Heads up to anyone using Watchguard firewalls for mobile VPN

We deployed the IKEv2 VPN for a client who was having all sorts of intermittent issues. After much troubleshooting, Watchguard support finally told us their hardware does not support packet fragmentation for IKEv2 VPNs.

If your connection request exceeds your ISP’s MTU, you will fail to connect. Moral of the story, don’t even bother trying to implement IKEv2 if you’re using a Watchguard Firebox as the gateway.

Can’t you just reduce your MTUs to say 1492 or use WireGuard instead?

Some routes can have a differing MTU and not reveal themselves for some time. Use the ping command to find your MTU: ping 8.8.8.8 -f -l 1473. You should see “Packet needs to be fragmented but DF set”, as you should, since 1473 + 28 = 1501 and it would need to be split into 2 packets. Lower it by 1 and try again: ping 8.8.8.8 -f -l 1472. You should see a ping reply, letting you know your MTU is 1500 for this route.
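The manual ping walk above (1473 fails, 1472 succeeds, so the path MTU is 1472 + 28 = 1500) generalises to a binary search over DF-set probes, which matters for the "differing MTU" routes this post warns about: a PPPoE or tunnelled path in the 1400s takes over 70 one-byte steps by hand but about ten probes by bisection. The following is an added example written for this page, not code from the thread or from Watchguard. It assumes the Windows and Linux (iputils) ping flags shown, that ping exits 0 only when a reply was received, and the host 8.8.8.8 from the post; the simulated probe is a constructed stand-in for a real path so the search can be run offline.

```python
"""Path MTU discovery by binary search over DF-set echo requests.

Added example (not from the thread). The thread's manual check is:
  ping 8.8.8.8 -f -l 1473  -> "Packet needs to be fragmented but DF set"
  ping 8.8.8.8 -f -l 1472  -> reply, so path MTU = 1472 + 28 = 1500
This automates that and also finds paths whose MTU is below 1500.
"""
import platform
import subprocess
from typing import Callable, Optional

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one DF-set echo request carrying `payload` data bytes.

    Returns True if a reply came back, False on fragmentation-needed,
    timeout or a missing ping binary. Flags are assumed for Windows and
    Linux iputils ping only (macOS/BSD ping uses -D -s instead); both are
    assumed to exit 0 only when at least one reply was received.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000),
               "-f", "-l", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s),
               "-M", "do", "-s", str(payload), host]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout_s + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return res.returncode == 0


def discover_path_mtu(probe: Callable[[int], bool],
                      lo_mtu: int = 548, hi_mtu: int = 1500) -> Optional[int]:
    """Return the largest MTU in [lo_mtu, hi_mtu] whose DF-set probe succeeds.

    `probe(payload)` must return True when an echo with that many data
    bytes is answered. Returns None if even `lo_mtu` fails (host down,
    ICMP filtered, or a blackhole that silently drops big frames).
    """
    lo = lo_mtu - IP_ICMP_OVERHEAD   # payload that must succeed
    hi = hi_mtu - IP_ICMP_OVERHEAD   # payload we would like to succeed
    if not probe(lo):
        return None
    # Invariant: probe(lo) succeeded; every payload above hi has failed.
    while lo < hi:
        mid = (lo + hi + 1) // 2     # round up so lo always advances
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + IP_ICMP_OVERHEAD


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a real path: the echo is answered only when
    the whole IP packet (payload + 28) fits the path MTU, which reproduces
    the thread's 1473-fails / 1472-succeeds behaviour for a 1500 path."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    # Offline demonstration on a constructed 1400-byte path (e.g. PPPoE or a tunnel).
    print("simulated 1400 path ->", discover_path_mtu(simulated_probe(1400)))
    # Live run against the host used in the post (needs network and ping):
    live = discover_path_mtu(lambda p: ping_probe("8.8.8.8", p))
    print("path MTU to 8.8.8.8 ->", live if live else "no DF-set reply at all")
```

Run it from each network the users actually connect from (hotel, mobile hotspot, home), not just the office: the number that matters for the IKEv2 problem in this thread is the smallest path MTU any client will see, and a None result means ICMP "fragmentation needed" is being filtered somewhere, which is exactly the condition under which a gateway that cannot fragment will fail to complete the exchange.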

Doesn’t quite seem right… does it work for a while and then stop working after a few days? We have tons of IKEv2 VPNs. One issue we did have was the crypto chip failing (had to disable it in the CLI), which caused the issue described above.

I always wonder what % out there leave the self-signed cert? And does it ever come back to bite them? MITM is insanely uncommon, I believe.

About 2% of the time I might have an issue with IKEv2. SSL is more reliable but noticeably slower.

No, Watchguard specifically stated there is no way to resolve this other than deleting certificates from your cert store to lower the packet size (apparently a hash of all your certs is sent as part of the connection request?).

Watchguard does offer other VPN methods including L2TP and SSL. We switched them over to SSL and that instantly solved the reliability issue.

Nah it depends on where they try to connect from. They travel a lot and use mobile networks or hotel networks. Switching them over to an SSL VPN instantly resolved all their issues.

Just curious why you weren’t using SSL in the first place? Was there a use case for IKEv2?

We lowered the MTU through GPO to 1350 for everyone which solved our fragmentation issues.

Does the SSL tunnel still have the 40 Mbps throughput cap? I’ve been off of the WG ecosystem for a bit over a year.

They travel a lot and use mobile networks or hotel networks. Switching them over to an SSL VPN instantly resolved all their issues.

We’ve run into the same issue and told them to hotspot their company phone if the hotel/airport network isn’t working. I guess that’s introducing yet another security vulnerability into the ether, but ehh, what can ya do? The issue with the SSL connection is that it’s a lot slower than the IKEv2 connection and will drop if the connection drops at all.

From the general research we did on the protocols available, IKEv2 was touted as the most secure and compatible for mobile users. SSL works great, but there are some possible security concerns due to MITM attacks.

Makes sense. If you can’t fix it on one networking device, fix it for a few thousand client devices.

Happened with mobile hotspots as well from certain locations. Worked fine when it was tested initially, then it didn’t work while travelling. There are definitely drawbacks to the SSL mobile VPN, but at least it works.

The NSA is always hating on SSL VPNs. Take that for what it is worth. I am not worried about nation state actors getting into my network, so I don’t really care.

As long as you have good certs, I was under the impression that would be highly unlikely to impossible. I’d love to be proven wrong though, because that’s what we are currently using.

It is the most secure when configured as such. At our MSP we only deploy the SSL VPN; however, I’ve set up IKEv2 without issues other than no AD auth. Much faster, more secure. Can be set up on endpoints via PSE without any software and is pre-Windows-login capable.

Coincidentally, about 1% of Watchguard firewalls were compromised with a botnet by Russian state-sponsored malware. We had 1 client that had positive scans on 4 of their firewalls that we had to remediate, and they were a small business.

In general yeah, it’s probably fine. But after the FortiGate debacle where it was revealed their default config allowed for MITM attacks, I’ve been wary of utilizing SSL VPNs on firewalls that aren’t enterprise grade. Watchguard is nice and cheap, easy to use, but we only sell them to our clients because they won’t balk at the price. It’s a compromise to utilize these things, and we want to cover our asses as much as possible.

Clearly this bit us in the ass here because they didn’t disclose the major flaw with their implementation of the IKEv2 protocol.