IKEv2 and mobileconfig files for MacOS/IOS and Windows.

Hello.

I'm running 2026.2 firmware on T125.

I have defined IKEv2 VPN (not BOVPN) as follows:
Phase1 : AES-GCM-128, DH19,
Phase2 : AES-GCM-128, no PFS.

When I downloaded the client profile, it does not include a working mobileconfig file for Mac/IOS or a Powershell script for Windows. Instead there's an error.txt file that tells me AES-GCM is not supported in Phase 1.

This information is wrong regarding latest Mac/IOS/Windows versions. The error.txt also suggests SHA1, DES, 3DES, and DH 1/2/5 for Apple - but Apple has dropped support in latest versions. It also claims Windows supports only DH 1/2/14, but Windows 10/11 support at least 19 and 20 as well.

If I manually change the EncryptionAlgorithm to AES-128-GCM and remove the IntegrityAlgorithm lines in a mobileconfig file, I can connect just fine using IKEv2 with iOS 26 devices. Same with editing the Powershell script. Using Traffic Monitor I have verified that the connection is indeed using AES-GCM. (also, I have no other proposals, so couldn't be anything else)

Apple has updated the ciphers and also dropped the old stuff:
https://developer.apple.com/documentation/devicemanagement/vpn/ikev2-data.dictionary/ikesecurityassociationparameters-data.dictionary

Perhaps WG could implement MacOS_iOS_Modern folder structure along with the old MacOS_IOS folder, with refreshed data that mirrors Apple's IKEv2 specifications? Same with Windows as well.

Also, the mobileconfig files have odd LifeTimeInMinutes values. Instead of 8 hours there's a value of 384 (minutes). Instead of 24 hours, there's a value of 1152. So 20% smaller than what is configured in WG. Is this by design to work around a problem in iOS/Mac?

One final question about Hardware Acceleration which shows as disabled when clients are connected. Traffic Monitor prints this line:
"XDO is not enabled for mobile VPN tunnels. vpn-type:2 xdo_max_mvpn:0"
Is the HW acceleration somehow broken on these new T1x5 models or was the 2026.1.1 fix a temporary solution until it is fixed in a future release? I don't have performance problems as it is.
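The manual edit described above (switch EncryptionAlgorithm to the GCM form and drop the IntegrityAlgorithm lines, leaving DH group and lifetimes untouched), as an added example that is not part of the original post or of any WatchGuard tooling. It uses Python's standard plistlib on a constructed profile fragment; the IKEv2 key names are Apple's documented ones, the gateway address is a placeholder.

```python
import plistlib

# Non-AEAD cipher -> its GCM counterpart; AEAD ciphers carry their own integrity.
GCM_FOR = {"AES-128": "AES-128-GCM", "AES-256": "AES-256-GCM"}
AEAD = {"AES-128-GCM", "AES-256-GCM", "ChaCha20Poly1305"}
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")

# Constructed sample (not a WatchGuard-generated file): the IKEv2 payload slice
# with the AES-128 + SHA2-256 fallback a profile generator might emit.
SAMPLE_PROFILE = {"PayloadContent": [{
    "PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2",
    "IKEv2": {
        "RemoteAddress": "vpn.example.invalid",  # placeholder gateway
        "IKESecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-128", "IntegrityAlgorithm": "SHA2-256",
            "DiffieHellmanGroup": 19, "LifeTimeInMinutes": 384},
        "ChildSecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-128", "IntegrityAlgorithm": "SHA2-256",
            "DiffieHellmanGroup": 19, "LifeTimeInMinutes": 1152}}}]}
SAMPLE_BYTES = plistlib.dumps(SAMPLE_PROFILE)


def sa_findings(sa: dict) -> list[str]:
    """Flag an SA dict that mixes an AEAD cipher with an IntegrityAlgorithm key
    (the lines the post had to remove) or a non-AEAD cipher without one."""
    enc, has_integ = sa.get("EncryptionAlgorithm"), "IntegrityAlgorithm" in sa
    if enc in AEAD and has_integ:
        return [f"{enc} is AEAD but IntegrityAlgorithm is set"]
    if enc not in AEAD and not has_integ:
        return [f"{enc} is not AEAD and has no IntegrityAlgorithm"]
    return []


def modernize(profile_bytes: bytes) -> bytes:
    """Rewrite AES-128/256 to the GCM form and drop IntegrityAlgorithm for AEAD;
    DiffieHellmanGroup and LifeTimeInMinutes stay exactly as generated."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("VPNType") != "IKEv2":
            continue
        for sa in (payload["IKEv2"].get(k) for k in SA_KEYS):
            if not sa:
                continue
            enc = sa.get("EncryptionAlgorithm")
            sa["EncryptionAlgorithm"] = GCM_FOR.get(enc, enc)
            if sa["EncryptionAlgorithm"] in AEAD:
                sa.pop("IntegrityAlgorithm", None)
            assert not sa_findings(sa), sa_findings(sa)  # sanity check before writing
    return plistlib.dumps(profile)


def sa_params(profile_bytes: bytes, key: str) -> dict:
    """Return one SA parameter dict from the first IKEv2 payload of a profile."""
    return plistlib.loads(profile_bytes)["PayloadContent"][0]["IKEv2"][key]
```

Run `modernize` over the bytes of a downloaded .mobileconfig and write the result to a new file; the PayloadUUID and the rest of the profile are passed through unchanged.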

Comments

  • edited May 5

    @denholm said:
    Hello.

    I'm running 2026.2 firmware on T125.

    I have defined IKEv2 VPN (not BOVPN) as follows:
    Phase1 : AES-GCM-128, DH19,
    Phase2 : AES-GCM-128, no PFS.

    When I downloaded the client profile, it does not include a working mobileconfig file for Mac/IOS or a Powershell script for Windows. Instead there's an error.txt file that tells me AES-GCM is not supported in Phase 1.

    This information is wrong regarding latest Mac/IOS/Windows versions. The error.txt also suggests SHA1, DES, 3DES, and DH 1/2/5 for Apple - but Apple has dropped support in latest versions. It also claims Windows supports only DH 1/2/14, but Windows 10/11 support at least 19 and 20 as well.

    If I manually change the EncryptionAlgorithm to AES-128-GCM and remove the IntegrityAlgorithm lines in a mobileconfig file, I can connect just fine using IKEv2 with iOS 26 devices. Same with editing the Powershell script. Using Traffic Monitor I have verified that the connection is indeed using AES-GCM. (also, I have no other proposals, so couldn't be anything else)

    Apple has updated the ciphers and also dropped the old stuff:
    https://developer.apple.com/documentation/devicemanagement/vpn/ikev2-data.dictionary/ikesecurityassociationparameters-data.dictionary

    Perhaps WG could implement MacOS_iOS_Modern folder structure along with the old MacOS_IOS folder, with refreshed data that mirrors Apple's IKEv2 specifications? Same with Windows as well.

    Also, the mobileconfig files have odd LifeTimeInMinutes values. Instead of 8 hours there's a value of 384 (minutes). Instead of 24 hours, there's a value of 1152. So 20% smaller than what is configured in WG. Is this by design to work around a problem in iOS/Mac?

    One final question about Hardware Acceleration which shows as disabled when clients are connected. Traffic Monitor prints this line:
    "XDO is not enabled for mobile VPN tunnels. vpn-type:2 xdo_max_mvpn:0"
    Is the HW acceleration somehow broken on these new T1x5 models or was the 2026.1.1 fix a temporary solution until it is fixed in a future release? I don't have performance problems as it is.

    Your device (WatchGuard T125 on 2026.2) is using old compatibility rules. The error.txt is incorrect—modern iOS / macOS and Windows 11 do support AES-GCM and DH19+. That’s why your manual edits work—your config is valid, the generator just hasn’t caught up.