iPadOS18 IKEv2 Mobile VPN + Authpoint

Pat · September 17

Hi Watchguard Community!
Anyone else having issues with IKEv2 Mobile VPN since upgrading to iPadOS18 ?
During the beta of 18 I noticed when trying to connect to a Watchguard Mobile IKEv2 VPN that it would get stuck at connecting and I would never be prompted to approve or deny my connection on another device in Authpoint.

Rolling back to iPadOS 17 fixed this so i just put it down to being a Apple issue in the beta and reported it to them at the time.

However as iPadOS and iOS 18 have released to the public today i thought i would try again and looks like the same issue is occuring.

Just wondering if anyone else in the community has experienced this or has any pointers on what logs I can go digging into.

I have a feeling the VPN connection never leaves my device and it's an Apple issue.

Chris01 · September 17

Hello.

I have the same problem with iOS 18. I think it is not an AuthPoint issue. Apple may have changed something in the basic behavior. I see the following traffic log wenn I try to start VPN (on an iOS 18 Device):

2024-09-17 13:00:23 iked (x.x.x.x<->y.y.y.y)drop the received IKEv2 message from y.y.y.y:4500 - reason="payload(IDi)'s size is smaller than the minimal value(8 < 10)"

Any ideas how to fix it?

Pat · September 17

Glad im not the only one with problems here!

james.carson · September 17

Hi @Chris01 and @Pat

Depending on when you initially imported that VPN profile, I'd suggest trying to import it again.

See:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ikev2/mvpn_ikev2_mac_client.html

If your issues persist, I'd suggest opening a support case so that one of our technicians can help.

Sraglin · September 17

Same issue just says connecting. We dont use authpoint so I feel like this is a watchguard/iOS issue. I imported a new config file as @james.carson suggested but same issue.

james.carson · September 17

@Sraglin Please open a support case if you're able -- our team can take a look at your logs and help troubleshoot the issue.

Pat · September 18

@Chris01 my logs show the same issue.
Thanks @james.carson support case raised.

Mark_Dabner · September 18

Same problem here IKEv2, Firebox M300, iPhone 15 Pro Max iOS 18.

Have tried removing profile and re-importing - no luck.

Worked fine prior to iOS upgrade, now throws:

2024-09-18 17:37:02 iked (103.xxx.xxx.xxx<->1.xxx.xxx.xxx)drop the received IKEv2 message from 1.xxx.xxx.xxx:29686 - reason="payload(IDi)'s size is smaller than the minimal value(8 < 10)"

Has always worked flawlessly, but iOS 18 definitely breaks it. Hoping Apple release a fast iOS 18.1 with working fix. Firebox is out of subscription so hoping like hell the fix isn't a Firebox upgrade!

Pat · September 18

Ok so the WG support person has tried with an iPhone on iOS 18 and has it working on a device at WG Support.
I have done some independent research and my current theories are as follows.

Apple could have changed requirements around certificates making the WG generated certificate an issue on iOS18.
Apple has deprecated one of the crypto methods used for Phase 1 or Phase 2 of the connection and we haven't seen any guidelines on this.
a combination of the 2.

I suspect there is a document published somewhere obscure on the Apple website in the iOS patch notes that might mention the removal of say a crypto method that now means we need to modify our Phase 1 or Phase 2.
if I'm right I hope it's only Phase 2 as Phase 1 config is shared with a lot of BOVPN's.

side note, issue also exists on iPhones at iOS18 but curiously not Mac OSX Sequoia

stefanbo · September 18

Hi,

I ran into the same issue (payload ID size too small) in a slightly different setup (IKEv2, Radius, iOS18) and found that the client profile for the IKEv2 Mobile VPN does not contain a LocalID, which seems to bother iOS at least on the iPhone.

My solution/workaround/whatever you call it was:

download the client profile from the WG Appliance
extract, dive into the MacOS_iOS-Folder
edit the xxx.mobileconfig with your favourite text editor
find the <key>LocalIdentifier</key> tag, which should be followed by an empty <string /> tag
insert an identifier into that string-tag, a UFQDN like user@vpn.internal should suffice, it seems not to be verified anywhere (though I did not run any IKE message tracing)
the segment should then look like
<key>LocalIdentifier</key>
<string>user@vpn.internal</string>
save, then airdrop/push the .mobileconfig to the iOS-device and install.

worked for me.

Have a good day.

Pat · September 18

Can confirm the solution provided by @stefanbo works.
Hopefully Watchguard addresses the mobileconfig creation out of the policy manager to avoid manual intervention.

Thanks for your help @stefanbo its really appreciated!!