ATP200 VPN on Iphone stays stuck on "connection starting"
Hello,
I had a IKEv2 VPN with certificate working at my home, i'm not sure if the issue started after i upgraded the ATP to release 5.39 or my upgrade to IOS 18, but i;m not able to get the VPN working again, i tried new phase 1 and 2 settings a new certificate but nothing is working, i think it has something to do with the PEER IP adress mismatch message , but im not able to fix it.
PS, the certificate is created with a FQDN and the FQDN is working
Does this look similar for someone, see the debug log file:
Best Answers
-
Hi @Jarno_Smits,
May I know how you created the VPN profile on your iPhone? Was it created by the firewall's script?
I did some lab for this issue and found:
- I can connect the VPN by manually creating a VPN profile on iOS 17.6.1 and 18 with the proposal in the above FAQ.
- I can connect the VPN by the firewall's script on iOS 17.6.1.
- I can connect the VPN by the firewall's script on iOS 18.
Could you help to try manually creating a VPN profile to test if you used the script to create the VPN profile?
Zyxel Melen0 -
Good Morning Melen,
It looke like it has something to do with the certificate / Enable Extended Authentication Protocol
I deleted the profile / Certificate from my iphone and configured manualy the VPN.
I changed from certificate to Pre-shared key, but still it didn't work, the same errors, then i disabled the "Enable Extended Authentication Protocol " and now it is connecting.
The Local ID Type is stil on DNS , bacause that is working.
I think it mus be sometihing with the certificate and/or "Enable Extended Authentication Protocol "
this in combination with IoS 18?
This because i have a second VPN the same setup as the old one, using the same old certificate and here is "Enable Extended Authentication Protocol " still enabled but this VPN profile is only used for my Laptop, and this one is still connectiong without any problem.
In my case it doesn't look it had something to do with the Phase 1 settings offcouse i changed the DH settings to the new document, but for the test i changed them back to the old settings and then the VPN still could connect, but only with the new preshared key configuration.
See below the settings how i have it running now.
Now the next step is to get it working with the Profile and Certificate again :-)
1
All Replies
-
For the VPN gateway rule in Advance set peer ID type to any
0 -
Hi Peter,
It is already on "ANY"
see screenshot below, i already found a topic online about this, but it doesn't solve my problem.
0 -
Is the certificate Self-signed? imported to phone?
disable other VPN's for testing
0 -
Yes certificate is self signed and imported to the iphone, i already created a new certificate and imported it, but the same problem.
for testing also disconected the other site to site vpn's and the VPN for the laptop, but stil no connection, every time the Peer ID mismatch, very strange can't find the root cause, it worked before more then a year without any issue, noticed the problem a few days after the upgrade of the ATP200 and the IPhone to IOS 18, but don't know witch is causing the issue.
its only the Iphone, other site to site vpn's are working, and the other VPN for the laptop, is also using the same certificate and is working..
0 -
Maybe a update on the phone caused it?
can you try strongswan VPN client?
0 -
Hi Peter, i searched for strongswan VPN client in the appstore, i only found Brooog IKEv2
instaled it, but here i can't use the certificate , so maybe i'm doing something wrong.
It is very strange, maybe more people are reading this problem on the forum, so i'm courious if more people got the same issue when using a ATPxxx router with a IOS 18 devive and a IKEV2 VPN with a certificate, i can't believe i'm the only one with this combination :-)
0 -
Hi @Jarno_Smits,
It seems like iOS/macOS has changed the proposal in the new version. Could you follow this FAQ to configure the phase 1 and phase 2 proposals and test remote access again?
Also, please help collect the VPN event log if you still cannot connect to the remote access VPN. Thanks~Zyxel Melen0 -
Hello Melen,
Thank you for the feedback, i changed the phase 1 and 2 settings as described in the document, but still the same issue.
I also created a new certificate wit the WAN IP, and changed the setting to use the WAN IP instead but thas also don't make any diferense.
So I changed it but to the old settings with the FQDN
Below the settings how i have set it up at this moment, and the debug logging.
And the Debug loggng, when i enable the VPN on my ipone ( Iphone is offcourse at a 5G connection and not on the local wifi)
0 -
Try setting Domain name/ IPv4 to 0.0.0.0
0 -
Hi Peter,
No, when changing Domain name/ IPv4 to 0.0.0.0 still got the same error in de debug logging.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight