Configure Windows Devices for Mobile VPN with IKEv2

You can configure the native IKEv2 VPN client on Windows devices for a VPN connection to your Firebox. To add the VPN connection on your device, you can use the WatchGuard automatic configuration script or manually configure settings on the device.

To install the CA certificate, you must have Administrator permissions on your Windows device. The WatchGuard configuration script automatically requests Administrator permissions to install the required CA certificate for the new IKEv2 VPN connection.

Mobile IKEv2 clients do not inherit a domain suffix from the Firebox. To manually configure a domain suffix in Windows, see Configure DNS server and suffix settings in IKEv2 and L2TP VPN clients in the WatchGuard Knowledge Base.

Mobile VPN with IKEv2 is supported on Fireboxes with Fireware v12.1 and higher.

For operating system support information, see the Operating System Compatibility Matrix in the Fireware Release Notes.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

Automatically Configure VPN Settings

To configure a VPN connection with the WatchGuard automatic configuration script, you must download a compressed .TGZ file from your Firebox. This file contains instructions and configuration scripts for different operating systems. For information about how to download this file, see Configure Client Devices for Mobile VPN with IKEv2.

The automatic configuration script creates a new IKEv2 VPN connection. The script configures the connection to be default-route (full tunnel), which means all traffic is sent over the VPN connection. The configuration script also installs the required CA certificate for the VPN connection. For information about default-route and split tunnel VPN connections, see Internet Access Through a Mobile VPN with IKEv2 Tunnel.

To automatically add a new IKEv2 VPN connection in Windows:

  1. Download or copy the Windows_8.1_10 folder to your device. This folder contains the automatic configuration file and the required CA certificate.
  2. In the Windows_8.1_10 folder, double-click the .bat file.
  3. If a User Account Control dialog box opens, select Yes.
    Two PowerShell windows open; one closes automatically.
  4. If your account does not have Administrator permissions, specify the Administrator credentials when prompted. The Run as Administrator option is not supported.
  5. In the open PowerShell window, press any key to continue. The setup process completes.
  6. To find the new VPN connection, select Settings > Network & Internet > VPN.
  7. To connect to the VPN, click the VPN connection that you added and click Connect.

For computers with Windows 7, you must manually configure the VPN connection. The automatic configuration script is not supported. For more information, see Configure Windows 7 Devices for Mobile VPN with IKEv2 in the WatchGuard Knowledge Base.

If your configuration includes a RADIUS server, and you upgrade from Fireware v12.4.1 or lower to Fireware v12.5 or higher, the Firebox automatically uses RADIUS as the domain name for that server. To authenticate to that server, you must specify RADIUS as the domain name.

Manually Configure VPN Settings

To manually add a new IKEv2 VPN connection in Windows 10:

  1. In the Windows_8.1_10 folder, right-click the rootca.crt file.
  2. Click Install Certificate.
    The Certificate Import Wizard appears.
  3. Select the Local Machine store location and click Next.
  4. If a User Account Control dialog box opens that asks whether to allow this app to make changes to your device, select Yes.
  5. Select Place all certificates in the following store.
  6. Click Browse.
  7. From the Select Certificate Store list, select Trusted Root Certificate Authorities.
  8. Click OK > Next > Finish.
  9. If a Security Warning dialog box opens that asks whether to install the certificate, select Yes.
  10. Click the Start button and select Settings > Network & Internet > VPN.
  11. Click Add a VPN connection.
  12. Specify these settings:
  • VPN provider: Windows (built-in)
  • Connection name: [Descriptive name such as MyCompany IKEv2 VPN]
  • Server name or address: [Host name or IP address of your Firebox]
  • VPN Type: IKEv2
  • Type of sign-in info: User name and password
  • (Optional) To save your username and password for later use, specify those credentials now.
  13. Click Save.

If you manually configure the client, we recommend that you configure a default-route (full tunnel) VPN. In Windows 10, you might need to change the IPv4 adapter properties for the IKEv2 VPN connection so that Use default gateway on remote network is selected. This is the default-route (full tunnel) option.

To manually add a new IKEv2 VPN connection in Windows 8.1:

  1. In the Windows_8.1_10 folder, right-click the rootca.crt file.
  2. Click Install Certificate.
    The Certificate Import Wizard appears.
  3. Select the Local Machine store location and click Next.
  4. If a User Account Control dialog box opens that asks whether to allow this app to make changes to your device, select Yes.
  5. Select Place all certificates in the following store.
  6. Click Browse.
  7. From the Select Certificate Store list, select Trusted Root Certificate Authorities.
  8. Click OK > Next > Finish.
  9. If a Security Warning dialog box opens that asks whether to install the certificate, select Yes.
  10. Click the Start button and select PC Settings > Network > VPN.
  11. Click Add a VPN connection.
  12. Specify these settings:
  • VPN provider: Microsoft
  • Connection name: [Descriptive name such as MyCompany IKEv2 VPN]
  • Server name or address: [Host name or IP address of your Firebox]
  • (Optional) Type of sign-in info: User name and password
  • (Optional) To save your username and password for later use, specify those credentials now.
  13. Click Save.
  14. To open the PC Settings page, click the Back button twice.
  15. Click Control Panel > Network and Internet > Network and Sharing Center > Change Adapter Settings.
  16. Right-click the VPN adapter that you added and click Properties.
  17. On the Security tab, from the Type of VPN list, select IKEv2 and click OK.
  18. From the Data encryption drop-down list, select Require encryption.
  19. From the Authentication section, select Use Extensible Authentication Protocol (EAP).
  20. From the drop-down list, select the EAP-MSCHAP v2 option and click OK.
  21. In the Windows system tray, click the Internet Access icon.
  22. To connect to the VPN, click the VPN connection that you added and click Connect.
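The two manual procedures above, carried out from an elevated PowerShell prompt on Windows 8.1 or 10, as an added example that is not WatchGuard's configuration script: it inspects and installs rootca.crt into the Local Machine Trusted Root store, creates the IKEv2 connection with EAP, Require encryption and default-route (full tunnel), and then reads the settings back. The certificate path, connection name and server address are assumptions to replace with your own values.

```powershell
# Added example, not the WatchGuard script. Run as Administrator.
$CertPath       = 'C:\Downloads\Windows_8.1_10\rootca.crt'  # assumed location of the extracted .TGZ folder
$ConnectionName = 'MyCompany IKEv2 VPN'                      # assumed name
$ServerAddress  = 'vpn.example.com'                          # placeholder: host name or IP of your Firebox

# Anything placed in Cert:\LocalMachine\Root is trusted by every user and
# application on the device, so look at the certificate before importing it and
# confirm the subject and thumbprint match what your administrator published.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject:    $($ca.Subject)"
"Issuer:     $($ca.Issuer)"
"Thumbprint: $($ca.Thumbprint)"
"Expires:    $($ca.NotAfter)"
$basicConstraints = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if (-not $basicConstraints -or -not $basicConstraints.CertificateAuthority) {
    throw 'rootca.crt is not marked as a CA certificate; do not install it as a trusted root.'
}

# Step 1-9 of the manual procedure: install into Trusted Root Certificate Authorities (Local Machine).
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Steps 10-22: create the connection for all users of the device. Split tunneling is
# off by default, which is the "Use default gateway on remote network" (full tunnel)
# setting the page recommends. With -AuthenticationMethod Eap and no EAP XML supplied,
# the built-in client uses its default EAP method; the check below lets you confirm it
# is EAP-MSCHAP v2 (EAP type 26) as the GUI steps require.
if (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential -AllUserConnection

# Read the settings back rather than trusting that the cmdlet did what we meant.
$vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
$vpn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
if ($vpn.SplitTunneling) {
    Write-Warning 'Split tunneling is enabled; the page recommends a default-route (full tunnel) connection.'
}
if ($vpn.EncryptionLevel -ne 'Required') {
    Write-Warning "Data encryption is '$($vpn.EncryptionLevel)', not 'Required'."
}
if ($vpn.EapConfigXmlStream -and ($vpn.EapConfigXmlStream.OuterXml -notmatch 'Type>26<')) {
    Write-Warning 'EAP method is not EAP-MSCHAP v2 (type 26); check the Security tab of the adapter.'
}
```

To connect afterwards, use the VPN entry under Settings > Network & Internet > VPN as in step 7 of the automatic procedure, or run `rasdial` with the connection name.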

See Also

About Mobile VPN with IKEv2

Configure Client Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Troubleshoot Mobile VPN with IKEv2