPN connection. For information about default-route and split tunnel VPN connections, see Internet Access Through a Mobile VPN with IKEv2 Tunnel.

To add a new VPN connection in Windows 10 with the automatic configuration script:

  1. From the .TGZ file you downloaded from the Firebox, find the Windows_8.1_10 folder. This folder contains an automatic configuration file and the required CA certificate.
  2. Copy the folder to your Windows device.
  3. To start the configuration process, double-click the WG IKEv2.bat file.
    Two PowerShell windows appear.
  4. In both PowerShell windows, press any key to continue. The setup process completes.
  5. To find the new VPN connection, select Settings > Network & Internet > VPN.
  6. To start a VPN connection to the Firebox, right-click the new VPN connection you added and click Connect.

For computers with Windows 7, you must manually configure the VPN connection. The automatic configuration script is not supported. For more information, see Configure Windows 7 Devices for Mobile VPN with IKEv2 in the WatchGuard Knowledge Base.

If your configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, you must specify RADIUS as the domain name.

Manually Configure VPN Settings

To manually add a new VPN connection in Windows 10:

  1. From the .TGZ file you downloaded from the Firebox, find the Windows_8.1_10 folder. This folder contains the required CA certificate.
  2. Send the rootca.crt file to your Windows 10 device.
  3. To install the certificate, right-click the rootca.crt file.
  4. Click Install Certificate.
  5. Select the Local Machine store location and click Next.
  6. Select Place all certificates in the following store.
  7. Select Trusted Root Certificate Authorities and then click Next.
  8. Click Finish to complete the certificate installation process.
  9. Select Settings > Network & Internet > VPN.
  10. Click Add a VPN connection.
  11. Specify these settings:
    • VPN provider — Windows (built-in)
    • Connection name — Select a connection name (for example, WG IKEv2 VPN)
    • Server name or address — Host name or IP address of the server
    • VPN Type — IKEv2
    • Type of sign-in info — User name and password
    • Password (optional) — Your Firebox password
  12. Click Save.
  13. To start a VPN connection to the Firebox, right-click the new VPN connection you added and click Connect.

If you manually configure the client, we recommend that you configure a default-route (full tunnel) VPN. In Windows 10, you might need to change the IPv4 adapter properties for the IKEv2 VPN connection so that Use default gateway on remote network is selected. This is the default-route (full tunnel) option.
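The manual procedure above (certificate import, VPN connection creation, and the default-route setting) can also be done from an elevated PowerShell prompt with the built-in PKI and VpnClient cmdlets. The script below is an added example, not a WatchGuard script: the certificate path, the server address and the connection name are placeholders that you replace, and the use of EAP as the authentication method is assumed to match the User name and password sign-in option in the Settings app.

```powershell
#Requires -RunAsAdministrator
# Added example (not a WatchGuard script). Performs the manual steps on a
# Windows 10 device with the PKI and VpnClient modules.
# Placeholders you replace: $CaCertPath, $VpnServer, $ConnectionName.

$CaCertPath     = 'C:\Temp\Windows_8.1_10\rootca.crt'   # rootca.crt from the .TGZ (assumed path)
$VpnServer      = 'vpn.example.com'                     # Firebox host name or IP (placeholder)
$ConnectionName = 'WG IKEv2 VPN'                        # name shown under Settings > VPN

# Steps 3-8: install the CA certificate in the Local Machine
# Trusted Root Certification Authorities store.
$cert = Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Check: the CA must be in the machine root store, otherwise the client
# cannot validate the Firebox server certificate during IKEv2 setup.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw "CA certificate was not installed in LocalMachine\Root"
}

# Steps 9-12: create the IKEv2 connection. -AuthenticationMethod Eap is
# assumed to correspond to the 'User name and password' sign-in option.
# -SplitTunneling:$false keeps 'Use default gateway on remote network'
# selected, that is, a default-route (full tunnel) VPN.
$existing = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if ($existing) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $VpnServer `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod Eap `
                  -EncryptionLevel Required `
                  -SplitTunneling:$false `
                  -RememberCredential

# Check: confirm the tunnel type and that split tunneling is off, so no
# client traffic bypasses the tunnel by mistake.
$vpn = Get-VpnConnection -Name $ConnectionName
if ($vpn.TunnelType -ne 'Ikev2' -or $vpn.SplitTunneling) {
    throw "VPN connection '$ConnectionName' is not an IKEv2 full-tunnel connection"
}
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, SplitTunneling

# Step 13: connect. With saved credentials, 'rasdial "<connection name>"'
# starts the tunnel; otherwise connect from Settings > Network & Internet > VPN.
# rasdial $ConnectionName
```

If a connection with the same name already exists on the device, the script removes it first so that the settings above are the ones in effect; the final Select-Object output lets you confirm that SplitTunneling is False before you connect.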

See Also

About Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Troubleshoot Mobile VPN with IKEv2