For home office users: WatchGuard IPSec + Windows 11 embedded onboard VPN

Good Morning,

a)
I know, maybe Mobile VPN with SSL/TLS is also suitable for the following procedure.

A home office user needs a VPN solution to his company.
Is it possible to have one desktop icon for the following procedure (after PC login)?

- connect the IPSec VPN with the Windows 11 onboard embedded client
- start mstsc.exe to his office PC via DNS name
- map company file server shares to his home office PC
- (e.g. a share credential login window would appear in case credentials weren't saved yesterday...)
- access to the internet on the home office PC is required while the VPN to the company is up

b)
Did you have trouble in the last years with notebook users on business trips and blocked
"IKEv2 IPSec traffic" at the hotel WiFi?

+++++++++

IPSec

Mobile VPN with IPSec is a less secure option unless you configure a certificate instead of a pre-shared key. Users can connect with a WatchGuard IPSec VPN client powered by NCP, and some native VPN clients.

We recommend Mobile VPN with IPSec for legacy IPSec IKEv1 tunnels when IKEv2 is not available. We also recommend this option for experienced Firebox administrators who must deploy multiple VPN routing profiles.

+++++++++

SSL

Mobile VPN with SSL/TLS is a secure option, but it is slower than other mobile VPN types. Windows and macOS users download a client from a Firebox portal. Android and iOS users download a profile from the Firebox portal for use with an OpenVPN client.

We recommend Mobile VPN with SSL when IKEv2 IPSec traffic is not allowed on the remote network or when split-tunneling is required.

+++++++++
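As an added example (not part of the thread, and not WatchGuard's or Microsoft's own script), one way to answer question a) with a single desktop shortcut: a PowerShell script that enforces split tunneling so home internet stays local, dials the existing Windows 11 IKEv2 profile, maps the share (prompting only when no credentials are cached) and then opens mstsc. It assumes the profile "Company IKEv2" was already created in Windows with saved sign-in info; the hostnames, drive letter and the 10.10.0.0/16 subnet are constructed placeholders.

```powershell
# Constructed placeholders: the IKEv2 profile "Company IKEv2" already exists in Windows
# (Settings > VPN) with saved sign-in info; the office LAN is 10.10.0.0/16.
$VpnName     = 'Company IKEv2'
$CompanyNet  = '10.10.0.0/16'
$OfficePc    = 'officepc.corp.example'
$ShareRoot   = '\\fileserver.corp.example\home'
$DriveLetter = 'H'

# The profile must exist; this script does not create one with guessed auth settings.
$vpn = Get-VpnConnection -Name $VpnName -ErrorAction Stop

# Requirement: internet stays local while the tunnel is up -> split tunnel with an
# explicit route for the company network only (everything else uses the home router).
if (-not $vpn.SplitTunneling) { Set-VpnConnection -Name $VpnName -SplitTunneling $true }
if (-not ($vpn.Routes | Where-Object DestinationPrefix -eq $CompanyNet)) {
    Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix $CompanyNet
}

# Dial the tunnel with the built-in client using the credentials saved for the profile.
if ($vpn.ConnectionStatus -ne 'Connected') {
    rasdial.exe $VpnName
    if ($LASTEXITCODE -ne 0) { throw "VPN connect failed (rasdial exit code $LASTEXITCODE)" }
}
# Wait until the adapter reports Connected before touching anything behind the tunnel.
$deadline = (Get-Date).AddSeconds(30)
while ((Get-VpnConnection -Name $VpnName).ConnectionStatus -ne 'Connected') {
    if ((Get-Date) -gt $deadline) { throw 'VPN did not come up within 30 s' }
    Start-Sleep -Seconds 1
}

# Map the file share: first try stored/domain credentials, on failure ask once, so the
# credential window from the question only appears when nothing is cached.
if (-not (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue)) {
    try {
        New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $ShareRoot `
            -Persist -Scope Global -ErrorAction Stop | Out-Null
    } catch {
        $cred = Get-Credential -Message "Credentials for $ShareRoot"
        New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $ShareRoot `
            -Persist -Scope Global -Credential $cred | Out-Null
    }
}

# Finally open Remote Desktop to the office PC by DNS name (resolved through the tunnel).
Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$OfficePc"
```

Point the desktop shortcut at `powershell.exe -File C:\Tools\connect-office.ps1` (path is a placeholder); the IKEv2 profile itself still carries the certificate or EAP settings from the Firebox instructions.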

SSL VPN is so easy to work with. Performance impact is negligible, and it doesn't affect RDP. It works anywhere port 443 is allowed, unless the firewall blocks OpenVPN.

I’ve found Windows lags so far behind in encryption methods supported that you’re better off using the SSL client. Use AGM 256 DH 21 for phase 1 and AGM 128 DH 19 for phase 2. That offers the best performance on most fireboxes.

IPsec v1 uses ports 50, 500 and 4500. IPsec v2 uses ports 50 and 4500. If you can use IPsec v1 in most environments, you can use IPsec v2 (IPsec passthrough policy in most firewalls).

In IPsec v1 you can use certificates or PSK, also in Remote Access.

IPsec v2 is more secure when you use the new GCM encryption proposal in phase 2. PSK or certificate is used in phase 1; the encryption is used in phase 2. In my opinion, with a strong PSK IPsec is as secure as with certificates.

SSL VPN is totally fine. Just make sure you have some kind of MFA because if you look at active traffic you'll see brute force attacks constantly flowing in.

I've actually found a big difference between SSL VPN and IKEv2 on an M290: 40 Mbps max on SSL VPN and 200 Mbps on IKEv2 on the same device and internet connection.

Using what encryption? The newer elliptical calculations are faster in recent firebox models.

AES-GCM256 DH19 for IKEv2. Tried AES-GCM256/128 and AES256/128 for SSL VPN and could never get even close to IKEv2. Would be interested to know what works for you.