How to check IKEv2 settings when it is not working

Zyxel_Kevin Posts: 754  Zyxel Employee
First Anniversary 10 Comments Friend Collector First Answer

Sometimes the VPN settings which is created by wizard does not work at every device because the default proposal does not suit  each device. It is important to modify the firewall proposal to apply in the customer environment.

The article explains how to check your devices and firewall when you have IKEv2 issue. (Certificate will be used as an example rather than PSK because it is more complicated.)

Checking Flow

1. Find the log that contains  “Phase 1 proposal mismatch”. You can find which proposals can be used for this client. For example, Firewall receives proposals (1)AES256,SHA256/SHA128,DH14 (2) AES256,SHA256/SHA128,DH19

In the packet trace, you can also find those proposals in IKE_SA_INIT phase.

Then you can configure matched proposal in VPN Gateway (Phase1) setting.

2. Find the log that contains “Phase 1 Local ID mismatch”.

The “Remote ID” field on the client must be  the same as the firewall’s Local ID.


3. If the process gets stuck at “[AUTH]” phase, check if you have the certificate on the client.


4. If the message “[AUTH fail]” appears in the log, check if you have correct account and password.

5. The amount of IP Address Pool cannot exceed 65535. This is the design limitation.