IPsec VPN setup for iPhone
Hi,
I'm trying to setup the Cisco IPSec VPN connection on the iPhone.
Everything works fine with StrongSwan VPN (installed on RaspberryPI), but now I want to get rid of StrongSwan and move the VPN server to the ZyXEL ZyWall 110.
I'm using certificate authentication + X-Auth.
Phase 1 completes successfully, but in Phase 2 I get the error messages "Phase 2 proposal mismatch" and "No proposal chosen".
In the attached images you can see the settings and IKE logs.
And HERE is the Apple reference for "Cisco IPsec VPN setup for iPhone and iPad".
Any idea how to solve this issue?
Attached images: PHASE 1 settings, PHASE 2 settings, LOGS.
Accepted Solution
Hi @OldFox
Thanks for your feedback. You can change the Perfect Forward Secrecy (PFS) to none, please refer to the below.
And I also corrected my previous message, thanks.
All Replies
I'm also attaching the log file of a successful connection from the iPhone to the StrongSwan VPN server.
@OldFox
You can change the local policy domain to 0.0.0.0/0, please refer to the following lab test result.
Please change the local policy domain to 0.0.0.0/0.
The successful IKE log:
@Zyxel_Jeff
thanks for the feedback.
I've removed VPN settings and started from scratch.
I've made some changes:
- changed encryption: AES128 to AES256 (in phase 1 and phase 2 settings)
- changed address pool to range 10.10.10.1 - 100
- switched from certificate authentication to Pre-Shared Key
- changed the local policy domain to 0.0.0.0/0, like you suggested
https://www.dropbox.com/s/qfjaau4bpmb2r2h/ZyWALL_110_ipsec_vpn_ios.pdf?dl=0
But I still get that error message:
[SA] : Tunnel [IPSec_iOS] Phase 2 proposal mismatch
[SA] : No proposal chosen
There should be that "Recv IPSec SA..." message, like in your case.
However, in your test result the same Phase 1 image appears twice, so I can't see the lower part of the Phase 2 settings (below the "Mode config" section). Could you maybe re-attach the "Phase 2" settings image?
Any idea what I should try next?
p.s.
The L2TP VPN connection is working fine, but I want to use IPSec, because it allows the "VPN on demand" feature.
Thanks a lot for your support
Luka
@Zyxel_Jeff
Wow, if I disable the PFS (phase2) it works! Thanks.
But if I switch back to authentication with certificates, it doesn't work. Phase 1 is ok, but in Phase 2 I get the "delete" or "close connection" message (I will post the log later, when I get home), without any error message.
Any idea why it doesn't work with certificate authentication?
I'm not 100% sure, but I think that "VPN on demand" requires certificate authentication.
Thanks again for your time!
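For comparison, here are the Phase 2 settings the thread ends up with (AES256, address pool 10.10.10.1 - 100, local policy 0.0.0.0/0, PSK + XAuth, PFS off) written as a strongSwan ipsec.conf, the server the poster moved away from. This is an added example, not a configuration from the thread or from Zyxel; the DNS address and the commented certificate file name are placeholders, and the comment on PFS reflects what the thread observed on the ZyWALL.

```conf
# strongSwan ipsec.conf for the iOS built-in "Cisco IPsec" client (IKEv1 + XAuth).
# Added example; values mirror the settings discussed in the thread, names are placeholders.
config setup
    uniqueids=no              # several phones may share one XAuth account

conn ios-cisco-ipsec
    keyexchange=ikev1
    aggressive=yes            # iOS uses aggressive mode when a group name/PSK is configured
    # PSK + XAuth, as in the working setup from the thread.
    # The phone's "group name" is its IKE identity; the PSK goes in ipsec.secrets as
    #   : PSK "group-secret"         and the user as   alice : XAUTH "password"
    # For certificate authentication instead: authby=xauthrsasig, leftcert=server.pem (placeholder)
    authby=xauthpsk
    xauth=server
    left=%defaultroute
    leftsubnet=0.0.0.0/0      # "local policy" 0.0.0.0/0: all client traffic enters the tunnel
    right=%any
    rightsourceip=10.10.10.1-10.10.10.100   # address pool handed out via mode config
    rightdns=10.10.10.254     # placeholder DNS server pushed to the phone
    # Phase 1 proposal
    ike=aes256-sha1-modp1024!
    # Phase 2 proposal: no DH group listed means PFS off.
    # Appending a group (esp=aes256-sha1-modp1024!) would demand PFS, which is the
    # condition that produced "Phase 2 proposal mismatch / No proposal chosen" in the thread.
    esp=aes256-sha1!
    dpdaction=clear
    rekey=no                  # let the client drive rekeying
    auto=add
```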