How to check IKEv2 settings when it is not working
Zyxel Employee
Sometimes the VPN settings which is created by wizard does not work at every device because the default proposal does not suit each device. It is important to modify the firewall proposal to apply in the customer environment.
The article explains how to check your devices and firewall when you have IKEv2 issue. (Certificate will be used as an example rather than PSK because it is more complicated.)
Checking Flow
1. Find the log that contains “Phase 1 proposal mismatch”. You can find which proposals can be used for this client. For example, Firewall receives proposals (1)AES256,SHA256/SHA128,DH14 (2) AES256,SHA256/SHA128,DH19
In the packet trace, you can also find those proposals in IKE_SA_INIT phase.
Then you can configure matched proposal in VPN Gateway (Phase1) setting.
2. Find the log that contains “Phase 1 Local ID mismatch”.
The “Remote ID” field on the client must be the same as the firewall’s Local ID.
3. If the process gets stuck at “[AUTH]” phase, check if you have the certificate on the client.
4. If the message “[AUTH fail]” appears in the log, check if you have correct account and password.
5. The amount of IP Address Pool cannot exceed 65535. This is the design limitation.
Categories
- All Categories
- 385 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 74 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 886 Nebula FAQ
- 415 Security FAQ
- 228 Switch FAQ
- 199 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 63 Security Highlight