IKEv2 VPN with Pre-Shared key on Mobile Devices (Instead of L2TP)
This article shows how to connect mobile phones (Android and iPhone/iOS) using IKEv2 with a pre-shared key (PSK) instead of L2TP, because from Android 12 onward L2TP support is no longer available. It also covers the IKEv2 PSK setup for iOS users.
First, we need to set up the tunnel on our firewall; in this case, the firewall is an ATP200 running firmware 5.31.
1) Firewall: Setup VPN Gateway (Phase 1)
- Login to your device using the GUI
- Go to "Configuration > VPN > IPSec VPN > VPN Gateway"
- Click on "Add"
- Click on "Enable"
- Please give it a Name
- Choose IKEv2
- Choose your WAN Interface
- Set the Peer Gateway Address to "Dynamic"
- Set a Pre-Shared Key "PSK"
In "Phase 1 Settings", we need to change the Advanced settings
- Add Encryption and Authentication according to the picture below
- Add Key Group according to the image below
- Disable the Two-factor Authentication
- Click "OK"
Note: For iOS 17, key group DH19 must be used.
2) Firewall: Setup VPN Connection (Phase 2)
- Go to the "VPN Connection" tab
- Click on "Add"
- Click on "Enable"
- Please give it a name
- Choose "Remote Access (Server Role)"
- Choose the Gateway we created in the previous Step
- Choose the "Local Policy": the subnet you want to reach through the VPN
- Enable "Configuration Payload". This is mandatory for iOS; for Android it is optional.
In "Phase 2 Settings", we need to change the Advanced settings
- Add Encryption and Authentication according to the picture below
- Add Key Group according to the picture below
- Click "OK"
Note! You can also use DH2 and DH14 in both the "Phase 1" and "Phase 2" settings if other devices (such as older Android phones) cannot connect.
3) Mobile: Configure on Android
- Settings
- Open the VPN section and go to the VPN settings
- Add a new VPN Connection
- Type the Name
- Choose IKEv2/IPSec PSK
- Enter the IP or FQDN of the WAN interface of your firewall
- Enter IPSec identifier (If you have not changed anything on the Firewall, leave 0.0.0.0)
- Enter the Pre-shared Key (same as you entered on the Firewall)
- Click "Save"
- Select the newly created VPN and click "Connect."
4) Mobile: Configure on iOS (iPhone)
- Settings
- Open the VPN section and go to the VPN settings
- Add a new VPN Connection
- Choose IKEv2
- Type the Name
- Enter the IP or FQDN of the WAN interface of your firewall
- Enter Remote ID (If you have not changed anything on the Firewall, leave 0.0.0.0)
- Choose User Authentication "None"
- Disable "User Certification"
- Enter the Pre-shared Key (same as you entered on the Firewall)
- Click "Done"
- Select the newly created VPN and click "Connect."
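The same iOS settings as a deployable configuration profile (.mobileconfig), added here as an example that is not part of the original article or Zyxel's documentation. The gateway address, UUIDs, PSK and the AES-256/SHA2-256 algorithms are placeholders or assumptions, since the article's proposal screenshots are not reproduced here; only the DH19 key group and the 0.0.0.0 Remote ID come from the steps above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.ikev2psk.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string> <!-- placeholder: generate a real UUID -->
  <key>PayloadDisplayName</key><string>IKEv2 PSK VPN</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.ikev2psk.vpn</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string> <!-- placeholder: generate a real UUID -->
      <key>UserDefinedName</key><string>IKEv2 PSK VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- Server: IP or FQDN of the firewall's WAN interface (placeholder value) -->
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <!-- Remote ID is 0.0.0.0 unless changed on the firewall; Local ID left blank as in the manual steps -->
        <key>RemoteIdentifier</key><string>0.0.0.0</string>
        <key>LocalIdentifier</key><string></string>
        <!-- Pre-shared key only: user authentication "None", no client certificate -->
        <key>AuthenticationMethod</key><string>SharedSecret</string>
        <key>SharedSecret</key><string>REPLACE-WITH-THE-FIREWALL-PSK</string>
        <key>ExtendedAuthEnabled</key><false/>
        <!-- Phase 1 proposal: DH19 is required for iOS 17; AES-256/SHA2-256 are assumed, match the firewall -->
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>19</integer>
        </dict>
        <!-- Phase 2 proposal with PFS; key group assumed to equal the firewall's Phase 2 key group -->
        <key>EnablePFS</key><true/>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>19</integer>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

The profile stores the PSK in clear text, so treat the file as a credential and distribute it through MDM or another trusted channel rather than e-mail.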
You can check the connection status in the firewall GUI (under Configuration -> VPN -> IPSec VPN; a green symbol is shown when the tunnel is connected).
You can also see the connection events under Monitor -> Logs.