How to check IKEv2 settings when it is not working

Zyxel_Kevin Posts: 875  Zyxel Employee

Sometimes the VPN settings created by the wizard do not work on every device, because the default proposal does not suit every client. The firewall's proposal has to be adjusted to match the customer environment.

This article explains how to check your devices and the firewall when you have an IKEv2 issue. (Certificate authentication is used as the example rather than a pre-shared key, because it is the more complicated case.)

Checking Flow

1. Find the log entry that contains “Phase 1 proposal mismatch”. It lists the proposals the client offered, so you can see which ones this client can use. For example, the firewall receives the proposals (1) AES256, SHA256/SHA128, DH14 and (2) AES256, SHA256/SHA128, DH19.


In a packet trace you can also find these proposals in the IKE_SA_INIT exchange, in the SA payload of the client's first message.


Then configure a matching proposal in the VPN Gateway (Phase 1) settings.


2. Find the log entry that contains “Phase 1 Local ID mismatch”.


The “Remote ID” field on the client must be exactly the same as the firewall's Local ID (same ID type and same value).



3. If the negotiation gets stuck at the “[AUTH]” phase, check that the certificate is installed on the client, and that the client trusts the CA that issued the firewall's certificate.


4. If “[AUTH fail]” appears in the log, check that the account and password used by the client are correct.


5. The IP address pool cannot contain more than 65535 addresses. This is a design limitation.
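The checking flow above is a sequence of keyword searches in the firewall log plus one sizing rule. The script below is an added example (it is not Zyxel code and not part of the original post) that walks a log once, reports which step of the flow applies to each failure line, extracts the proposals the client offered from the “Phase 1 proposal mismatch” entry so they can be copied into the VPN Gateway settings, and checks an address pool against the 65535 limit. The sample log lines are constructed for this example; only the keywords quoted in the steps above are taken from the article, the surrounding wording, timestamps and addresses are assumptions.

```python
"""Triage helper for the IKEv2 checking flow.

Assumption (not Zyxel's own log format): each log line is plain text that
contains one of the keywords the article tells you to search for. The text
around those keywords below is constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines; they are NOT verbatim firewall output.
SAMPLE_LOG = """\
2024-01-01 10:00:01 IKE: recv IKE_SA_INIT from 203.0.113.10
2024-01-01 10:00:01 IKE: Phase 1 proposal mismatch. Peer proposals: (1)AES256,SHA256/SHA128,DH14 (2)AES256,SHA256/SHA128,DH19
2024-01-01 10:05:30 IKE: Phase 1 Local ID mismatch. Peer remote ID: vpn.example.net
2024-01-01 10:10:00 IKE: [AUTH] waiting for IKE_AUTH from 203.0.113.11
2024-01-01 10:15:00 IKE: [AUTH fail] EAP authentication failed for user alice
"""

# Checked in order: "[AUTH fail]" must be tested before the bare "[AUTH]" marker,
# otherwise a failed login would be reported as "stuck at AUTH".
STAGE_RULES = [
    ("Phase 1 proposal mismatch", "proposal_mismatch",
     "configure a Phase 1 proposal on the VPN Gateway that matches one the peer offers"),
    ("Phase 1 Local ID mismatch", "local_id_mismatch",
     "set the client's Remote ID equal to the firewall's Local ID"),
    ("[AUTH fail]", "auth_fail",
     "check the account and password the client uses"),
    ("[AUTH]", "auth_stuck",
     "check that the certificate is installed on the client"),
]

# Matches "(1)AES256,SHA256/SHA128,DH14" style proposal listings.
PROPOSAL_RE = re.compile(r"\(\d+\)\s*([A-Z0-9]+),([A-Z0-9/]+),(DH\d+)", re.I)


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: tuple  # alternatives the peer accepts, e.g. ("SHA256", "SHA128")
    dh_group: str


def classify(line: str):
    """Return (stage, advice) for a log line, or None if it is not a failure marker."""
    for needle, stage, advice in STAGE_RULES:
        if needle in line:
            return stage, advice
    return None


def parse_peer_proposals(line: str):
    """Extract the proposals the peer offered from a proposal-mismatch line."""
    return [
        Proposal(enc.upper(), tuple(integ.upper().split("/")), dh.upper())
        for enc, integ, dh in PROPOSAL_RE.findall(line)
    ]


def triage(log_text: str):
    """Walk the log once; collect every failure stage seen and the peer's proposals."""
    findings = []
    proposals = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        stage, advice = hit
        findings.append((stage, advice))
        if stage == "proposal_mismatch":
            proposals.extend(parse_peer_proposals(line))
    return {"findings": findings, "peer_proposals": proposals}


MAX_POOL_SIZE = 65535  # design limit from step 5


def pool_size_ok(first: str, last: str) -> bool:
    """True if the pool first..last (inclusive) stays within the 65535-address limit."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError("pool end precedes pool start")
    return int(b) - int(a) + 1 <= MAX_POOL_SIZE


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for stage, advice in report["findings"]:
        print(f"{stage:18s} -> {advice}")
    for p in report["peer_proposals"]:
        print(f"peer offers: {p.encryption} / {'|'.join(p.integrity)} / {p.dh_group}")
    print("192.168.50.1-192.168.50.254 ok:", pool_size_ok("192.168.50.1", "192.168.50.254"))
    print("10.0.0.1-10.1.0.0 ok:", pool_size_ok("10.0.0.1", "10.1.0.0"))
```

Run it against an exported log instead of SAMPLE_LOG to get the same report; the proposals it prints are the ones to pick from when editing the VPN Gateway (Phase 1) proposal, and the pool check catches a range that would exceed the limit before the configuration is pushed.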