This article shows how to connect mobile phones (Android and iPhone/iOS) with IKEv2 PSK (pre-shared key) instead of L2TP, because L2TP support is no longer available in Android 12 and later. It also covers how to set up IKEv2 PSK for iOS users.
First, we need to set up the tunnel on our firewall; in this case, the firewall is an ATP200 running firmware 5.31.
Firewall: Setup VPN Gateway (Phase 1)
- Login to your device using GUI
- Go to "Configuration > VPN > IPSec VPN > VPN Gateway"
- Click on "Add"
- Click on "Enable"
- Please give it a Name
- Choose IKEv2
- Choose your WAN Interface
- Set the Peer Gateway Address to "Dynamic"
- Set a Pre-Shared Key "PSK"
In "Phase 1 Settings", we need to change the Advanced settings
- Add Encryption and Authentication according to the picture below
- Add Key Group according to the image below
- Disable the Two-factor Authentication
- Click "OK"
Note: For iOS 17, the key group DH19 must be used.
Firewall: Setup VPN Connection (Phase 2)
Go to the "VPN Connection" tab.
- Click on "Add"
- Click on "Enable"
- Please give it a name
- Choose "Remote Access (Server Role)"
- Choose the Gateway we created in the previous Step
- Choose the "Local Policy": the subnet you want to reach through the VPN
- Enable "Configuration Payload". This is mandatory for iOS and optional for Android.
In "Phase 2 Settings", we need to change the Advanced settings
- Add Encryption and Authentication according to the picture below
- Add Key Group according to the picture below
- Click "OK"
Note: You can also use DH2 and DH14 in both the "Phase 1" and "Phase 2" settings if other devices (such as older Android phones) cannot connect.
Mobile: Configure on Android
- Open Settings
- Go to the VPN settings
- Add a new VPN Connection
- Type the Name
- Choose IKEv2/IPSec PSK
- Enter the IP or FQDN from the WAN Interface of your Firewall
- Enter the IPSec identifier (if you have not changed anything on the firewall, use 0.0.0.0)
- Enter the Pre-shared Key (same as you entered on the Firewall)
- Click "Save"
- Select the newly created VPN and click "Connect."
In some Android versions, the advanced settings include a "DNS Server" field. You can leave this field empty if you have not changed anything in the "Content" field on the firewall, as in the figure below. Otherwise, enter the same value in the "DNS Server" field as in the "Content" field.
In case of a successful connection, the VPN status on your mobile will be "Connected."
Mobile: Configure on iOS
Note: Since the release of iOS 18, users have reported issues connecting to remote VPNs configured via .mobileconfig files. The VPN connection fails to establish, so the profile must be created manually as an alternative.
Workaround:
Edit the .mobileconfig file:
Open the .mobileconfig file using a text editor such as Notepad.
Locate the following lines:
<key>LocalIdentifier</key> <string></string>
Modify the lines to include a specific identifier:
<key>LocalIdentifier</key> <string>Zyxel</string>
Save the changes and deploy the updated .mobileconfig file to your iOS device.
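Added example, not from the original article or from Zyxel: a small Python script that makes the LocalIdentifier edit above programmatically with the standard plistlib module, touching only IKEv2 VPN payloads whose identifier is empty and reporting how many it changed, so a profile that was already patched is left alone. The embedded sample profile is constructed (placeholder host and identifiers) and assumes the exported .mobileconfig keeps LocalIdentifier inside the payload's IKEv2 dictionary, as Apple's VPN payload format does.

```python
import plistlib

# Constructed sample profile (not from the page): a minimal IKEv2 PSK payload in
# the shape a firewall-exported .mobileconfig uses. Host and IDs are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.invalid</string>
        <key>RemoteIdentifier</key><string>0.0.0.0</string>
        <key>LocalIdentifier</key><string></string>
        <key>AuthenticationMethod</key><string>SharedSecret</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def fill_local_identifier(profile: bytes, identifier: str) -> tuple[bytes, int]:
    """Set LocalIdentifier on every IKEv2 VPN payload whose value is empty.
    Returns the re-serialised plist and how many payloads were changed, so a
    profile that was already patched is reported as 0 rather than rewritten."""
    data = plistlib.loads(profile)
    changed = 0
    for payload in data.get("PayloadContent", []):
        # Only VPN payloads carry an IKEv2 dictionary; leave other payloads alone.
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ike = payload.get("IKEv2")
        if isinstance(ike, dict) and not ike.get("LocalIdentifier"):
            ike["LocalIdentifier"] = identifier
            changed += 1
    return plistlib.dumps(data), changed


def local_identifiers(profile: bytes) -> list[str]:
    """LocalIdentifier of each IKEv2 payload, for a before/after check."""
    data = plistlib.loads(profile)
    return [p.get("IKEv2", {}).get("LocalIdentifier", "")
            for p in data.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]
```

To patch a real file, read its bytes, pass them to fill_local_identifier with the identifier you want (the article uses Zyxel), and write the returned bytes back before deploying the profile.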
- Open Settings
- Go to the VPN settings
- Add a new VPN Connection
- Choose IKEv2
- Type the Name
- Enter the IP or FQDN from the WAN Interface of your Firewall
- Enter the Remote ID (if you have not changed anything on the firewall, use 0.0.0.0)
- Choose User Authentication "None"
- Disable "User Certification"
- Enter the Pre-shared Key (same as you entered on the Firewall)
- Click "Done"
- Select the newly created VPN and click "Connect."
You can check the connection status on the firewall under Configuration -> VPN -> IPSec VPN; a green symbol indicates that the tunnel is connected.
You can also review the connection events under Monitor -> Logs.