How to check IKEv2 settings when it is not working
The VPN settings created by the wizard do not work on every device, because the default proposal does not suit every client. The firewall proposal must be adjusted to fit the customer environment.
This article explains how to check your devices and the firewall when you have an IKEv2 issue. Certificate authentication is used as the example rather than PSK, since it is the more complicated case.
Checking Flow
1. Look for the log message “Phase 1 proposal mismatch”. It lists the proposals the client offered, so you can see which ones this client can use. For example, the firewall receives proposals (1) AES256, SHA256/SHA128, DH14 and (2) AES256, SHA256/SHA128, DH19.
In a packet trace, the same proposals appear in the IKE_SA_INIT exchange.
Then configure a matching proposal in the VPN Gateway (Phase 1) settings.
2. Look for the log message “Phase 1 Local ID mismatch”.
The “Remote ID” field on the client must be identical to the firewall's Local ID.
3. If the negotiation stops at the “[AUTH]” phase, check that the certificate is installed on the client (and that the client trusts the CA that issued the firewall's certificate).
4. If “[AUTH fail]” appears in the log, check that the account name and password are correct.
5. The IP address pool cannot contain more than 65535 addresses. This is a design limitation.
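The checklist above, as an added example that is not part of the original article and not Zyxel code: a Python script that scans IKEv2 log lines for the messages named in steps 1 to 4, expands the proposals the client offered (using the article's notation, where "/" separates alternatives), compares them with an assumed firewall Phase 1 setting, and checks the step 5 pool limit. The firewall setting AES128/SHA1/DH2 is a hypothetical wizard default, not a documented one, and the log lines are constructed for the example.

```python
"""Triage an IKEv2 negotiation log against the checklist above.

Constructed example. The log strings are the ones quoted in the article;
the proposal notation "AES256,SHA256/SHA128,DH14" follows the article,
where "/" separates alternatives the client accepts.
"""
import ipaddress
import re
from itertools import product

# Assumed Phase 1 proposal left by the wizard (hypothetical, not a documented default).
FIREWALL_PHASE1 = [("AES128", "SHA1", "DH2")]

IP_POOL_MAX = 65535  # design limit quoted in step 5

# Matches "(1)AES256,SHA256/SHA128,DH14" and captures the proposal text.
PROPOSAL_RE = re.compile(r"\(\d+\)\s*([A-Za-z0-9/,]+)")

# Constructed sample log, modelled on the messages the article names.
SAMPLE_LOG = """\
2024-01-01 10:00:01 IKEv2 Recv IKE_SA_INIT request from 203.0.113.10
2024-01-01 10:00:01 Phase 1 proposal mismatch, received: (1)AES256,SHA256/SHA128,DH14 (2)AES256,SHA256/SHA128,DH19
2024-01-01 10:01:05 Phase 1 Local ID mismatch, remote ID: vpn.example.net
2024-01-01 10:02:30 [AUTH] waiting for client certificate
2024-01-01 10:03:00 [AUTH fail] EAP authentication failed for user alice
"""

# Constructed log of a negotiation that never gets past IKE_AUTH (step 3).
STUCK_LOG = """\
2024-01-01 11:00:01 IKEv2 Recv IKE_SA_INIT request from 203.0.113.11
2024-01-01 11:00:02 [AUTH] waiting for client certificate
"""


def parse_proposal(text):
    """'AES256,SHA256/SHA128,DH14' -> every (enc, integ, dh) combination it allows."""
    fields = [part.split("/") for part in text.split(",")]
    if len(fields) != 3:
        raise ValueError(f"expected enc,integ,dh but got {text!r}")
    return list(product(*fields))


def received_proposals(line):
    """Extract the numbered proposals from a 'Phase 1 proposal mismatch' line."""
    return [parse_proposal(p) for p in PROPOSAL_RE.findall(line)]


def common_proposals(client_sets, firewall):
    """Combinations offered by the client that the firewall is configured to accept."""
    firewall_set = set(firewall)
    return [t for props in client_sets for t in props if t in firewall_set]


def suggest_proposal(client_sets):
    """First (enc, integ, dh) the client offered; configure it as the Phase 1 proposal."""
    return client_sets[0][0] if client_sets and client_sets[0] else None


def ip_pool_ok(first, last):
    """Step 5: an IKEv2 address pool may hold at most IP_POOL_MAX addresses."""
    size = int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1
    return 0 < size <= IP_POOL_MAX


def triage(log, firewall=FIREWALL_PHASE1):
    """Map log lines to checklist steps; returns [(step, advice), ...] in log order."""
    findings = []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if "Phase 1 proposal mismatch" in line:
            offered = received_proposals(line)
            if not common_proposals(offered, firewall):
                advice = f"no overlap with firewall Phase 1; set {suggest_proposal(offered)}"
                findings.append((1, advice))
        elif "Phase 1 Local ID mismatch" in line:
            findings.append((2, "client Remote ID must equal the firewall Local ID"))
        elif "[AUTH fail]" in line:
            findings.append((4, "check account name and password"))
        elif "[AUTH]" in line:
            # Only a problem if nothing after this line shows progress.
            later = "\n".join(lines[i + 1:])
            if "[AUTH fail]" not in later and "established" not in later:
                findings.append((3, "stuck at AUTH: check the client certificate and CA trust"))
    return findings


if __name__ == "__main__":
    for step, advice in triage(SAMPLE_LOG) + triage(STUCK_LOG):
        print(f"step {step}: {advice}")
    print("pool 10.0.0.1-10.0.255.255 ok:", ip_pool_ok("10.0.0.1", "10.0.255.255"))
    print("pool 10.0.0.1-10.1.0.0 ok:", ip_pool_ok("10.0.0.1", "10.1.0.0"))
```

The proposal comparison is the part worth keeping: once the client's offer is expanded into individual (encryption, integrity, DH group) combinations, it is obvious whether the firewall's Phase 1 setting overlaps at all, and which combination to configure so this client can connect.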