Configure Windows Devices for Mobile VPN with IKEv2

You can configure the native IKEv2 VPN client on Windows devices for a VPN connection to your Firebox. To add the VPN connection on your device, you can use the WatchGuard automatic configuration script or manually configure settings on the device.

To install the CA certificate, you must have Administrator permissions on your Windows device. The WatchGuard configuration script automatically requests Administrator permissions to install the required CA certificate for the new IKEv2 VPN connection.

Mobile IKEv2 clients do not inherit a domain suffix from the Firebox. To manually configure a domain suffix in Windows, see Configure DNS server and suffix settings in IKEv2 and L2TP VPN clients in the WatchGuard Knowledge Base.

Mobile VPN with IKEv2 is supported on Fireboxes with Fireware v12.1 and higher.

For information about which operating systems are compatible with each mobile VPN type, see the Operating System Compatibility list in the Fireware Release Notes. You can find the Release Notes for your version of Fireware OS on the Fireware Release Notes page of the WatchGuard website.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Automatically Configure VPN Settings

To configure a VPN connection with the WatchGuard automatic configuration script, you must download a compressed .TGZ file from your Firebox. This file contains instructions and configuration scripts for different operating systems. For information about how to download this file, see Configure Client Devices for Mobile VPN with IKEv2.

The automatic configuration script creates a new IKEv2 VPN connection. The script configures the connection to be default-route (full tunnel), which means all traffic is sent over the VPN connection. The configuration script also installs the required CA certificate for the VPN connection. For information about default-route and split tunnel VPN connections, see Internet Access Through a Mobile VPN with IKEv2 Tunnel.

To automatically add a new IKEv2 VPN connection in Windows:

  1. Download or copy the Windows_8.1_10 folder to your device. This folder contains the automatic configuration file and the required CA certificate.
  2. In the Windows_8.1_10 folder, double-click the .bat file.
  3. If a User Account Control dialog box opens, select Yes.
    Two PowerShell windows open; one closes automatically.
  4. If your account does not have Administrator permissions, specify the Administrator credentials when prompted. The Run as Administrator option is not supported.
  5. In the open PowerShell window, press any key to continue. The setup process completes.
  6. To find the new VPN connection, select Settings > Network & Internet > VPN.
  7. To connect to the VPN, click the VPN connection that you added and click Connect.

For computers with Windows 7, you must manually configure the VPN connection. The automatic configuration script is not supported. For more information, see Configure Windows 7 Devices for Mobile VPN with IKEv2 in the WatchGuard Knowledge Base.

Manually Configure VPN Settings

To manually add a new IKEv2 VPN connection in Windows 10:

  1. In the Windows_8.1_10 folder, right-click the rootca.crt file.
  2. Click Install Certificate.
    The Certificate Import Wizard appears.
  3. Select the Local Machine store location and click Next.
  4. If a User Account Control dialog box opens that asks whether to allow this app to make changes to your device, select Yes.
  5. Select Place all certificates in the following store.
  6. Click Browse.
  7. From the Select Certificate Store list, select Trusted Root Certification Authorities.
  8. Click OK > Next > Finish.
  9. If a Security Warning dialog box opens that asks whether to install the certificate, select Yes.
  10. Click the Start button and select Settings > Network & Internet > VPN.
  11. Click Add a VPN connection.
  12. Specify these settings:
  • VPN provider: Windows (built-in)
  • Connection name: [Descriptive name such as MyCompany IKEv2 VPN]
  • Server name or address: [Host name or IP address of your Firebox]
  • VPN Type: IKEv2
  • Type of sign-in info: User name and password
  • (Optional) To save your user name and password for later use, specify those credentials now. If the Mobile VPN with IKEv2 configuration on the Firebox includes more than one authentication server, and you want to authenticate to an authentication server that is not the default authentication server, specify the authentication server name before the user name. For example, specify RADIUS\jsmith. For more information about the user name format, see the User Name Format section.
  13. Click Save.

To manually add a new IKEv2 VPN connection in Windows 8.1:

  1. In the Windows_8.1_10 folder, right-click the rootca.crt file.
  2. Click Install Certificate.
    The Certificate Import Wizard appears.
  3. Select the Local Machine store location and click Next.
  4. If a User Account Control dialog box opens that asks whether to allow this app to make changes to your device, select Yes.
  5. Select Place all certificates in the following store.
  6. Click Browse.
  7. From the Select Certificate Store list, select Trusted Root Certification Authorities.
  8. Click OK > Next > Finish.
  9. If a Security Warning dialog box opens that asks whether to install the certificate, select Yes.
  10. Click the Start button and select PC Settings > Network > VPN.
  11. Click Add a VPN connection.
  12. Specify these settings:
  • VPN provider: Microsoft
  • Connection name: [Descriptive name such as MyCompany IKEv2 VPN]
  • Server name or address: [Host name or IP address of your Firebox]
  • (Optional) Type of sign-in info: User name and password
  • (Optional) To save your user name and password for later use, specify those credentials now. If the Mobile VPN with IKEv2 configuration on the Firebox includes more than one authentication server, and you want to authenticate to an authentication server that is not the default authentication server, specify the authentication server name before the user name. For example, specify RADIUS\jsmith. For more information about the user name format, see the User Name Format section.
  13. Click Save.
  14. To open the PC Settings page, click the Back button twice.
  15. Click Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.
  16. Right-click the VPN adapter that you added and click Properties.
  17. On the Security tab, from the Type of VPN list, select IKEv2.
  18. From the Data encryption drop-down list, select Require encryption.
  19. In the Authentication section, select Use Extensible Authentication Protocol (EAP).
  20. From the drop-down list, select the EAP-MSCHAP v2 option and click OK.
  21. In the Windows system tray, click the Internet Access icon.
  22. To connect to the VPN, click the VPN connection that you added and click Connect.

If you manually configure the client, we recommend that you configure a default-route (full tunnel) VPN. In Windows 10, you might need to change the IPv4 adapter properties for the IKEv2 VPN connection so that Use default gateway on remote network is selected. This is the default-route (full tunnel) option.
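The manual Windows 10 and Windows 8.1 procedures above, together with the default-route setting, can be carried out from an elevated PowerShell prompt in the Windows_8.1_10 folder. The script below is an added example and is not WatchGuard's configuration script or code from this page. The server name vpn.example.com, the DNS suffix example.com, the thumbprint placeholder and the IPsec transform values are assumptions: replace the thumbprint with the real value obtained from the Firebox administrator, and make the transforms match the Phase 1 and Phase 2 settings of the Mobile VPN with IKEv2 configuration on your Firebox.

```powershell
# Added example, not WatchGuard's configuration script: the manual Windows 10 / 8.1
# procedure as a PowerShell script, run from an elevated prompt inside the
# Windows_8.1_10 folder. Values marked "assumption" are not taken from the page.
#Requires -RunAsAdministrator

$ConnectionName     = 'MyCompany IKEv2 VPN'
$FireboxAddress     = 'vpn.example.com'   # assumption: your Firebox host name or IP
$DnsSuffix          = 'example.com'       # assumption: IKEv2 clients do not inherit a suffix from the Firebox
$RootCaPath         = (Resolve-Path '.\rootca.crt').Path
# Assumption: obtain the real SHA-1 thumbprint of rootca.crt from the Firebox
# administrator out of band. The all-zero placeholder makes the script refuse to run.
$ExpectedThumbprint = '0000000000000000000000000000000000000000'

# 1. Inspect the certificate before trusting it. Anything placed in
#    Cert:\LocalMachine\Root is trusted by every application on the device,
#    so check the thumbprint and confirm that it really is a self-signed root.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $RootCaPath
if ($ca.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "rootca.crt thumbprint $($ca.Thumbprint) does not match the expected value; refusing to install it."
}
if ($ca.Subject -ne $ca.Issuer) {
    throw "rootca.crt is not self-signed (subject '$($ca.Subject)', issuer '$($ca.Issuer)'); expected a root CA."
}

# 2. Import into Trusted Root Certification Authorities for Local Machine (steps 1-9).
if (-not (Test-Path "Cert:\LocalMachine\Root\$($ca.Thumbprint)")) {
    Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# 3. Create the connection (steps 10-13). -AuthenticationMethod Eap selects EAP-MSCHAP v2,
#    -EncryptionLevel Required is "Require encryption", and split tunneling off is the
#    default-route (full tunnel) setting, "Use default gateway on remote network".
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $FireboxAddress `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod Eap `
                  -EncryptionLevel Required `
                  -SplitTunneling:$false `
                  -DnsSuffix $DnsSuffix `
                  -RememberCredential

# 4. Pin the IPsec proposal. Windows' built-in IKEv2 defaults still offer DH group 2
#    and 3DES. These transforms are an assumption: they must match the Phase 1 and
#    Phase 2 settings on your Firebox or the tunnel will not negotiate.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
                                    -EncryptionMethod AES256 `
                                    -IntegrityCheckMethod SHA256 `
                                    -DHGroup Group14 `
                                    -CipherTransformConstants AES256 `
                                    -AuthenticationTransformConstants SHA256128 `
                                    -PfsGroup PFS2048 `
                                    -Force

# 5. Review the result, then connect. The user name follows the User Name Format
#    section: 'jsmith' for the default authentication server, 'RADIUS\jsmith' to
#    select the RADIUS server. The '*' makes rasdial prompt for the password so it
#    never appears on the command line or in shell history.
Get-VpnConnection -Name $ConnectionName |
    Format-List Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling, DnsSuffix
rasdial $ConnectionName 'RADIUS\jsmith' *
```

The thumbprint check in step 1 is the part worth keeping even if you use the WatchGuard automatic script instead: both paths install a CA certificate into the machine-wide trusted root store, and a CA that is trusted there can issue certificates for any name, so it should be verified against a value you did not receive over the same channel as the .TGZ file.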

User Name Format

The User name format depends on which authentication server the user authenticates to:

  • If the Firebox configuration includes multiple authentication servers, and you want to authenticate to an authentication server that is not the default authentication server, you must specify the authentication server in the User name text box.
  • If the Firebox configuration includes multiple authentication servers, and you want to authenticate to the default authentication server, you do not need to specify the authentication server in the User name text box.

For example, the User name must be formatted in one of these ways:

To use the default authentication server

Type the user name. Example: jsmith

To use another authentication server

Type the authentication server name or domain name, and then type a backslash (\) followed by the user name. Examples:

Firebox-DB —  Firebox-DB\jsmith

AuthPoint (Fireware v12.7 or higher) — authpoint\jsmith

RADIUS (Fireware v12.5 or higher) — rad1.example.com\jsmith or RADIUS\jsmith. You must type the domain name specified in the RADIUS settings on Firebox.

RADIUS (Fireware v12.4.1 or lower) — RADIUS\jsmith. You must always type RADIUS.

Screen shot of the Windows IKEv2 client settings

If your configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, you must specify RADIUS as the domain name.

See Also

About Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Troubleshoot Mobile VPN with IKEv2