Knowledge Base

How an iOS device gets the IKEv2 VPN configuration from the device

Scenario

This example shows how an iOS client can get the IKEv2 VPN configuration directly from the device. This avoids configuration errors and certificate errors and makes it easier to establish the IKEv2 tunnel.

 

Step

Generate a self-signed certificate for IKEv2 VPN Tunnel

In the VPN/ATP, go to Configuration > Object > Certificate and click the Add button to generate a self-signed certificate.

Create the VPN gateway and VPN connection for IKEv2 VPN Tunnel

In the VPN/ATP, go to CONFIGURATION > VPN > IPSec VPN > VPN Gateway and click Add to create a VPN gateway rule.

Configuration > VPN > IPSec VPN > VPN Gateway > Click “add” button

In the VPN/ATP, go to CONFIGURATION > VPN > IPSec VPN > VPN Connection and click Add to create a VPN connection rule.

Configuration > VPN > IPSec VPN > VPN Connection > Click “add” button

Set Up the Configuration Provisioning for IKEv2 rule

Go to CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning, click the Add button to create a rule, and select the IKEv2 rule that you would like to provision.

CONFIGURATION > VPN > IPSec VPN > Configuration Provisioning

Use your iOS device to get the IKEv2 configuration from the device

On your iOS device, use Safari to access the device (e.g. https://192.168.1.1) and log in as the normal user that you set up in the provisioning rule. Then click the “IKEv2” button to download the configuration.

Enter your iOS device password, and then click the Install button to install it.

Enter the IKEv2 user name and password after the configuration is installed.

After these steps, the IKEv2 rule appears on your iOS device (Settings > General > VPN > IKEv2_Connection), and you can try to connect the IKEv2 tunnel from your iOS device.

 

Verification

Test the Result

On your iOS device, go to Settings > General > VPN > IKEv2_Connection, click the connect button, and check whether your VPN tunnel is established.

What Can Go Wrong?

  1. This function is only supported on iOS 9.3 or above.
  2. When downloading the configuration, you must use Safari to access the device.
  3. When generating the certificate, you must enter an FQDN and make sure it resolves to the device’s WAN IP address.
  4. Currently, iOS supports specific algorithms. In VPN gateway: AES256+SHA256, Key group=DH14. In VPN connection: AES128+SHA256, PFS=none.
  5. Make sure the assigned IP address pool does not overlap with any subnet. The local policy setting affects routing on the iOS device. In this example, all iOS traffic is forwarded to the device after the tunnel is established.
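
Items 3 to 5 above can be checked before the profile is handed to users. The following preflight check is an added example, not Zyxel code: the plan dictionary, its field names, the function names and the sample addresses are all assumptions made for illustration, and only the expected algorithm values come from this page.

```python
import ipaddress
import socket

# Proposal values taken from the "What Can Go Wrong?" list on this page.
SUPPORTED = {
    "gateway": {"encryption": "AES256", "authentication": "SHA256", "key_group": "DH14"},
    "connection": {"encryption": "AES128", "authentication": "SHA256", "pfs": "none"},
}

def resolve_ipv4(fqdn):
    """Return the set of IPv4 addresses the FQDN resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def preflight(plan, resolver=resolve_ipv4):
    """Return a list of problems found in a planned IKEv2 provisioning setup."""
    problems = []
    # Item 3: the certificate FQDN must resolve to the device's WAN IP.
    if plan["wan_ip"] not in resolver(plan["cert_fqdn"]):
        problems.append(f"{plan['cert_fqdn']} does not resolve to {plan['wan_ip']}")
    # Item 4: gateway and connection proposals must match the listed values.
    for phase, wanted in SUPPORTED.items():
        for key, value in wanted.items():
            got = plan[phase].get(key)
            if got != value:
                problems.append(f"{phase} {key} is {got}, expected {value}")
    # Item 5: the assigned address pool must not overlap any subnet.
    pool = ipaddress.ip_network(plan["pool"])
    for subnet in plan["subnets"]:
        if pool.overlaps(ipaddress.ip_network(subnet)):
            problems.append(f"pool {pool} overlaps subnet {subnet}")
    return problems

# Constructed sample plan (hypothetical names and addresses, not from the page).
SAMPLE_PLAN = {
    "cert_fqdn": "vpn.example.com",
    "wan_ip": "203.0.113.10",
    "gateway": {"encryption": "AES256", "authentication": "SHA256", "key_group": "DH14"},
    "connection": {"encryption": "AES128", "authentication": "SHA256", "pfs": "DH2"},
    "pool": "192.168.1.128/25",
    "subnets": ["192.168.1.0/24", "10.0.0.0/24"],
}

if __name__ == "__main__":
    fake_dns = lambda name: {"203.0.113.10"}  # constructed answer so this runs offline
    for problem in preflight(SAMPLE_PLAN, resolver=fake_dns):
        print("FAIL:", problem)
```

Drop the resolver argument to check the FQDN against live DNS from the network the iOS clients will use.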




Question Profile

ARTICLE ID: 018054
TYPE: Application / Configuration Example
FIRMWARE: 4.38 or above version
MODEL: ZyWALL 110, ZyWALL 1100, ZyWALL 310
