iPadOS18 IKEv2 Mobile VPN + Authpoint
Hi Watchguard Community!
Anyone else having issues with IKEv2 Mobile VPN since upgrading to iPadOS18?
During the beta of 18 I noticed when trying to connect to a Watchguard Mobile IKEv2 VPN that it would get stuck at connecting and I would never be prompted to approve or deny my connection on another device in Authpoint.
Rolling back to iPadOS 17 fixed this so I just put it down to being an Apple issue in the beta and reported it to them at the time.
However as iPadOS and iOS 18 have released to the public today I thought I would try again and looks like the same issue is occurring.
Just wondering if anyone else in the community has experienced this or has any pointers on what logs I can go digging into.
I have a feeling the VPN connection never leaves my device and it's an Apple issue.
Comments
-
Hello.
I have the same problem with iOS 18. I think it is not an AuthPoint issue. Apple may have changed something in the basic behavior. I see the following traffic log when I try to start VPN (on an iOS 18 device):
2024-09-17 13:00:23 iked (x.x.x.x<->y.y.y.y)drop the received IKEv2 message from y.y.y.y:4500 - reason="payload(IDi)'s size is smaller than the minimal value(8 < 10)"
Any ideas how to fix it?
0 -
Glad I'm not the only one with problems here!
0 -
Depending on when you initially imported that VPN profile, I'd suggest trying to import it again.
If your issues persist, I'd suggest opening a support case so that one of our technicians can help.
0 -
Same issue just says connecting. We don't use AuthPoint so I feel like this is a WatchGuard/iOS issue. I imported a new config file as @james.carson suggested but same issue.
0 -
@Sraglin Please open a support case if you're able -- our team can take a look at your logs and help troubleshoot the issue.
0 -
@Chris01 my logs show the same issue.
Thanks @james.carson, support case raised.
0 -
Same problem here IKEv2, Firebox M300, iPhone 15 Pro Max iOS 18.
Have tried removing profile and re-importing - no luck.
Worked fine prior to iOS upgrade, now throws:
2024-09-18 17:37:02 iked (103.xxx.xxx.xxx<->1.xxx.xxx.xxx)drop the received IKEv2 message from 1.xxx.xxx.xxx:29686 - reason="payload(IDi)'s size is smaller than the minimal value(8 < 10)"
Has always worked flawlessly, but iOS 18 definitely breaks it. Hoping Apple release a fast iOS 18.1 with working fix. Firebox is out of subscription so hoping like hell the fix isn't a Firebox upgrade!
0 -
Ok so the WG support person has tried with an iPhone on iOS 18 and has it working on a device at WG Support.
I have done some independent research and my current theories are as follows.
- Apple could have changed requirements around certificates making the WG generated certificate an issue on iOS18.
- Apple has deprecated one of the crypto methods used for Phase 1 or Phase 2 of the connection and we haven't seen any guidelines on this.
- a combination of the 2.
I suspect there is a document published somewhere obscure on the Apple website in the iOS patch notes that might mention the removal of say a crypto method that now means we need to modify our Phase 1 or Phase 2.
If I'm right I hope it's only Phase 2 as Phase 1 config is shared with a lot of BOVPNs.
Side note, issue also exists on iPhones at iOS18 but curiously not Mac OSX Sequoia
0 -
Hi,
I ran into the same issue (payload ID size too small) in a slightly different setup (IKEv2, Radius, iOS18) and found that the client profile for the IKEv2 Mobile VPN does not contain a LocalID, which seems to bother iOS at least on the iPhone.
My solution/workaround/whatever you call it was:
- download the client profile from the WG Appliance
- extract, dive into the MacOS_iOS-Folder
- edit the xxx.mobileconfig with your favourite text editor
- find the <key>LocalIdentifier</key> tag, which should be followed by an empty <string /> tag
- insert an identifier into that string-tag, a UFQDN like user@vpn.internal should suffice, it seems not to be verified anywhere (though I did not run any IKE message tracing)
the segment should then look like
<key>LocalIdentifier</key>
<string>user@vpn.internal</string>
save, then airdrop/push the .mobileconfig to the iOS-device and install.
worked for me.
Have a good day.
9 -
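The profile edit described in @stefanbo's post above, done with a script instead of a text editor. This is an added example, not part of the original thread and not WatchGuard code; the sample profile is constructed and trimmed, and the function names and the "@" check are assumptions.

```python
import plistlib

# Constructed sample, trimmed to the keys this example touches (not a real export).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>LocalIdentifier</key><string />
      </dict>
    </dict>
  </array>
</dict>
</plist>"""


def empty_local_ids(profile):
    """Return the IKEv2 dicts whose LocalIdentifier is missing or blank."""
    hits = []
    for payload in profile.get("PayloadContent", []):
        ike = payload.get("IKEv2") if isinstance(payload, dict) else None
        if isinstance(ike, dict) and not str(ike.get("LocalIdentifier", "")).strip():
            hits.append(ike)
    return hits


def set_local_id(data, identifier):
    """Fill blank LocalIdentifier values; return (new_bytes, count_changed)."""
    if "@" not in identifier:  # assumption: keep to the post's user@domain form
        raise ValueError("expected a user@domain style identifier")
    profile = plistlib.loads(data)
    hits = empty_local_ids(profile)
    for ike in hits:  # values that are already set are left untouched
        ike["LocalIdentifier"] = identifier
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML), len(hits)


if __name__ == "__main__":
    patched, changed = set_local_id(SAMPLE_PROFILE, "user@vpn.internal")
    print(f"filled {changed} blank LocalIdentifier value(s)")
```

To use it on a real export, read the .mobileconfig from the MacOS_iOS folder as bytes, pass it to set_local_id, and write the returned bytes back before installing the profile.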
I can also confirm that the solution (provided by @stefanbo) for iOS18 works. Many thanks for that.
0 -
@stefanbo's solution working for me - iOS 18, IKEv2, iPhone, Firebox-DB
Thanks very much!
0 -
There is now a Known Issue for this, with a similar fix:
Mobile VPN with IKEv2 connections fail on iOS 18
https://techsearch.watchguard.com/KB?type=Known Issues&SFDCID=kA1Vr00000060IHKAY&lang=en_US
0 -
@stefanbo's solution worked for our company as well. iOS 18.2
0

