Comparing IKEv2 vs Mobile SSL VPN

Hello, are there other important differences?
Point of view: small company / no mass deployment.

Why is IKEv2 better than Mobile SSL VPN?

Pro:
a bit faster
Windows cmd: rasdial + rasphone native support
one-touch desktop icon possible, e.g. rasdial + open mstsc.exe /v
whatsmyip.com shows the public IP of the destination WatchGuard
initial connect faster

+++++

Text from the web UI:

IKEv2
Mobile VPN with IKEv2 is the most secure option and provides high-performance VPN connections. Users can connect with native Windows, macOS, or iOS clients, or with the strongSwan app for Android.

Mobile SSL VPN
Mobile VPN with SSL/TLS is a secure option, but it is slower than other mobile VPN types. Windows and macOS users download a client from a Firebox portal. Android and iOS users download a profile from the Firebox portal for use with an OpenVPN client.

IKEv2 is easier for the end user to use. It’s not another program they have to open; it’s built into the native Windows UI.

It’s a nearly instant connection instead of waiting a few seconds on SSL. Not a huge difference, but 100% better than waiting.

It’s more secure

It’s easier to roll out

It has far faster bandwidth.

It can be set up with -AllUserConnection, and then users can connect to the VPN before Windows login, which solves the issues of login scripts.

12.8 and higher has mobile IKE (MOBIKE), which makes roaming seamless.

We install both. Too many times port 500 is blocked by an ISP and they have to use SSL. IKEv2 is faster, but for the purposes of getting work done, there isn’t much difference. We have a lot of mobile users, so it just makes sense for us to install both. 90% of the time our users are using SSL.

Does this support MFA?

Beware if you have IPv6-only or hotel guest users. In both cases IKEv2 won’t work.

SSL VPN means you can use the OpenVPN client as well; sometimes we have to mess around with multiple clients on multiple operating systems to make it play nicely.

How to add VPN in Android? Which type should I use? Where can I get server address?

Wow, thanks for the input.

Which inbound port does IKEv2 use/require?

For example, in case there is a WAN router in front of the WatchGuard and each inbound port needs to be redirected to the WatchGuard.

It’s fun until you find out ISPs block IKEv2 ports.

Last I knew, Windows doesn’t support secure IKE settings unless you use PowerShell. Not very approachable for most. Performance of SSL is plenty good for all use cases I manage, and configuration is a breeze.

Same. SSL VPN installed as a backup.
None of the AD users are in the authentication group unless they just can’t get in on IKEv2, and then we just put them in temporarily.
That’s a big kicker, because I’d rather not have to administer/get SSL updates on everything.

Yes, provided your MFA provider supports RADIUS.

I assume: in case of IKEv2 problems, the first step would be

“net stop rasman” + “net start rasman”

  • retry rasdial/rasphone.exe

It will generate scripts when you download the IKEv2 profile.

At t-ball. Will in a few hours.

The only important changes are:

  1. Adding the -DnsSuffix switch: This applies to both the Add-VPNConnection and Update-VPNConnection functions.
  2. Using the -AllUserConnection switch: Also needed for both functions to ensure the VPN connection is created for all users on the system.
  3. Modifying the global VPN configuration: To make sure the VPN connection is configured globally (not just per user), the following line is required:

$RASPhoneBook = "C:\Users\All Users\Microsoft\Network\Connections\pbk\rasphone.pbk"

See screenshot:

https://i.imgur.com/02uDiGN.png

Around 2020, after a Windows update, I noticed that VPN connections on some Windows 10 machines stopped resolving network resources like mapped drives. It turned out that DNS queries were being routed through the LAN NIC’s DNS servers instead of the VPN’s DNS servers.

Initially, I tried adding the IpDnsFlag changes, but it didn’t solve the issue. What ultimately fixed it was setting the IpInterfaceMetric of the VPN connection to 1 (the lowest value), which gave the VPN higher priority in routing.

Although I’ve kept the IpDnsFlags modification, I’m not convinced it’s still necessary. The IpInterfaceMetric adjustment alone seems to resolve the issue, and it always works for me now.

Here is a paste of what I add under SetIPSecConfiguration:

# All-user phonebook; "All Users" is the legacy junction to C:\ProgramData.
$RASPhoneBook = "C:\Users\All Users\Microsoft\Network\Connections\pbk\rasphone.pbk"
# Note: both replacements are applied to every entry in the phonebook, not just this VPN connection.
(Get-Content $RASPhoneBook) -Replace 'IpDnsFlags=0', 'IpDnsFlags=3' | Set-Content $RASPhoneBook
# Force the VPN interface metric to 1 so its DNS servers win over the LAN NIC's.
(Get-Content $RASPhoneBook) -Replace 'IpInterfaceMetric=.{1,5}', 'IpInterfaceMetric=1' | Set-Content $RASPhoneBook

My reply was rambling so cleaned up with chatgpt lol
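Added example (not from the thread, not WatchGuard's generated script) pulling together the two posts above: create the IKEv2 connection for all users with -DnsSuffix and -AllUserConnection, pin the IKE/IPsec proposal from PowerShell (the GUI cannot do this), and then patch IpInterfaceMetric and IpDnsFlags only inside this connection's own [section] of the all-user rasphone.pbk, rather than every entry in the file as the plain -Replace does. The connection name, server FQDN and DNS suffix are placeholders, and the cipher/DH choices are an assumption that must match the Firebox's IKEv2 proposals.

```powershell
# Run in an elevated PowerShell with the connection disconnected.
$Name      = 'Company IKEv2'      # assumption: connection name (also the [section] header in rasphone.pbk)
$Server    = 'vpn.example.com'    # assumption: Firebox external FQDN
$DnsSuffix = 'corp.example.com'   # assumption: internal AD DNS suffix

# 1. All-user connection: stored in the system phonebook and selectable at the
#    Windows logon screen, which is what lets login scripts run over the VPN.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType IKEv2 `
    -AuthenticationMethod EAP -EncryptionLevel Required -RememberCredential `
    -DnsSuffix $DnsSuffix -AllUserConnection -Force

# 2. Pin the proposal. Assumption: the Firebox side is configured for the same
#    AES-256-GCM / SHA-256 / DH group 14 (2048-bit) settings; adjust to match.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# 3. Phonebook edits scoped to one [section]. $env:ProgramData is the same
#    folder that C:\Users\All Users (a junction) points to.
$Pbk = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'

function Set-PbkValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Section,  # connection name
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Value
    )
    $inSection = $false
    $changed   = $false
    $keyRegex  = '^' + [regex]::Escape($Key) + '='
    $out = foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.*)\]$') {
            # Entering a new section; only the one named $Section gets edited.
            $inSection = ($Matches[1] -eq $Section)
            $line
        }
        elseif ($inSection -and $line -match $keyRegex) {
            $changed = $true
            "$Key=$Value"
        }
        else {
            $line
        }
    }
    if (-not $changed) { throw "Key '$Key' not found in section [$Section] of $Path" }
    Set-Content -Path $Path -Value $out
}

# Lowest metric so the VPN interface's DNS servers win over the LAN NIC's.
Set-PbkValue -Path $Pbk -Section $Name -Key 'IpInterfaceMetric' -Value '1'
# Kept as in the thread; the poster above doubts it is still needed.
Set-PbkValue -Path $Pbk -Section $Name -Key 'IpDnsFlags' -Value '3'

# 4. Dial (assumes saved credentials) and confirm the metric took effect on the
#    tunnel interface, whose alias equals the connection name.
rasdial $Name
Get-NetIPInterface -InterfaceAlias $Name -AddressFamily IPv4 |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState
```

The throw in Set-PbkValue is deliberate: if Windows has renamed the key or the section, the script stops rather than silently leaving the LAN NIC's DNS in charge, which is exactly the failure the post describes.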

50/500/4500 UDP for IKEv2. That is one potential downside. Maybe you get to some hotel that has that blocked. It’s been a while since I’ve had a user report that, though. Never see it any more.

The only ISPs I have found that had issues so far were Quantum Fiber and T-Mobile cellular, but neither were port issues and I found the fix (check recent post history).

Man. Run a speed test on both. I understand it’s night and day different in QuickBooks/DB-related stuff too.

I assume there is no chance to get back the separate rasphone.exe icon down by the clock; it was a good way to see rasdial/rasphone.exe connection status.