Use the WatchGuard IKEv2 Setup Wizard

The WatchGuard IKEv2 Setup Wizard helps you activate and configure Mobile VPN with IKEv2 on the Firebox. The setup wizard is available only when Mobile VPN with IKEv2 is not activated. The wizard prompts you to configure four settings:

  • Firebox domain name or IP address for client connections
  • Authentication server
  • Users and groups
  • Virtual IP address pool

Settings not included in the wizard are set to their default values. After you complete the wizard, you can edit the Mobile VPN with IKEv2 configuration to change settings you specified in the wizard and other settings.

Before You Begin

Authentication Server

You must configure an authentication server for IKEv2 user authentication before you enable Mobile VPN with IKEv2. When you configure Mobile VPN with IKEv2, you select an authentication server and specify users and groups. If your users authenticate to network resources with Active Directory, we recommend that you configure RADIUS authentication so the IKEv2 VPN can pass through Active Directory credentials.

For more information about supported user authentication methods for IKEv2, go to About Mobile VPN with IKEv2 User Authentication.

Dynamic IP Address

If your Firebox has a dynamic IP address, you can specify a domain name for client connections instead of an IP address. To connect to the mobile VPN, users specify the domain name in the mobile VPN client settings. Make sure to register the external IP address of your Firebox with a dynamic DNS service provider. Optionally, you can enable dynamic DNS on the Firebox to automatically send IP address updates to a dynamic DNS service provider that the Firebox supports. For more information about dynamic DNS, go to About the Dynamic DNS Service.

Network Access Enforcement

To limit mobile VPN connections to devices that follow corporate policy, you can use network access enforcement. Before you enable network access enforcement for groups specified in the Mobile VPN with IKEv2 configuration, enable and configure network access enforcement at Subscription Services > Network Access Enforcement (Fireware v12.9 or higher). For more information, go to Network Access Enforcement Overview.

In Fireware v12.5.4 to v12.8.x, this feature was called TDR Host Sensor Enforcement. TDR is now end of life and cannot be used for network access enforcement. In the user interface, this feature is no longer functional but is required by the configuration schema. To enable network access enforcement, we recommend that you upgrade to EDR Core. For more information, go to this Knowledge Base article: Host Sensor Upgrade to Endpoint Security.

Default Settings

IPSec

When you activate Mobile VPN with IKEv2, IPSec is enabled by default with these IPSec settings:

Phase 1 transforms:

  • SHA2-256, AES(256), and Diffie-Hellman Group 14
  • SHA-1, AES(256), and Diffie-Hellman Group 5
  • SHA-1, AES(256), and Diffie-Hellman Group 2
  • SHA-1, 3DES, and Diffie-Hellman Group 2

The SA life is 24 hours for all transforms.

Phase 2 proposals:

  • ESP-AES-SHA1
  • ESP-AES256-SHA256

PFS is disabled.

Fireware v12.2 or higher supports AES-GCM for Phase 1 transforms and Phase 2 proposals.

If your IKEv2 clients require different settings, you can edit these settings after you run the wizard.

IP Address Pool

By default, the Mobile VPN with IKEv2 address pool is 192.168.114.0/24.

We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.

For more information about virtual IP address pools, go to Virtual IP Addresses and Mobile VPNs.

User Group and Enforcement

When you enable Mobile VPN with IKEv2, the Firebox automatically creates a user group named IKEv2-Users. You can add other users and groups in the IKEv2 configuration. The Firebox automatically includes those users and groups in the IKEv2-Users group.

For information about user authentication and multi-factor authentication, go to About Mobile VPN with IKEv2 User Authentication.

By default, network access enforcement is not enabled for groups specified in the Mobile VPN with IKEv2 configuration.

Policies

When you activate Mobile VPN with IKEv2, the Firebox automatically creates two policies: Allow-IKE-to-Firebox, which is a hidden policy, and Allow IKEv2-Users.

The Allow IKEv2-Users policy allows the groups and users you configured for IKEv2 authentication to get access to resources on your network. By default, the To list in the policy includes only the alias Any, which means this policy allows Mobile VPN with IKEv2 users to access to all network resources.

We recommend that you limit which network resources that Mobile VPN with IKEv2 users can access through the VPN. To do this, you can replace the Allow IKEv2-Users policy. For instructions that explain how to replace the Allow IKEv2-Users policy, and for more information about IKEv2 policies, go to About IKEv2 Policies.

Other Settings

After you complete the wizard, you can configure additional Mobile VPN with IKEv2 settings that do not appear in the wizard. For information about other settings, go to Edit the Mobile VPN with IKEv2 Configuration.

Use the IKEv2 Setup Wizard

To configure other settings, edit the Mobile VPN with IKEv2 configuration.

Related Topics

Mobile VPN with IKEv2

Edit the Mobile VPN with IKEv2 Configuration

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Configure Client Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Troubleshoot Mobile VPN with IKEv2