IKEv2 Certificate Based on iOS 17.0.3

alehzn Posts: 37  Freshman Member
edited October 2023 in Security

Hello Community,

After getting a new Apple device (iPhone 15) with the latest version (17.0.3), I am not able to get my IKEv2 VPN running. With the previous Apple device (iPhone X) everything was working fine. The configuration has not been changed on the ZyXEL (USG20W-VPN) side. Please see a screenshot of the configuration:

After successfully reinstalling the certificate on the new device and entering the credentials for authentication, I am getting a "phase 2 proposal mismatch" message in the ZyXEL log.

On my existing iPad the IKEv2 VPN worked fine after an in-place upgrade to iOS 17. However, after deleting the VPN configuration and reconfiguring it (on the iPad) the VPN stopped working with the same proposal mismatch issue.

Any ideas?

Thanks a lot in advance.

All Replies

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    Did you set up the IKEv2 VPN manually or with the Quick Setup Wizard?
    I performed a test with an iPhone 15 on iOS 17.0.3 and it works fine. The IKEv2 profile was created by the wizard, then I downloaded the script to the iPhone 15.

  • ake01
    ake01 Posts: 4
    edited October 2023

    It does not work here either, using IKEv2 with an iPhone 14 Pro on iOS 17.1 and an ATP100. :-(

    Tried everything for hours. The same settings work with a USG 100 Flex and the very same iPhone, so it has to do something with the ATP100 in combination with newer iPhones. My old iPad Mini 2 with iOS 12.5.7 is able to establish the VPN connection (to the ATP100).

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    You may follow my encryption configuration, AES128/SHA256, and try again.
    Moreover, I recommend creating the VPN configuration via the Wizard and then downloading the VPN script. It works for my iPhone with iOS 17.

  • ake01
    ake01 Posts: 4
    edited November 2023

    Just tried it with the wizard and it still doesn't work. Wizard configured:
    Phase 1: AES128/SHA256, DH2, DH14, DH21
    Phase 2: AES128/SHA256, none

    The log says (newest on top):

    IKE SA [] is disconnected [count=3]
    [SA] : No proposal chosen [count=3]
    [SA] : Tunnel [RemoteAccess_Wiz] Phase 1 proposal mismatch [count=3]

    Honestly I don't know what to do…

  • ake01
    ake01 Posts: 4

    PROBLEM SOLVED!

    Use DH19 instead of DH14! So for Windows/Mac/iOS use groups DH2 and DH19.

    @Zyxel Support: Please change your online manuals ;-)
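The log lines in the thread ("Phase 1 proposal mismatch" followed by "No proposal chosen") are the gateway's view of an IKE_SA_INIT in which none of its configured transform combinations matched anything the phone offered. The following is an added example, not code from Zyxel, Apple or any poster here: it models the responder's proposal selection from RFC 7296 section 3.3 over the wizard configuration quoted above (AES128/SHA256 with DH2, DH14, DH21) and the accepted fix (DH2, DH19), and adds a diagnosis step that names which transform type has no overlap, which the gateway log does not. The initiator's offer (`CLIENT_OFFER`) is constructed to reproduce the thread's symptom; it is an assumption for illustration, not a statement of what iOS 17 actually sends.

```python
"""Toy IKEv2 proposal selection (RFC 7296, section 3.3).

Added example, not code from Zyxel, Apple or this thread. The responder
(gateway) accepts the first of its configured transform combinations that the
initiator (phone) also offered; if none overlaps it answers NO_PROPOSAL_CHOSEN,
which the gateway logs as "proposal mismatch". CLIENT_OFFER is CONSTRUCTED to
reproduce the thread's symptom and is not a claim about what iOS 17 sends.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    """One combination of the four IKE_SA transform types."""
    encr: str   # ENCR, e.g. "AES-CBC-128"
    integ: str  # INTEG, e.g. "HMAC-SHA2-256-128"
    prf: str    # PRF,   e.g. "HMAC-SHA2-256"
    dh: int     # Diffie-Hellman group number (2, 14, 19, ...)


def expand(encrs, integs, prfs, dhs) -> list[Proposal]:
    """Turn Zyxel-style per-type lists into every transform combination, in order."""
    return [Proposal(e, i, p, d) for e, i, p, d in product(encrs, integs, prfs, dhs)]


def choose(responder: list[Proposal], initiator: list[Proposal]) -> Optional[Proposal]:
    """Responder picks the first configured proposal the initiator also offered."""
    offered = set(initiator)
    for candidate in responder:
        if candidate in offered:
            return candidate
    return None  # NO_PROPOSAL_CHOSEN


def diagnose(responder: list[Proposal], initiator: list[Proposal]) -> dict[str, set]:
    """For each transform type with no common value, list what the initiator offered.

    A 'proposal mismatch' log line does not say which attribute failed; this does.
    """
    gaps = {}
    for attr in ("encr", "integ", "prf", "dh"):
        ours = {getattr(p, attr) for p in responder}
        theirs = {getattr(p, attr) for p in initiator}
        if not ours & theirs:
            gaps[attr] = theirs
    return gaps


# Gateway side as the thread's wizard configured it: AES128/SHA256 with DH2, DH14, DH21.
WIZARD_CONFIG = expand(["AES-CBC-128"], ["HMAC-SHA2-256-128"], ["HMAC-SHA2-256"], [2, 14, 21])
# Same ciphers, DH groups changed to DH2, DH19 as in the accepted answer.
FIXED_CONFIG = expand(["AES-CBC-128"], ["HMAC-SHA2-256-128"], ["HMAC-SHA2-256"], [2, 19])
# CONSTRUCTED initiator offer: same ciphers, but only ECP groups 19 and 20 (assumption).
CLIENT_OFFER = expand(["AES-CBC-128"], ["HMAC-SHA2-256-128"], ["HMAC-SHA2-256"], [19, 20])


def run_negotiation(responder, initiator):
    """Return (chosen proposal or None, per-type gaps) for a log-style summary."""
    return choose(responder, initiator), diagnose(responder, initiator)


if __name__ == "__main__":
    for name, cfg in (("wizard", WIZARD_CONFIG), ("fixed", FIXED_CONFIG)):
        chosen, gaps = run_negotiation(cfg, CLIENT_OFFER)
        if chosen is None:
            print(f"{name}: Phase 1 proposal mismatch; no overlap on {gaps}")
        else:
            print(f"{name}: chose {chosen}")
```

Run against a real mismatch, the useful output is the `diagnose` dictionary: if it names only `dh`, the cipher and hash settings are fine and only the group list needs changing, which is what the thread converged on.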

  • Zyxel_James
    Zyxel_James Posts: 663  Zyxel Employee

    @ake01 Thanks for your feedback.

    According to Apple's official documentation, the minimum allowed value is DH14. You can see in my screenshot provided previously that I used DH2, DH14, DH21.

    Reference:

    Could you confirm that you only need to adjust the DH group setting to make it work?

  • ake01
    ake01 Posts: 4
    edited November 2023 Answer ✓

    yes, on my ATP100 I just changed the DH group from DH2, DH14, DH21

    to DH2, DH19

    DH14 and/or DH21 did not work for me.

    best regards from Austria

  • Niksr
    Niksr Posts: 2  Freshman Member

    FYI, with iOS 18 there is another problem: an empty LocalIdentifier in the mobileconfig file.

    Solution: log in to the device from Chrome with a changed user agent (under Network Conditions in the DevTools panel), download the *.mobileconfig file, find the LocalIdentifier string, put a random email there, and send the changed file by email. Open it on the iPhone in Mail and install the profile as usual. This is also a chance to change the profile name and VPN name to something useful and to make all UUIDs unique, so it is possible to install profiles from more than one USG.

    Credit: https://techsearch.watchguard.com/KB?type=Known%20Issues&SFDCID=kA1Vr00000060IHKAY&lang=en_US
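The manual edit described in the post above (fill the empty LocalIdentifier, rename the profile and VPN entry, make the UUIDs unique) is a plist edit, so it can be done and checked with Python's standard `plistlib` instead of a text editor. The following is an added example, not code from Zyxel, Apple, WatchGuard or the poster: `audit_profile` reports an empty LocalIdentifier and missing or duplicate PayloadUUIDs, and `fix_profile` applies the post's three changes and regenerates every PayloadUUID so exports from several gateways can coexist on one device. `SAMPLE_MOBILECONFIG` is a constructed stand-in shaped like a wizard export, not a real Zyxel file; the LocalIdentifier value, profile name and VPN name passed in are assumptions, and the value must be one the gateway accepts as the peer identity (the post reports an arbitrary email address worked).

```python
"""Audit and repair an Apple .mobileconfig IKEv2 profile whose LocalIdentifier is empty.

Added example, not code from Zyxel, Apple, WatchGuard or this thread.
SAMPLE_MOBILECONFIG is a CONSTRUCTED stand-in shaped like a wizard export.
"""
import plistlib
import uuid

SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.ikev2</string>
      <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
      <key>PayloadDisplayName</key><string>VPN</string>
      <key>UserDefinedName</key><string>RemoteAccess_Wiz</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.net</string>
        <key>RemoteIdentifier</key><string>vpn.example.net</string>
        <key>LocalIdentifier</key><string></string>
        <key>AuthenticationMethod</key><string>Certificate</string>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key><string>VPN</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
"""


def ikev2_payloads(profile: dict):
    """Yield the IKEv2 VPN payload dicts inside a parsed profile."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed" and payload.get("VPNType") == "IKEv2":
            yield payload


def audit_profile(data: bytes) -> list[str]:
    """Return human-readable problems: empty LocalIdentifier, missing or duplicate UUIDs."""
    profile = plistlib.loads(data)
    problems = []
    for payload in ikev2_payloads(profile):
        if not payload.get("IKEv2", {}).get("LocalIdentifier"):
            problems.append(f"{payload.get('UserDefinedName', '?')}: LocalIdentifier is empty")
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in profile.get("PayloadContent", [])]
    if any(not u for u in uuids):
        problems.append("a payload has no PayloadUUID")
    if len(set(uuids)) != len(uuids):
        problems.append("duplicate PayloadUUID values inside the profile")
    return problems


def fix_profile(data: bytes, local_id: str, profile_name: str, vpn_name: str) -> bytes:
    """Fill LocalIdentifier where empty, rename, and regenerate every PayloadUUID."""
    profile = plistlib.loads(data)
    profile["PayloadUUID"] = str(uuid.uuid4()).upper()   # fresh envelope UUID
    profile["PayloadDisplayName"] = profile_name
    for payload in profile.get("PayloadContent", []):
        payload["PayloadUUID"] = str(uuid.uuid4()).upper()  # fresh UUID per payload
    for payload in ikev2_payloads(profile):
        payload["UserDefinedName"] = vpn_name
        payload["PayloadDisplayName"] = vpn_name
        ike = payload.setdefault("IKEv2", {})
        if not ike.get("LocalIdentifier"):
            ike["LocalIdentifier"] = local_id  # value is an assumption; must suit the gateway
    return plistlib.dumps(profile)


def local_identifiers(data: bytes) -> list[str]:
    """LocalIdentifier of every IKEv2 payload, in order."""
    return [p.get("IKEv2", {}).get("LocalIdentifier", "") for p in ikev2_payloads(plistlib.loads(data))]


def uuids_of(data: bytes) -> set[str]:
    """All PayloadUUID values in a profile, to check that two exports do not collide."""
    profile = plistlib.loads(data)
    return {profile["PayloadUUID"]} | {p["PayloadUUID"] for p in profile.get("PayloadContent", [])}


if __name__ == "__main__":
    print(audit_profile(SAMPLE_MOBILECONFIG))
    fixed = fix_profile(SAMPLE_MOBILECONFIG, "user@example.net", "Office USG20W-VPN", "Office IKEv2")
    print(audit_profile(fixed), local_identifiers(fixed), sorted(uuids_of(fixed)))
```

Feed the downloaded file's bytes to `fix_profile` and write the returned bytes back out as `.mobileconfig`; running `audit_profile` on exports from two gateways, or on the same export twice, shows the UUID collision the post warns about before the second install fails.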
