Use the WatchGuard IKEv2 Setup Wizard (2024)

The WatchGuard IKEv2 Setup Wizard helps you activate and configure Mobile VPN with IKEv2 on the Firebox. The setup wizard is available only when Mobile VPN with IKEv2 is not activated. The wizard prompts you to configure four settings:

  • Firebox domain name or IP address for client connections
  • Authentication server
  • Users and groups
  • Virtual IP address pool

Settings not included in the wizard are set to their default values. After you complete the wizard, you can edit the Mobile VPN with IKEv2 configuration to change settings you specified in the wizard and other settings.

Before You Begin

Authentication Server

You must configure an authentication server for IKEv2 user authentication before you enable Mobile VPN with IKEv2. When you configure Mobile VPN with IKEv2, you select an authentication server and specify users and groups. If your users authenticate to network resources with Active Directory, we recommend that you configure RADIUS authentication so the IKEv2 VPN can pass through Active Directory credentials.

For more information about supported user authentication methods for IKEv2, go to About Mobile VPN with IKEv2 User Authentication.

Dynamic IP Address

If your Firebox has a dynamic IP address, you can specify a domain name for client connections instead of an IP address. To connect to the mobile VPN, users specify the domain name in the mobile VPN client settings. Make sure to register the external IP address of your Firebox with a dynamic DNS service provider. Optionally, you can enable dynamic DNS on the Firebox to automatically send IP address updates to a dynamic DNS service provider that the Firebox supports. For more information about dynamic DNS, go to About the Dynamic DNS Service.

Network Access Enforcement

To limit mobile VPN connections to devices that follow corporate policy, you can use network access enforcement. Before you enable network access enforcement for groups specified in the Mobile VPN with IKEv2 configuration, enable and configure network access enforcement at Subscription Services > Network Access Enforcement (Fireware v12.9 or higher). For more information, go to Network Access Enforcement Overview.

In Fireware v12.5.4 to v12.8.x, this feature was called TDR Host Sensor Enforcement. TDR is now end of life and cannot be used for network access enforcement. In the user interface, this feature is no longer functional but is required by the configuration schema. To enable network access enforcement, we recommend that you upgrade to EDR Core. For more information, go to this Knowledge Base article: Host Sensor Upgrade to Endpoint Security.

Default Settings

IPSec

When you activate Mobile VPN with IKEv2, IPSec is enabled by default with these IPSec settings:

Phase 1 transforms:

  • SHA2-256, AES(256), and Diffie-Hellman Group 14
  • SHA-1, AES(256), and Diffie-Hellman Group 5
  • SHA-1, AES(256), and Diffie-Hellman Group 2
  • SHA-1, 3DES, and Diffie-Hellman Group 2

The SA life is 24 hours for all transforms.

Phase 2 proposals:

  • ESP-AES-SHA1
  • ESP-AES256-SHA256

PFS is disabled.

Fireware v12.2 or higher supports AES-GCM for Phase 1 transforms and Phase 2 proposals.

If your IKEv2 clients require different settings, you can edit these settings after you run the wizard.
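The default proposal list above still includes SHA-1, 3DES and Diffie-Hellman Groups 2 and 5, which many client hardening baselines no longer accept. The following added example (not WatchGuard code; the Firebox does not export proposals in this text form) parses the Phase 1 transforms and Phase 2 proposals exactly as this page lists them and reports which entries fall below an assumed minimum policy (no SHA-1 or 3DES, DH Group 14 or higher, PFS on). The thresholds are the example's assumptions, not a WatchGuard recommendation.

```python
import re

# Default Mobile VPN with IKEv2 proposals, transcribed from this page
# (constructed strings that mirror the page's wording).
DEFAULT_PHASE1 = [
    "SHA2-256, AES(256), and Diffie-Hellman Group 14",
    "SHA-1, AES(256), and Diffie-Hellman Group 5",
    "SHA-1, AES(256), and Diffie-Hellman Group 2",
    "SHA-1, 3DES, and Diffie-Hellman Group 2",
]
DEFAULT_PHASE2 = ["ESP-AES-SHA1", "ESP-AES256-SHA256"]

# Assumed minimum policy for this example.
MIN_DH_GROUP = 14                      # Group 14 = 2048-bit MODP
WEAK_HASHES = {"SHA-1", "SHA1", "MD5"}  # deprecated integrity algorithms
WEAK_CIPHERS = {"3DES", "DES"}          # legacy 64-bit block ciphers

_PHASE1_RE = re.compile(r"(\S+), (\S+?)(?:\((\d+)\))?, and Diffie-Hellman Group (\d+)")


def parse_phase1(transform):
    """Split 'HASH, CIPHER(BITS), and Diffie-Hellman Group N' into its parts."""
    m = _PHASE1_RE.fullmatch(transform)
    if not m:
        raise ValueError(f"unrecognised Phase 1 transform: {transform!r}")
    hash_alg, cipher, bits, group = m.groups()
    return {
        "hash": hash_alg,
        "cipher": cipher,
        "bits": int(bits) if bits else None,
        "dh_group": int(group),
    }


def audit_phase1(transforms):
    """Return {transform: [issues]} for every Phase 1 transform below policy."""
    findings = {}
    for t in transforms:
        p = parse_phase1(t)
        issues = []
        if p["hash"].upper() in WEAK_HASHES:
            issues.append(f"integrity {p['hash']} is deprecated")
        if p["cipher"].upper() in WEAK_CIPHERS:
            issues.append(f"cipher {p['cipher']} is a legacy 64-bit block cipher")
        if p["dh_group"] < MIN_DH_GROUP:
            issues.append(f"DH Group {p['dh_group']} is below Group {MIN_DH_GROUP}")
        if issues:
            findings[t] = issues
    return findings


def audit_phase2(proposals, pfs_enabled=False):
    """Return {proposal: [issues]} for Phase 2 proposals of the form ESP-CIPHER-HASH.

    A 'PFS' key is added when perfect forward secrecy is off, because Phase 2
    keys are then derived only from the Phase 1 shared secret.
    """
    findings = {}
    for prop in proposals:
        parts = prop.split("-")
        if len(parts) != 3 or parts[0] != "ESP":
            raise ValueError(f"unrecognised Phase 2 proposal: {prop!r}")
        _, cipher, hash_alg = parts
        issues = []
        if hash_alg.upper() in WEAK_HASHES:
            issues.append(f"integrity {hash_alg} is deprecated")
        if cipher.upper() in WEAK_CIPHERS:
            issues.append(f"cipher {cipher} is a legacy 64-bit block cipher")
        if issues:
            findings[prop] = issues
    if not pfs_enabled:
        findings["PFS"] = ["perfect forward secrecy is disabled"]
    return findings


if __name__ == "__main__":
    for name, issues in audit_phase1(DEFAULT_PHASE1).items():
        print(f"Phase 1 {name}: {'; '.join(issues)}")
    for name, issues in audit_phase2(DEFAULT_PHASE2, pfs_enabled=False).items():
        print(f"Phase 2 {name}: {'; '.join(issues)}")
```

Run against the defaults, only the first Phase 1 transform and the ESP-AES256-SHA256 proposal pass; the rest are the entries to remove or reorder after you run the wizard if your clients support the stronger options.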

IP Address Pool

By default, the Mobile VPN with IKEv2 address pool is 192.168.114.0/24.

We recommend that you do not use the private network ranges 192.168.0.0/24 or 192.168.1.0/24 on your corporate or guest networks. These ranges are commonly used on home networks. If a mobile VPN user has a home network range that overlaps with your corporate network range, traffic from the user does not go through the VPN tunnel. To resolve this issue, we recommend that you Migrate to a New Local Network Range.

For more information about virtual IP address pools, go to Virtual IP Addresses and Mobile VPNs.
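The overlap problem described above is easy to check before you commit a pool. This added example (not WatchGuard code) uses the Python standard library to test a proposed virtual IP pool and your corporate networks against each other and against the two home ranges this page warns about. The corporate network list in the usage call is constructed sample input.

```python
import ipaddress

# Home-router default ranges this page warns about.
COMMON_HOME_RANGES = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
]


def find_overlaps(vpn_pool, corporate_networks, home_ranges=COMMON_HOME_RANGES):
    """Return a list of (network_a, network_b, reason) tuples for every conflict.

    Three checks are made:
      * the VPN pool must not overlap any corporate network the clients will reach
      * corporate networks should not overlap common home ranges, because a
        client's local route for its home LAN keeps that traffic out of the tunnel
      * the VPN pool itself should not overlap common home ranges
    """
    pool = ipaddress.ip_network(vpn_pool, strict=False)
    nets = [ipaddress.ip_network(n, strict=False) for n in corporate_networks]
    conflicts = []
    for n in nets:
        if pool.overlaps(n):
            conflicts.append((str(pool), str(n), "VPN pool overlaps a corporate network"))
    for n in nets:
        for h in home_ranges:
            if n.overlaps(h):
                conflicts.append((str(n), str(h), "corporate network overlaps a common home range"))
    for h in home_ranges:
        if pool.overlaps(h):
            conflicts.append((str(pool), str(h), "VPN pool overlaps a common home range"))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: the wizard default pool plus two internal networks,
    # one of which is the home-router default 192.168.1.0/24.
    for a, b, why in find_overlaps("192.168.114.0/24", ["10.0.10.0/24", "192.168.1.0/24"]):
        print(f"{a} vs {b}: {why}")
```

The third check is useful when you change the default 192.168.114.0/24 pool: a pool in 192.168.0.0/24 or 192.168.1.0/24 creates the same routing ambiguity on the client as an overlapping corporate network does.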

User Group and Enforcement

When you enable Mobile VPN with IKEv2, the Firebox automatically creates a user group named IKEv2-Users. You can add other users and groups in the IKEv2 configuration. The Firebox automatically includes those users and groups in the IKEv2-Users group.

For information about user authentication and multi-factor authentication, go to About Mobile VPN with IKEv2 User Authentication.

By default, network access enforcement is not enabled for groups specified in the Mobile VPN with IKEv2 configuration.

Policies

When you activate Mobile VPN with IKEv2, the Firebox automatically creates two policies: Allow-IKE-to-Firebox, which is a hidden policy, and Allow IKEv2-Users.

The Allow IKEv2-Users policy allows the groups and users you configured for IKEv2 authentication to get access to resources on your network. By default, the To list in the policy includes only the alias Any, which means this policy allows Mobile VPN with IKEv2 users to access all network resources.

We recommend that you limit which network resources Mobile VPN with IKEv2 users can access through the VPN. To do this, you can replace the Allow IKEv2-Users policy. For instructions that explain how to replace the Allow IKEv2-Users policy, and for more information about IKEv2 policies, go to About IKEv2 Policies.

Other Settings

After you complete the wizard, you can configure additional Mobile VPN with IKEv2 settings that do not appear in the wizard. For information about other settings, go to Edit the Mobile VPN with IKEv2 Configuration.

Use the IKEv2 Setup Wizard

To use the IKEv2 Setup Wizard, from Fireware Web UI:

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN.
  2. In the IKEv2 section, select Launch Wizard.
    The Welcome to the WatchGuard Mobile VPN with IKEv2 Setup Wizard page opens.
  3. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN with IKEv2.
    The Mobile VPN with IKEv2 page opens.
  4. Click Next.
    The Specify the Server Addresses for Client Connections page opens.
  5. Type the domain name or IP address for client connections. If your Firebox is behind a NAT device, you must specify the public IP address or domain name of the NAT device.
  6. Click Add.
  7. Click Next.
    The Select the User Authentication Servers page opens.
  8. From the drop-down list, select a server for Mobile VPN with IKEv2 users:
    • Firebox-DB
    • RADIUS
    • AuthPoint (Fireware v12.7 or higher)
  9. Click Add.
  10. Repeat Steps 8–9 to add other authentication servers. The first server in the list is the default authentication server.
  11. Click Next.
    The Add Users and Groups page opens.
  12. Select or add the users or groups for Mobile VPN with IKEv2.
  13. (Optional) To apply enforcement settings to Mobile VPN with IKEv2 groups:
    1. Select the check box for a group.
    2. In Fireware v12.9 or higher, in the Network Access Enforcement column, select Yes.
  14. Click Next.
    The Define the Virtual IP Address Pool page opens.
  15. Specify the IP address pool for Mobile VPN with IKEv2 users. The default IP address pool is 192.168.114.0/24.
  16. Click Next.
    The Mobile VPN with IKEv2 Setup Wizard is Complete page opens.
  17. Click Finish and then click Save.

Edit the Configuration

To edit the configuration:

  1. Select VPN > Mobile VPN.
    The Mobile VPN page opens.
  2. In the IKEv2 section, click Configure.

Download the Configuration

To download configuration scripts and instructions for IKEv2 VPN clients:

  1. Select VPN > Mobile VPN.
    The Mobile VPN page opens.
  2. In the IKEv2 section, click Client Profile.
    The Client Profile and Instructions page opens.
  3. Click Download.
    For more information about scripts and instructions, go to Configure Client Devices for Mobile VPN with IKEv2.

Use the IKEv2 Setup Wizard

To use the IKEv2 Setup Wizard, from Policy Manager:

  1. (Fireware v12.3 or higher) Select VPN > Mobile VPN > IKEv2.
    The IKEv2 Setup Wizard opens.
  2. (Fireware v12.2.1 or lower) Select VPN > Mobile VPN > IKEv2 > Activate.
    The IKEv2 Setup Wizard opens.
  3. Click Next.
    The Specify the Server Addresses for Client Connections page opens.
  4. Type the domain name or IP address for client connections. If your Firebox is behind a NAT device, specify the public IP address or domain name of the NAT device.
  5. Click Add.
  6. Click Next.
    The Select the User Authentication Servers page opens.
  7. Select one or more authentication servers for Mobile VPN with IKEv2 users:
    • Firebox-DB
    • RADIUS
    • AuthPoint (Fireware v12.7 or higher)
  8. To specify a different default authentication server, select a server and click Make Default.
  9. Click Next.
    The Add Users and Groups page opens.
  10. Select or add the users or groups for Mobile VPN with IKEv2.
  11. (Optional) To apply enforcement settings to Mobile VPN with IKEv2 groups:
    1. Select the check box for a group.
    2. In Fireware v12.9 or higher, select the Network Access Enforcement check box.
  12. Click Next.
    The Define the Virtual IP Address Pool page opens.
  13. Specify the IP address pool for Mobile VPN with IKEv2 users. The default IP address pool is 192.168.114.0/24.
  14. Click Next.
    The Mobile VPN with IKEv2 Wizard is Complete page appears.
  15. Click Finish.

Edit the Configuration

To edit the configuration, from Policy Manager:

  1. Select VPN > Mobile VPN > Get Started.
    The Configure Mobile VPN dialog box opens.
  2. In the IKEv2 section, click Configure.
    The Mobile VPN with IKEv2 Configuration dialog box opens.

Download the Configuration

To download configuration scripts and instructions for IKEv2 VPN clients, from Policy Manager:

  1. Select VPN > Mobile VPN > Get Started.
    The Configure Mobile VPN dialog box opens.
  2. In the IKEv2 section, click Client Profile.
    The Mobile VPN with IKEv2 Client Instructions dialog box opens.
  3. In the VPN Connection Name text box, type a name that describes this VPN connection.
  4. Click Download.

For more information about scripts, go to Configure Client Devices for Mobile VPN with IKEv2.

To configure other settings, edit the Mobile VPN with IKEv2 configuration.

Related Topics

Mobile VPN with IKEv2

Set Up Mobile VPN with IKEv2 video tutorial (8 minutes)

Edit the Mobile VPN with IKEv2 Configuration

Internet Access Through a Mobile VPN with IKEv2 Tunnel

Configure Client Devices for Mobile VPN with IKEv2

Configure iOS and macOS Devices for Mobile VPN with IKEv2

Configure Windows Devices for Mobile VPN with IKEv2

Configure Android Devices for Mobile VPN with IKEv2

Troubleshoot Mobile VPN with IKEv2

© 2024 WatchGuard Technologies, Inc. All rights reserved. WatchGuard and the WatchGuard logo are registered trademarks or trademarks of WatchGuard Technologies in the United States and other countries. Various other trademarks are held by their respective owners.
