IKEv2 VPN with Pre-Shared key on Mobile Devices (Instead of L2TP)

This article shows how to connect mobile phones (Android and iPhone/iOS) using IKEv2 with a pre-shared key (PSK) instead of L2TP, because Android 12 and later no longer include built-in L2TP support. The same IKEv2 PSK setup is also covered for iOS users.

mceclip15.png

First, set up the tunnel on the firewall; in this example the firewall is an ATP200 running firmware 5.31.

Firewall: Setup VPN Gateway (Phase 1)

  1. Log in to the device's web GUI
  2. Go to "Configuration > VPN > IPSec VPN > VPN Gateway"

mceclip1.png

  1. Click on "Add"
  2. Click on "Enable"
  3. Please give it a Name
  4. Choose IKEv2
  5. Choose your WAN Interface
  6. Set the Peer Gateway Address to "Dynamic"
  7. Set a Pre-Shared Key (PSK); use a long random value, since this key is the only thing authenticating the tunnel

mceclip0.png

In "Phase 1 Settings", open the Advanced settings:

  1. Add Encryption and Authentication according to the picture below
  2. Add Key Group according to the image below
  3. Disable the Two-factor Authentication
  4. Click "OK"

Note: iOS 17 requires key group DH19, so DH19 must be included in the Phase 1 key groups.

mceclip0.png

Firewall: Setup VPN Connection (Phase 2)

Go to the "VPN Connection" tab.

  1. Click on "Add"
  2. Click on "Enable"
  3. Please give it a name
  4. Choose "Remote Access (Server Role)"
  5. Choose the Gateway we created in the previous step
  6. Set "Local Policy" to the subnet the VPN clients should reach through the tunnel

Enable Configuration Payload, which lets the firewall hand the client its tunnel IP address (and optionally DNS servers). This is mandatory for iOS and optional for Android.

mceclip14.png

In "Phase 2 Settings", open the Advanced settings:

  1. Add Encryption and Authentication according to the picture below
  2. Add Key Group according to the picture below
  3. Click "OK"

mceclip8.png

Note: you can also add DH2 and DH14 to both the "Phase 1" and "Phase 2" settings if other devices (such as old Android phones) cannot connect. DH2 (1024-bit MODP) is considered weak, so add it only for clients that really need it and keep DH14 or DH19 as the preferred groups.

Mobile: Configure on Android

  1. Open Settings mceclip10.png
  2. Go to the VPN settings
  3. Add a new VPN connection
  4. Type the name
  5. Choose "IKEv2/IPSec PSK" as the type
  6. Enter the public IP address or FQDN of the firewall's WAN interface as the server address
  7. Enter the IPSec identifier (leave 0.0.0.0 if you have not changed the ID settings on the firewall)
  8. Enter the pre-shared key (the same one you entered on the firewall)
  9. Click "Save"
  10. Select the newly created VPN and click "Connect"

mceclip16.png mceclip17.png

mceclip19.png mceclip21.png

On some Android versions the advanced settings of the VPN profile include a "DNS Server" field. You can leave it empty if you have not changed the "Content" field of the DNS setting on the firewall, as in the figure below. Otherwise, enter the same value in the "DNS Server" field as in the "Content" field.

mceclip1.png

In case of a successful connection, the VPN status on your mobile will be "Connected."

Mobile: Configure on iOS

Note: since the release of iOS 18, users have reported that VPN connections configured via .mobileconfig files fail to establish. Either apply the workaround below to the profile, or create the VPN configuration manually as described in the steps that follow.

Workaround: edit the .mobileconfig file before deploying it.

  1. Open the .mobileconfig file in a text editor such as Notepad.
  2. Locate the following lines:

<key>LocalIdentifier</key>
<string></string>

  3. Change them so the identifier is a specific, non-empty value:

<key>LocalIdentifier</key>
<string>Zyxel</string>

  4. Save the changes and deploy the updated .mobileconfig file to your iOS device.
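The LocalIdentifier edit above can be scripted so it is applied the same way to every profile you hand out. The following Python script is an added example for this article, not Zyxel's or Apple's code. It builds a minimal unsigned IKEv2/PSK .mobileconfig that mirrors the manual iOS settings (Remote ID 0.0.0.0, user authentication "None", no certificate, DH19) and patches an existing profile whose LocalIdentifier is empty or missing. The payload identifiers (com.example.…), the profile name and the AES-256/SHA2-256 proposals are assumptions; the proposals must match what you configured in Phase 1 and Phase 2 on the firewall.

```python
"""Generate and patch an iOS IKEv2/PSK .mobileconfig (an unsigned XML plist).

Added example for this article, not Zyxel's or Apple's code. Payload keys
follow Apple's VPN payload format; the cipher choices are assumptions.
"""
import plistlib
import sys
import uuid

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def build_ikev2_psk_profile(server, psk, name="Office VPN",
                            local_identifier="", remote_identifier="0.0.0.0",
                            dh_group=19):
    """Return the bytes of a profile for a native IKEv2 connection using a PSK.

    Mirrors the manual iOS steps: Remote ID 0.0.0.0 (the firewall default),
    User Authentication "None" (ExtendedAuthEnabled = 0), no certificate, and
    DH19 as iOS 17 requires. LocalIdentifier defaults to "" to reproduce the
    iOS 18 failure case; pass a value to build a working profile directly.
    """
    sa_params = {
        "EncryptionAlgorithm": "AES-256",    # assumed; match the firewall
        "IntegrityAlgorithm": "SHA2-256",    # assumed; match the firewall
        "DiffieHellmanGroup": dh_group,
    }
    vpn_payload = {
        "PayloadType": VPN_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",   # hypothetical ID
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": remote_identifier,
            "LocalIdentifier": local_identifier,
            "AuthenticationMethod": "SharedSecret",
            "SharedSecret": psk,          # stored in the clear: protect the file
            "ExtendedAuthEnabled": 0,
            "IKESecurityAssociationParameters": dict(sa_params),
            "ChildSecurityAssociationParameters": dict(sa_params),
        },
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.profile",  # hypothetical ID
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def ikev2_settings(mobileconfig):
    """Return the IKEv2 dict of every IKEv2 VPN payload in the profile."""
    profile = plistlib.loads(mobileconfig)
    return [p["IKEv2"] for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == VPN_PAYLOAD_TYPE and "IKEv2" in p]


def local_identifiers(mobileconfig):
    """LocalIdentifier of each IKEv2 payload ("" when missing or empty)."""
    return [s.get("LocalIdentifier", "") for s in ikev2_settings(mobileconfig)]


def fix_local_identifier(mobileconfig, identifier="Zyxel"):
    """Apply the iOS 18 workaround to an existing unsigned .mobileconfig.

    Every IKEv2 payload whose LocalIdentifier is empty or missing gets
    `identifier`; payloads that already carry one are left untouched.
    Returns (patched bytes, number of payloads changed).
    """
    profile = plistlib.loads(mobileconfig)
    changed = 0
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != VPN_PAYLOAD_TYPE:
            continue
        ike = payload.get("IKEv2")
        if ike is None:           # e.g. an L2TP/IPsec payload: nothing to do
            continue
        if not ike.get("LocalIdentifier"):
            ike["LocalIdentifier"] = identifier
            changed += 1
    return plistlib.dumps(profile), changed


if __name__ == "__main__":
    # Usage: python fix_mobileconfig.py in.mobileconfig out.mobileconfig [ID]
    src, dst = sys.argv[1], sys.argv[2]
    ident = sys.argv[3] if len(sys.argv) > 3 else "Zyxel"
    with open(src, "rb") as f:
        patched, n = fix_local_identifier(f.read(), ident)
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"patched {n} IKEv2 payload(s); LocalIdentifier now "
          f"{local_identifiers(patched)}")
```

The script only handles the unsigned XML form of the profile (the one you can open in Notepad); a signed profile must be unpacked and re-signed after the edit. Keep in mind that the profile carries the PSK in the clear, so distribute it over a secure channel and delete the file once it is installed.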

  1. Open Settings mceclip1.png
  2. Go to the VPN settings
  3. Add a new VPN configuration
  4. Choose "IKEv2" as the type
  5. Type the name
  6. Enter the public IP address or FQDN of the firewall's WAN interface as the server address
  7. Enter the Remote ID (leave 0.0.0.0 if you have not changed the ID settings on the firewall)
  8. Set User Authentication to "None"
  9. Turn off "Use Certificate"
  10. Enter the pre-shared key (the same one you entered on the firewall)
  11. Click "Done"
  12. Select the newly created VPN and click "Connect"

mceclip3.png mceclip6.png mceclip1.png mceclip10.png

You can check the connection status on the firewall under Configuration > VPN > IPSec VPN; a green symbol is shown next to the connection once the tunnel is up.

mceclip22.png

You can also follow the connection events under Monitor > Logs.

mceclip13.png
