IPsec VPN setup for iPhone

OldFox Posts: 11
I'm trying to setup the Cisco IPSec VPN connection on the iPhone.
Everything works fine with StrongSwan VPN (installed on RaspberryPI), but now I want to get rid of StrongSwan and move the VPN server to the ZyXEL ZyWall 110.

I'm using certificate authentication + X-Auth.
Phase 1 process is done successfully. but in the Phase 2 I get the error message "Phase 2 proposal mismatch" and "No proposal chosen".

In attached images you can see the settings and IKE logs.

And HERE is the Apple reference for "Cisco IPsec VPN setup for iPhone and iPad".

Any idea how to solve this issue?




Accepted Solution

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 314  Zyxel Employee
    Answer ✓
    Thanks for your feedback.
    You can change the Perfect Forward Secrecy(PFS) to none, please refer to the below.

    And I also correct my previous message, thanks.

All Replies

  • OldFox
    OldFox Posts: 11
    I'm also attaching the log file of successful connection from the iPhone to the StrongSwan VPN server.
  • Zyxel_Jeff
    Zyxel_Jeff Posts: 314  Zyxel Employee
    edited July 2021

    You can change the local policy domain to, please refer to the following lab test result.

    Please change the local policy domain to

    The successful IKE log:

  • OldFox
    OldFox Posts: 11
    thanks for the feedback.
    I've removed VPN settings and started from scratch.
    I've done some changes:
    • changed encryption: AES128 to AES256 (in phase1 and phase2 settings)
    • changed address pool to range - 100
    • switched from certificate authentication to Pre-Shared Key
    • changed the local policy domain to, like you suggested
    So my settings looks same as yours now. You can check my settings and logs in the following PDF file:

    But I still get that error message:
    [SA] : Tunnel [IPSec_iOS] Phase 2 proposal mismatch
    [SA] : No proposal chosen

    There should be that "Recv IPSec SA..." message, like in your case.

    However in your test result there is 2x same image from the Phase1, so I can't see lower part of the Phase2 settings (below the "Mode config" section). Could you maybe re-attach "Phase 2" settings image?
    Any idea what should I try next?

    L2TP VPN connection is working fine, but I want to use IPSec, becaust it allows "VPN on demand" feature.

    Thanks a lot for your support

  • OldFox
    OldFox Posts: 11
    Wow, if I disable the PFS (phase2) it works! Thanks.

    But if I switch back to authentication with certificates, it doesn't work. Phase 1 is ok, but in Phase 2 I get the "delete" or "close connection" message (I will post log later, when I get home) , without any error message. 
    Any idea why it doesn't work with certificate authentication?
    I'm not 100% sure, but I think that "VPN on demand" requires certificate authentication.

    Thanks again for your time!

Security Highlight