This article provides a step-by-step guide on configuring IKEv2 Remote Access VPN for Apple macOS Sonoma devices. Due to the default IKEv2 encryption settings used by Apple macOS/iOS/iPadOS 26 clients (AES256GCM, PRF-SHA256, and DH Group 19), the VPN gateway must be configured to support these parameters to ensure the successful establishment of the remote VPN connection. After installing the provisioning file on the macOS device, users are prompted to modify the user authentication settings to include a username and password. This step ensures a secure and tailored authentication process for accessing the VPN connection.
Disclaimer: This article offers a general overview of the series and may not apply uniformly to every model or software/firmware version. Before purchasing or using the device, please consult the model/version-specific documentation or contact technical support for accurate information.
Note: If you are unable to establish a VPN connection after upgrading to macOS Sonoma, please refer to the following article for a solution: Zyxel USG FLEX H Series [VPN] - Troubleshooting VPN Connection Issues After Updating to macOS Sonoma
Please note: When using certificates for an IKEv2 VPN connection, the Remote ID must match the Common Name (CN) of the remote VPN gateway certificate. During authentication, the client checks that the Remote ID matches the name in the certificate. This helps confirm the identity of the remote device and protects the connection from unauthorized access.
In Zyxel Nebula, the Remote ID is usually based on the certificate's Subject Name, which contains the CN. In this example, the Remote ID is 10.214.48.32, which matches the CN of the certificate (10.214.48.32).
Certificate installation is not required when the VPN tunnel is configured manually.
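The Remote ID check described above, as an added example (not Zyxel's or Apple's code): the gateway certificate is represented as a constructed dict of its Subject CN and Subject Alternative Name entries rather than a parsed X.509 object, and accepting SAN entries in addition to the CN is an assumption of this example. The point it adds is normalization: an IPv6 Remote ID written with leading zeros, or a hostname typed in a different case, is the same identity and must compare equal.

```python
"""Check a configured IKEv2 Remote ID against the identity in the gateway certificate.

Added example, not Zyxel's or Apple's code. The certificate below is a
constructed dict of Subject CN and SAN entries, not a parsed certificate.
"""
import ipaddress
from typing import Dict, List, Tuple


def canonical(identity: str) -> str:
    """Canonicalize an identity before comparison.

    IP literals go through ipaddress so that '2001:0db8::0001' and
    '2001:db8::1' compare equal; names are lower-cased and a trailing
    dot is dropped.
    """
    identity = identity.strip()
    try:
        return str(ipaddress.ip_address(identity))
    except ValueError:
        return identity.lower().rstrip(".")


def check_remote_id(remote_id: str, cert: Dict[str, object]) -> Dict[str, object]:
    """Return a result dict: ok, which field matched (CN or SAN), and the
    candidate identities the certificate actually carries when nothing matches.

    Assumption (this example's, not the article's): the CN and any SAN entry
    are both acceptable identities for the gateway.
    """
    candidates: List[Tuple[str, str]] = []
    cn = cert.get("cn")
    if cn:
        candidates.append(("CN", str(cn)))
    for san in cert.get("san", []):  # type: ignore[union-attr]
        candidates.append(("SAN", str(san)))

    want = canonical(remote_id)
    for field, value in candidates:
        if canonical(value) == want:
            return {"ok": True, "matched": field, "value": value}
    # No match: report what the certificate offers so the admin can see the mismatch.
    return {"ok": False, "matched": None, "candidates": [v for _, v in candidates]}


# Constructed sample mirroring the article's example: CN 10.214.48.32.
GATEWAY_CERT: Dict[str, object] = {
    "cn": "10.214.48.32",
    "san": ["10.214.48.32", "vpn.example.com"],  # SAN entries are constructed
}

if __name__ == "__main__":
    for rid in ("10.214.48.32", "VPN.EXAMPLE.COM.", "10.214.48.33"):
        print(rid, "->", check_remote_id(rid, GATEWAY_CERT))
```

A failed result lists the identities the certificate does carry, which is what an administrator needs when the client reports an authentication failure against a gateway whose certificate was issued to a different name.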

- Log in to the web GUI of your firewall
- Go to VPN > IPsec VPN and set the IKEv2-related information, as shown below
- Scroll down the page until you see "Advanced Settings". Perfect Forward Secrecy (PFS) defines whether an additional Diffie-Hellman key exchange is performed during IPsec Phase 2. When enabled, a new, independent key is generated for each IPsec Security Association; when disabled, Phase 2 uses key material derived from Phase 1.
- Download the "VPN Configuration Script Download" file to your macOS device and install it

To set the profile on your macOS device:

- Go to System Preferences > Privacy and Security
- Double-click on the downloaded profile and install it
- macOS may prompt for an administrator username and password to set the profile; enter the details and click "OK"
- Go to System Settings > VPN and edit the profile
- Set User authentication to Username and type the username and password
- Enable the VPN connection and you're done
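Why the gateway must carry a proposal matching the client defaults named at the top of the article, as an added example (not Zyxel's code): this script simulates the responder's proposal selection from RFC 7296 section 3.3, where the first client proposal for which the gateway shares at least one transform of every required type wins. The client proposal is the macOS default from the article (AES256GCM, PRF-SHA256, DH group 19); the two gateway configurations are constructed, one that cannot satisfy it and one that adds a matching proposal, and `explain_failure` shows which transform types caused the miss.

```python
"""Simulate IKEv2 IKE_SA_INIT proposal selection (RFC 7296 section 3.3).

Added example, not Zyxel's code. The client proposal reflects the macOS/iOS
defaults named in the article; the gateway proposal lists are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Combined-mode (AEAD) ciphers carry no separate INTEG transform in IKEv2.
AEAD_CIPHERS = {"AES128GCM", "AES256GCM", "CHACHA20POLY1305"}


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal: ordered tuples of acceptable transforms per type.
    'integ' stays empty for AEAD-only proposals."""
    encr: Tuple[str, ...]
    prf: Tuple[str, ...]
    dh: Tuple[int, ...]
    integ: Tuple[str, ...] = ()


# The client side: macOS default IKEv2 proposal as stated in the article.
MACOS_DEFAULT = [Proposal(encr=("AES256GCM",), prf=("PRF-SHA256",), dh=(19,))]

# Constructed gateway configurations.
CBC_ONLY_GATEWAY = [
    Proposal(encr=("AES256CBC",), prf=("PRF-SHA256",), dh=(14,), integ=("HMAC-SHA2-256-128",)),
]
UPDATED_GATEWAY = CBC_ONLY_GATEWAY + [
    Proposal(encr=("AES256GCM",), prf=("PRF-SHA256",), dh=(19,)),
]


def _first_common(offered: Tuple, supported: Tuple):
    """First transform in the client's preference order that the gateway supports."""
    for t in offered:
        if t in supported:
            return t
    return None


def negotiate(client: List[Proposal], gateway: List[Proposal]) -> Optional[Dict[str, object]]:
    """Responder choice: first client proposal for which some gateway proposal
    shares a transform of every required type. Returns the chosen transforms,
    or None (the wire equivalent of NO_PROPOSAL_CHOSEN)."""
    for cp in client:
        for gp in gateway:
            encr = _first_common(cp.encr, gp.encr)
            prf = _first_common(cp.prf, gp.prf)
            dh = _first_common(cp.dh, gp.dh)
            if encr is None or prf is None or dh is None:
                continue
            chosen: Dict[str, object] = {"encr": encr, "prf": prf, "dh": dh}
            if encr not in AEAD_CIPHERS:
                # Non-AEAD cipher: an integrity transform must also agree.
                integ = _first_common(cp.integ, gp.integ)
                if integ is None:
                    continue
                chosen["integ"] = integ
            return chosen
    return None


def explain_failure(client: List[Proposal], gateway: List[Proposal]) -> Dict[str, List]:
    """Per transform type, the client values no gateway proposal supports.
    An empty dict with a failed negotiate() means every transform exists
    somewhere in the gateway config but never together in one proposal."""
    missing: Dict[str, List] = {}
    for name in ("encr", "prf", "dh", "integ"):
        offered = {t for cp in client for t in getattr(cp, name)}
        supported = {t for gp in gateway for t in getattr(gp, name)}
        gap = sorted(offered - supported, key=str)
        if gap:
            missing[name] = gap
    return missing


if __name__ == "__main__":
    print("CBC-only gateway:", negotiate(MACOS_DEFAULT, CBC_ONLY_GATEWAY),
          explain_failure(MACOS_DEFAULT, CBC_ONLY_GATEWAY))
    print("updated gateway: ", negotiate(MACOS_DEFAULT, UPDATED_GATEWAY))
```

Against the CBC-only configuration the client's single proposal misses on both the cipher and the DH group, which is exactly the situation the article's gateway settings are meant to avoid; adding the AES256GCM / PRF-SHA256 / group 19 proposal makes the negotiation succeed without removing the existing proposal for other clients.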

To verify the successful configuration and establishment of the IKEv2 VPN connection with the specified settings, follow these steps:
- Navigate to the USG Flex H graphical user interface (GUI)
- Access the VPN Status section
- Within the VPN Status, go to IPsec VPN
- Select Remote Access VPN
Upon reaching this location, you should observe that the IKEv2 VPN connection has been successfully established
