Troubleshooting IPsec VPN Connection with IKEv2 :: Documentation (2024)

FAQs

How do I troubleshoot IPSec VPN connectivity issues? ›

In most cases, the following quick 4-step process can help you identify, diagnose, and troubleshoot/resolve any IPSec VPN Tunnel issue: Navigate to Monitor > System Logs - look for error(s) related to IKE, IPSec, or VPN. From the CLI, type > less mp-log ikemgr. log - look for specific error(s) related to the failure.

By default, IKEv2 uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. You cannot disable IPSec. By default, L2TP uses IPSec, which requires UDP ports 500 and 4500, and ESP IP Protocol 50. If you disable IPSec, Mobile VPN with L2TP requires only UDP port 1701.

To view status information about active IPsec tunnels, use the show ipsec tunnel command. This command prints status output for all IPsec tunnels, and it also supports printing tunnel information individually by providing the tunnel ID.

IKEv2 handles the protection of your traffic, while IPsec is responsible for moving it through the tunnel quickly and without interruption. For more details, read this article. What is the difference between IKEv2/IPSec and L2TP? IKEv2/IPsec and L2TP are VPN protocols with different capabilities.

In computing, IKEv2 is a VPN tunneling protocol ensuring safe online communication between two devices. IKEv2 works with the IPsec protocol, forming a VPN protocol called IKEv2/IPSec. IKEv2 helps devices recognize each other, and the IPsec protocol provides security when transporting data.

One downside of IKEv2, though, is that it is only used on Port 500 which makes it easier to block by network administrators as they can simply block Port 500 on the network and IKEv2 won't connect anymore.

How do I add a VPN connection to IKEv2? ›

IPSec VPN. IPSec VPN is a layer 3 protocol that communicates over IP protocol 50, Encapsulating Security Payload (ESP). It might also require UDP port 500 for Internet Key Exchange (IKE) to manage encryption keys, and UDP port 4500 for IPSec NAT-Traversal (NAT-T).

Go to Settings -> Network & internet -> VPN, then tap the "+" button. Enter a name for the VPN profile. Select IKEv2/IPSec RSA from the Type drop-down menu. Enter Your VPN Server IP (or DNS name) in the Server address field.

IPsec VPNs' usage differs from SSL VPN

IPsec VPN securely interconnects entire networks (site-to-site VPN) OR remote users with a particular protected area such as a local network, application, or the cloud. SSL VPN creates a secure tunnel from the host's web browser to a particular application.

The virtual IP address pool is the group of private IP address the Firebox assigns to Mobile VPN with IKEv2 users. The default is 192.168. 114.0/24.

Go to Control Panel > Network and Internet > Network Connections, open the properties for your VPN Profile, and check to make sure the value in the General tab can publicly resolve through DNS. If not, the Remote Access server or VPN server being unable to resolve to an IP address is likely the cause of the issue.

If you encounter issues when you use SSL-VPN connections, you can check the logs of SSL-VPN clients or the logs of SSL-VPN connections in the VPN Gateway console to troubleshoot the issues.

While IPSec provides robust security for IP communications, its major drawback lies in its complexity and the administrative burden it places on network administrators.