WatchGuard IKEv2 Mobile VPN

Providing remote access is one of the core functions of a firewall.  With more employees working from home or on the road, we need a way to provide that access efficiently, but efficiency can come at the expense of security if we are not careful.  Because we are letting someone outside the network reach internal resources, the connection itself must be secured as well as we can manage, and the security properties of the VPN type we choose matter.

Over the last several firmware revisions, WatchGuard has been updating the security options for its mobile VPNs.  Fireware 12.0 removed the PPTP VPN because of its well-known weaknesses.  WatchGuard now provides the following mobile VPN options:

  • IPSec
  • SSL
  • L2TP with IPSec enabled
  • IKEv2

In the past the recommendation was to use either IPSec or SSL.  The IKEv2 option now provides stronger security than either of those, and JSCM Group recommends that mobile VPNs be changed to IKEv2.

 

Security Options

The IKEv2 VPN offers the highest level of security of the mobile VPNs available on the WatchGuard firewall.  Authentication is layered: the Firebox proves its identity to the client with a certificate (signed by the CA certificate that the client profile installs) rather than a pre-shared key, so a client cannot be tricked into handing its credentials to a rogue gateway, and the user then authenticates inside the encrypted IKE exchange with a username and password (EAP-MSCHAPv2).  Because there is no shared secret that has to be copied to every device, a leaked configuration bundle does not compromise the tunnel the way a leaked pre-shared key would.

 

Connection Setup

The IKEv2 mobile VPN lets end users connect with the native IKEv2 clients built into iOS, macOS and Windows; no WatchGuard client software is required.  Android devices connect with the third-party strongSwan application.

Additionally, configuration files can be downloaded from the Firebox that automatically create the IKEv2 profile on iOS, macOS and Windows.  The bundle also installs the CA certificate the client uses to verify the Firebox, which makes user setup very simple.

 

Tunnel Setup

With the IKEv2 mobile VPN, all of the end user’s traffic is sent over the VPN connection, including Internet-bound traffic.  This is known as a “default route” (full tunnel) configuration, and it is the most secure way to handle remote connection traffic: every packet from the remote device is subject to the firewall’s policies and inspection, and nothing can bypass them through the user’s local network.  It also means the remote user’s Internet traffic egresses through the Firebox, so plan your policies and bandwidth accordingly.  For more information on this connection type, please see our post on Default Route vs. Split Tunnel VPN traffic.

 

Authentication

The IKEv2 mobile VPN supports authentication through local Firebox-DB accounts and RADIUS.  Active Directory authentication is supported through a RADIUS server (such as Windows Network Policy Server) that is joined to the domain.

 

Configure the IKEv2 VPN

1. In Policy Manager, navigate to VPN > Mobile VPN > IKEv2 > Activate.  This opens the activation wizard for the VPN.

2. You will be asked to specify the Firebox domain name or IP address that clients will connect to.  Enter the external IP address or DNS name of the firewall that you want to use for the connection.  This value is what the client profiles will be built around, so if you change it later you will need to regenerate and redistribute the client profiles.

3. Select the authentication method you would like to use.  Note that you can use Active Directory through RADIUS.

4. Next select the authentication group you would like to specify for the IKEv2 VPN connection.  Users must be a member of the group listed here in order to connect, so keep this group limited to the accounts that actually need remote access.

5. The next step is to specify the virtual IP address pool that you want to use.  Much like the SSL VPN, the IKEv2 VPN creates its own IP pool.  This VPN uses 192.168.114.0/24 by default.  If you would like to change it, remove the default entry and add a new one.  Make sure not to use a subnet already in use on your firewall, or one that remote users are likely to have on their home networks, to avoid IP conflicts and routing problems.

6. Click Finish to complete the wizard.

7. Save the policy to your firewall.

Deploying the IKEv2 VPN

1. Now that the VPN is configured, it can be deployed.  To start this process, navigate to VPN > Mobile VPN > IKEv2 > Client Instructions in Policy Manager.

2. Specify the name you want to use for the profile, and click Download.

3. This file will need to be shared with anyone wishing to connect to the IKEv2 VPN.  Because the bundle contains the CA certificate that each client will trust for the gateway, and the address the client will connect to, distribute it through a channel you trust (for example an internal file share or a signed email) rather than a public link, and tell users not to install profiles received any other way.

 

Installing the IKEv2 VPN - Windows

1. Extract the exported .tgz file to an easy-to-find location.  Windows 10 and later include tar.exe, so the archive can be extracted from a command prompt if no archive tool is installed.

2. Once the file is extracted, open the folder and navigate to the Windows_8.1_10 folder.  Double-click the Windows Batch File.

3. During the installation, you may see two command prompt windows open.  The VPN is installed when the first window states “Installed the IKEv2 VPN CA certificate.”  Once this is shown, the command prompt windows can be closed if they do not close automatically.

 

Connecting to the IKEv2 VPN - Windows

1. Navigate to Settings > Network and Internet > VPN.

2. Look for the VPN profile that was added by the batch file.

3. Click Connect, and enter your VPN credentials.
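The batch file in the Windows_8.1_10 folder performs this setup for you, but it is useful to see what an equivalent profile looks like with the native Windows VPN cmdlets, both to audit what gets installed and to verify the default-route and gateway-certificate behaviour described in the Security Options and Tunnel Setup sections once the tunnel is up.  The following is an added example written for this post; it is not WatchGuard’s script and not code from the original article.  The profile name, gateway name, CA certificate filename and username are assumptions, and the cipher and group values must match a proposal configured on the Firebox under Mobile VPN > IKEv2.

```powershell
# Added example (not WatchGuard's batch script): create and verify an IKEv2
# profile with the native Windows VPN cmdlets. Run in an elevated PowerShell
# session on Windows 10 or later. Every name below is an assumption.

$ConnectionName = 'Corp-IKEv2'                             # assumption: profile name from Client Instructions
$Gateway        = 'vpn.example.com'                        # assumption: Firebox name/IP entered in wizard step 2
$CaCertPath     = "$env:USERPROFILE\Downloads\rootca.crt"  # assumption: CA certificate taken from the .tgz bundle
$VpnUser        = 'jsmith'                                 # assumption: Firebox-DB or RADIUS user in the VPN group

# 1. Trust the Firebox CA so the client can validate the gateway certificate.
#    This is the root of trust for the tunnel: only install a CA that arrived
#    through a trusted channel, because whoever controls it can impersonate
#    the gateway and collect user credentials.
Import-Certificate -FilePath $CaCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 2. Create a machine-wide IKEv2 profile. EAP carries the username/password
#    (assumed: Windows uses EAP-MSCHAPv2 when no EAP XML is supplied); the
#    gateway side is authenticated by its certificate, not a pre-shared key.
#    SplitTunneling is left at its default of $false, which is the
#    "default route" behaviour the post recommends.
Add-VpnConnection -Name $ConnectionName -ServerAddress $Gateway `
    -TunnelType Ikev2 -AuthenticationMethod Eap -EncryptionLevel Required `
    -AllUserConnection -Force

# 3. Pin the IKE/ESP proposal. Older Windows 10 builds default to
#    3DES/SHA-1/DH group 2 for IKEv2; replace that with AES-256, SHA-256 and
#    2048-bit groups. These must match a proposal the Firebox offers under
#    Mobile VPN > IKEv2 (Phase 1 / Phase 2) or the negotiation will fail.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# 4. Connect. The trailing '*' makes rasdial prompt for the password instead
#    of taking it on the command line or storing it.
rasdial $ConnectionName $VpnUser *

# 5. Verify the profile state rather than trusting the installer: the tunnel
#    is up and split tunneling is off (full tunnel).
function Test-IkeV2Profile {
    param([string]$Name)
    $conn = Get-VpnConnection -Name $Name -AllUserConnection
    [pscustomobject]@{
        Name       = $conn.Name
        Status     = $conn.ConnectionStatus
        TunnelType = $conn.TunnelType
        FullTunnel = -not $conn.SplitTunneling
    }
}
Test-IkeV2Profile -Name $ConnectionName

# 6. Check what was actually negotiated with the Firebox: the active IKE SA
#    shows the cipher, hash and DH group in use, which is where a silent
#    downgrade to a weak proposal would show up.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId |
    Format-Table -AutoSize
```

The main mode SA listing is the check worth keeping for later audits: if a Firebox proposal is weakened, or a Windows update resets the client defaults, the negotiated algorithms change even though the profile in Settings looks identical.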


 

Installing the IKEv2 VPN - Mac

1. Extract the exported .tgz file to an easy-to-find location.

2. Once the file is extracted, open the folder and navigate to the MacOS_iOS folder.  Double-click the .mobileconfig file to open and install it.

3. If prompted, click Continue to install the VPN.

4. Enter the credentials to use with the VPN and click Install.

5. If prompted, accept the installation.  You may be prompted to enter your device’s admin credentials to complete the setup, because the profile installs a CA certificate in addition to the VPN configuration.

 

Connecting to the IKEv2 VPN - Mac

1. Navigate to System Preferences > Network.

2. Look for the VPN profile that was added for IKEv2 and click Connect.

NOTE: To make VPN connections easier, in System Preferences > Network select the option Show VPN status in menu bar.  This lets you connect from an icon on the menu bar.

 

Installing the IKEv2 VPN - iOS

NOTE: Ensure that the .mobileconfig file has been shared with the iOS device before starting these steps.  This file is found in the extracted .tgz file under the MacOS_iOS folder.  Most mobile devices have trouble extracting archives locally, so extract it on a computer and send only the .mobileconfig file to the device.  On recent iOS versions a downloaded profile is not installed automatically; open Settings and tap Profile Downloaded to reach the installation screen.

1. Tap Install to install the VPN profile.

2. Tap through the certificate and profile installation.  The certificate being installed is the CA that the device will trust for the Firebox, so only install a profile that came from your IT team.

3. Enter the username and password for the VPN.

4. Tap Done to complete the setup.

 

Connecting to the IKEv2 VPN - iOS

1. Navigate to Settings.

2. If this is the only VPN configured on the iPhone, tap the VPN toggle to connect.

3. If there are multiple VPNs configured on the iPhone, select VPN, then select the profile.  Tap Connect to join the VPN.

 

Installing the IKEv2 VPN - Android

NOTE: In order to use the IKEv2 VPN on an Android device, you must have the strongSwan app installed.

NOTE: Ensure that the .sswan file has been shared with the Android device before starting these steps.  This file is found in the extracted .tgz file under the Android folder.  Most mobile devices have trouble extracting archives locally, so extract it on a computer and send only the .sswan file to the device.

1. Open the strongSwan app on the Android device.

2. Select the icon next to Add VPN Profile and select Import VPN profile.

3. Import the .sswan file for the VPN.

4. Enter the username and password for the VPN, and select Import.

 

Connecting to the IKEv2 VPN - Android

1. Open the strongSwan application.

2. Select the imported profile to begin the connection.