IKEv2 Certificate Based on iOS 17.0.3
Hello Community,
After getting a new Apple device (iPhone 15) with the latest version (17.0.3) I am not able to get my IKEv2 VPN running. With the previous Apple device (iPhone X) all was working fine. The configuration has not been changed on the ZyXEL (USG20W-VPN) side. Please see a screenshot of the configuration:
After successfully reinstalling the certificate on the new device and entering the credentials for authentication, I am getting a "phase 2 proposal mismatch" message in the ZyXEL log.
On my existing iPad the IKEv2 VPN worked fine after an in-place upgrade to iOS 17. However, after deleting the VPN configuration and reconfiguring it (on the iPad) the VPN stopped working with the same proposal mismatch issue.
Any ideas?
Thanks a lot in advance.
Accepted Solution
-
yes, on my ATP100 I just changed the DH group from DH2, DH14, DH21
to DH2, DH19
DH14 and/or DH21 did not work for me.
best regards from Austria
0
All Replies
-
Did you set up IKEv2 VPN manually or with Quick Setup Wizard?
I performed a test with an iPhone 15 on iOS 17.0.3 and it works fine. The IKEv2 profile was created by the wizard, then I downloaded the script to the iPhone 15.
0 -
It does not work here either, using IKEv2 with an iPhone 14 Pro on iOS 17.1 and an ATP100. :-(
Tried everything for hours. The same settings work with a USG 100 Flex and the very same iPhone. So it has to be something with the ATP100 in combination with newer iPhones. My old iPad Mini 2 with iOS 12.5.7 is able to establish the VPN connection (to the ATP100).
0 -
You may follow my encryption configuration AES128/SHA256 and try again.
Moreover, I recommend that you create the VPN configuration via the Wizard and then download the VPN script. It works for my iPhone with iOS 17.
0 -
Just tried it with the wizard and it still doesn't work. Wizard configured:
Phase 1: AES128/SHA256, DH2, DH14, DH21
Phase 2: AES128/SHA256, none
LOG says (newest on top):
IKE SA [] is disconnected [count=3]
[SA] : No proposal chosen [count=3]
[SA] : Tunnel [RemoteAccess_Wiz] Phase 1 proposal mismatch [count=3]
Honestly I don't know what to do…
0 -
PROBLEM SOLVED!
Use DH19 instead of DH14! So for Windows/Mac/iOS use groups DH2 and DH19.
@Zyxel Support: Please change your online manuals ;-)
0 -
@ake01 Thanks for your feedback.
According to Apple's official documentation, the minimum allowed value is DH14. You can see my screenshot provided previously; I used DH2, DH14, DH21.
Reference:
Could you confirm that you only need to adjust the DH group setting to make it work?
0 -
FYI, with iOS 18 there is another problem: an empty LocalIdentifier in the mobileconfig file.
Solution: log in to the device from Chrome with a changed user agent (under Network Conditions in the Development panel), download the *.mobileconfig file, find the LocalIdentifier string, put a random email there, and send the changed file by email. Open it on the iPhone in Mail and install the profile as usual. This is also a chance to change the profile name and VPN name to something useful and make all UUIDs unique, so it is possible to install profiles from more than one USG.
Credit: https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA1Vr00000060IHKAY&lang=en_US
0
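An added example (not from any poster in this thread and not Zyxel's or Apple's code) that does the manual mobileconfig edit described above programmatically: it audits an exported profile for an empty LocalIdentifier, reports the DH groups it offers (flagging DH14/DH21, which the thread reports failing against the ATP100), checks for repeated PayloadUUIDs, and then repairs the profile. The sample profile, hostname and UUIDs are constructed; the key names follow Apple's configuration profile schema, and a real Zyxel export carries more keys.

```python
import plistlib
import uuid

# Constructed sample of a Zyxel-style IKEv2 profile as the iOS 18 export above
# would look (empty LocalIdentifier). Hostname and UUIDs are placeholders.
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.usg.vpn",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "UserDefinedName": "RemoteAccess_Wiz",
        "IKEv2": {
            "RemoteAddress": "vpn.example.com",
            "LocalIdentifier": "",
            "IKESecurityAssociationParameters": {"DiffieHellmanGroup": 14},
            "ChildSecurityAssociationParameters": {"DiffieHellmanGroup": 14},
        },
    }],
})

# DH groups the posters above report failing against the ATP100 with iOS 17+.
FAILING_DH = {14, 21}

def audit_profile(data: bytes) -> dict:
    """Flag an empty LocalIdentifier, list DH groups offered, detect repeated PayloadUUIDs."""
    root = plistlib.loads(data)
    uuids, dh, empty_id = [root.get("PayloadUUID")], set(), False
    for payload in root.get("PayloadContent", []):
        uuids.append(payload.get("PayloadUUID"))
        ike = payload.get("IKEv2") or {}
        if payload.get("PayloadType") != "com.apple.vpn.managed" or not ike:
            continue
        empty_id = empty_id or not ike.get("LocalIdentifier")
        for sa in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
            dh.add(ike.get(sa, {}).get("DiffieHellmanGroup"))
    return {"empty_local_id": empty_id, "dh_groups": dh,
            "dh_reported_failing": bool(dh & FAILING_DH),
            "duplicate_uuids": len(uuids) != len(set(uuids))}

def repair_profile(data: bytes, local_id: str) -> bytes:
    """Fill an empty LocalIdentifier and give every payload a fresh PayloadUUID."""
    root = plistlib.loads(data)
    root["PayloadUUID"] = str(uuid.uuid4()).upper()
    for payload in root.get("PayloadContent", []):
        payload["PayloadUUID"] = str(uuid.uuid4()).upper()
        ike = payload.get("IKEv2")
        if ike is not None and not ike.get("LocalIdentifier"):
            ike["LocalIdentifier"] = local_id
    return plistlib.dumps(root)
```

Running `repair_profile` on the downloaded file and mailing the result to the phone replaces the manual text edit; the DH group itself still has to be changed on the USG/ATP side, as the thread describes.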