Internet Access Through a Mobile VPN with IKEv2 Tunnel
For Mobile VPN with IKEv2, we support default-route VPN only. Split tunnel VPN is not supported.
Default-route VPN is the most secure option because all remote user Internet traffic is routed through the VPN tunnel to the Firebox, which then sends it back out to the Internet. With this configuration the Firebox can inspect and apply policy to all of the remote user's traffic, rather than only traffic destined for the protected network, although it uses more Firebox processing power and bandwidth.
Default-Route VPN Setup for Mobile VPN with IKEv2
In Windows and macOS, the default setting for an IKEv2 connection is default-route. You cannot disable this setting on mobile operating systems.
Your Firebox must be configured with dynamic NAT so that traffic from the IKEv2 address pool is translated to the external interface address when it is sent out to the Internet. Any policy that manages traffic going out to the Internet from behind the Firebox must also be configured to allow the IKEv2 user traffic.
When you configure your default-route VPN:
- Make sure that the IP addresses you added to the IKEv2 address pool are included in the dynamic NAT configuration on the Firebox. Without this, remote users who send all traffic to the Firebox cannot browse the Internet, because their pool addresses are not translated on the way out.
From Policy Manager, select Network > NAT.
- Edit your policy configuration to allow connections from the IKEv2-Users group through the external interface.
For example, if you use WebBlocker to control web access, add the IKEv2-Users group to the proxy policy that has WebBlocker enabled.
Disable Split Tunneling in Windows
If you enabled split tunneling in Windows, use one of these procedures to disable it. All three change the same setting: the VPN adapter's IPv4 option Use default gateway on remote network, which Windows exposes in PowerShell as the SplitTunneling property of the VPN connection.

In Windows 8.1 or Windows 10:
- Search for the Network and Sharing Center.
- Click Change Adapter Settings.
- Right-click the VPN connection name and click Properties.
The VPN Connection Properties dialog box appears.
- Select the Networking tab.
- Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
- On the General tab, click Advanced.
The Advanced TCP/IP Settings dialog box appears.
- On the IP Settings tab, select the Use default gateway on remote network check box.

With Windows PowerShell:
- In the Windows search bar, type powershell.
- In the search results, select Windows PowerShell.
The PowerShell command interface window appears.
- To see the list of VPNs, type this command: Get-VpnConnection
The configuration of all available Windows VPN connections appears in the PowerShell window, including the SplitTunneling property of each.
- Identify the name of the mobile VPN connection you want to change, for example My Mobile VPN.
- To disable split tunneling for this VPN connection, type: Set-VpnConnection -Name "My Mobile VPN" -SplitTunneling $false
- To exit PowerShell, type exit.

From Control Panel:
- Select Control Panel > Network and Internet > Connect to a network.
- Right-click the VPN connection and select Properties.
The VPN properties dialog box appears.
- Select the Networking tab.
- Select Internet Protocol Version 4 (TCP/IPv4) in the list and click Properties.
- Click Advanced.
The Advanced TCP/IP Settings dialog box appears.
- On the IP Settings tab, select the Use default gateway on remote network check box.
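The PowerShell procedure above, as an added example that is not part of the WatchGuard page: a script that looks up the connection by name (My Mobile VPN is a placeholder, as on the page), reports its current SplitTunneling state, disables split tunneling only if it is enabled, re-reads the connection to confirm the change, and, if the tunnel is currently up, lists the IPv4 default routes so you can see that the VPN interface holds 0.0.0.0/0 with the lowest metric. It checks both per-user and machine-wide (-AllUserConnection) connections, and it assumes the setting takes effect on the next connection attempt, so disconnect and reconnect after running it.

```powershell
# Added example, not from the WatchGuard page. Enforce default-route (no split tunnel)
# on a Windows IKEv2 VPN connection and verify the result.
# "My Mobile VPN" is a placeholder; use the name that Get-VpnConnection lists.
param(
    [string]$Name = "My Mobile VPN"
)

# VPN connections can be per-user or machine-wide (-AllUserConnection); look in both places.
$allUser = $false
$vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
if (-not $vpn) {
    $vpn = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue
    $allUser = $true
}
if (-not $vpn) {
    throw "No VPN connection named '$Name'. Run Get-VpnConnection to list them."
}

"{0}: TunnelType={1} SplitTunneling={2} Status={3}" -f $vpn.Name, $vpn.TunnelType, $vpn.SplitTunneling, $vpn.ConnectionStatus

if ($vpn.SplitTunneling) {
    # -SplitTunneling $false is the same as selecting "Use default gateway on remote network"
    # in the adapter's Advanced TCP/IP Settings.
    if ($allUser) {
        Set-VpnConnection -Name $Name -SplitTunneling $false -AllUserConnection
    } else {
        Set-VpnConnection -Name $Name -SplitTunneling $false
    }
}

# Re-read the connection instead of trusting the object captured before the change.
$vpn = if ($allUser) { Get-VpnConnection -Name $Name -AllUserConnection } else { Get-VpnConnection -Name $Name }
if ($vpn.SplitTunneling) {
    throw "Split tunneling is still enabled on '$Name'."
}
"Split tunneling is disabled on '$Name'."

# If the tunnel is up, the VPN interface should own the 0.0.0.0/0 route with the lowest metric.
# The change applies to the next connection, so reconnect before relying on this check.
if ($vpn.ConnectionStatus -eq 'Connected') {
    Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
        Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell window if the connection was created for all users, since Set-VpnConnection -AllUserConnection modifies the machine-wide phonebook. If the route listing shows the physical adapter rather than the VPN interface with the lowest combined metric while connected, the client still has a direct path to the Internet and the Firebox is not seeing all of its traffic.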