How to check IKEv2 settings when it is not working
Zyxel Employee
Sometimes the VPN settings which is created by wizard does not work at every device because the default proposal does not suit each device. It is important to modify the firewall proposal to apply in the customer environment.
The article explains how to check your devices and firewall when you have IKEv2 issue. (Certificate will be used as an example rather than PSK because it is more complicated.)
Checking Flow
1. Find the log that contains “Phase 1 proposal mismatch”. You can find which proposals can be used for this client. For example, Firewall receives proposals (1)AES256,SHA256/SHA128,DH14 (2) AES256,SHA256/SHA128,DH19
In the packet trace, you can also find those proposals in IKE_SA_INIT phase.
Then you can configure matched proposal in VPN Gateway (Phase1) setting.
2. Find the log that contains “Phase 1 Local ID mismatch”.
The “Remote ID” field on the client must be the same as the firewall’s Local ID.
3. If the process gets stuck at “[AUTH]” phase, check if you have the certificate on the client.
4. If the message “[AUTH fail]” appears in the log, check if you have correct account and password.
5. The amount of IP Address Pool cannot exceed 65535. This is the design limitation.
Categories
- All Categories
- 431 Beta Program
- 2.6K Nebula
- 165 Nebula Ideas
- 112 Nebula Status and Incidents
- 6K Security
- 366 USG FLEX H Series
- 293 Security Ideas
- 1.5K Switch
- 78 Switch Ideas
- 1.2K Wireless
- 42 Wireless Ideas
- 6.7K Consumer Product
- 263 Service & License
- 407 News and Release
- 87 Security Advisories
- 31 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 83 Security Highlight