Tag Archives: watchguard

Failed to connect to IKEv2 VPN using iPhone USB tethering

Usually I use the iPhone WiFi hotspot feature. Lately, however, I had to switch to USB tethering, because I had to work a whole workday over the phone's connection: USB tethering saves battery, and the connection was more reliable for me. Please note that you need to install iTunes to use USB tethering, because the necessary Ethernet driver only ships with iTunes. Without this driver, Windows won't recognize the iPhone as an Ethernet connection.

While using USB tethering I noticed that my IKEv2 VPN connection to my office wasn't working. I use the native Windows 11 VPN client; the office runs a WatchGuard T80 firewall with a Total Security subscription. Interestingly, the VPN connection worked fine over the WiFi hotspot. I double-checked this with another IKEv2 connection to a customer, which showed the same behavior: it wouldn't work with USB tethering, but the connection was fine using the WiFi hotspot.


First things first: the traffic log showed some interesting facts. Both connection attempts were recognized by the firewall.

2023-06-24 16:22:24iked(212.117.xx.yy<->91.41.xx.yy)The peer is behind NAT
2023-06-24 16:22:24iked(212.117.xx.yy<->91.41.xx.yy)The local is NOT behind NAT
2023-06-24 16:22:24iked(212.117.xx.yy<->91.41.xx.yy)Processed IKE_SA_INIT request message successfully
2023-06-24 16:22:24iked(212.117.xx.yy<->91.41.xx.yy)'IKE_SA_INIT response' message created successfully. length:496
2023-06-24 16:22:24iked(212.117.xx.yy<->91.41.xx.yy)Sent out IKE_SA_INIT response message (msgId=0) from 212.117.xx.yy:500 to 91.41.xx.yy:64172 for 'WG Default IKEv2 Gateway' gateway endpoint successfully.

2023-06-24 16:22:43iked(212.117.xx.yy<->80.187.xx.yy)The peer is behind NAT
2023-06-24 16:22:43iked(212.117.xx.yy<->80.187.xx.yy)The local is NOT behind NAT
2023-06-24 16:22:43iked(212.117.xx.yy<->80.187.xx.yy)Processed IKE_SA_INIT request message successfully
2023-06-24 16:22:43iked(212.117.xx.yy<->80.187.xx.yy)'IKE_SA_INIT response' message created successfully. length:496
2023-06-24 16:22:43iked(212.117.xx.yy<->80.187.xx.yy)Sent out IKE_SA_INIT response message (msgId=0) from 212.117.xx.yy:500 to 80.187.xx.yy:500 for 'WG Default IKEv2 Gateway' gateway endpoint successfully.

The upper connection attempt was successful. Note the destination port in the "Sent out IKE_SA_INIT response" line: 64172. The lower attempt was made using USB tethering and was not successful; in this case the response was sent to 500/udp.

This is a Wireshark capture of the unsuccessful connection attempt.

This capture is from a successful attempt.

You will notice the difference after the IKE_AUTH MID=01 Initiator Request (frames 620 and 1248): the firewall's response never reaches the client. This behavior is often caused by MTU problems. A quick Google search showed evidence that USB tethering might behave differently from the WiFi hotspot.


Connect your iPhone using a USB-to-Lightning cable. A new Ethernet device should come up. Open an elevated CMD and use the following commands to list the interfaces and adjust the MTU of the Apple Ethernet device.

PS C:\Users\adm-terlisten> netsh interface ipv4 show interfaces

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 10          50        1500  disconnected  WLAN
 19          25        1500  disconnected  LAN-Verbindung* 1
  9          25        1500  disconnected  LAN-Verbindung* 2
 11          25        1500  connected     Ethernet 2
  2          65        1500  disconnected  Bluetooth-Netzwerkverbindung
 20          35        1432  connected     iPhone Hotspot

PS C:\Users\adm-terlisten> netsh interface ipv4 set subinterface "iPhone Hotspot" mtu=1472 store=persistent

I renamed my Apple Ethernet device; in your case it could be named something like "Ethernet 4" or similar. That's it. Enjoy your VPN connection.
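As an added example (not code from the post), the following Python helper parses the netsh output shown above, flags connected interfaces whose MTU is below 1500, prints the matching netsh fix command from the post, and checks whether an IKE message of a given length fits into a single IPv4/UDP datagram on a link with that MTU. The interface names are taken from the post's listing; the header sizes are the standard IPv4, UDP and NAT-T non-ESP marker values.

```python
import re

# Constructed sample input: the "netsh interface ipv4 show interfaces" output
# from the post, re-typed here as offline test data (not a live capture).
NETSH_OUTPUT = """\
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 10          50        1500  disconnected  WLAN
 11          25        1500  connected     Ethernet 2
 20          35        1432  connected     iPhone Hotspot
"""

# One data row: Idx, Met, MTU, State, then the interface name (may contain spaces).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

def parse_interfaces(text):
    """Parse netsh output into a list of dicts; the header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, met, mtu, state, name = m.groups()
            rows.append({"idx": int(idx), "met": int(met), "mtu": int(mtu),
                         "state": state, "name": name})
    return rows

def undersized(rows, target=1500):
    """Connected interfaces whose MTU is below target (the loopback's huge MTU never matches)."""
    return [r for r in rows if r["state"] == "connected" and r["mtu"] < target]

def fix_command(row, mtu=1472):
    """The netsh command from the post, filled in with the interface name."""
    return ('netsh interface ipv4 set subinterface "%s" mtu=%d store=persistent'
            % (row["name"], mtu))

IPV4_HDR, UDP_HDR, NAT_T_MARKER = 20, 8, 4  # bytes; the marker only applies on UDP 4500 (NAT-T)

def ike_fits_in_datagram(ike_len, mtu, nat_t=False):
    """True if an IKE message of ike_len bytes fits one IPv4/UDP datagram on a link with this MTU."""
    overhead = IPV4_HDR + UDP_HDR + (NAT_T_MARKER if nat_t else 0)
    return ike_len + overhead <= mtu

if __name__ == "__main__":
    for row in undersized(parse_interfaces(NETSH_OUTPUT)):
        print("%s has MTU %d -> %s" % (row["name"], row["mtu"], fix_command(row)))
    # The 496-byte IKE_SA_INIT response from the log fits even at MTU 1432;
    # a larger IKE_AUTH message (certificates) is what would need fragmentation.
    print(ike_fits_in_datagram(496, 1432), ike_fits_in_datagram(1432, 1432))
```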

Fun fact: Cisco AnyConnect with an IKEv2 connection never had a problem, regardless of whether I used the WiFi hotspot or USB tethering. I encountered the problem only with the native Windows VPN client.

WatchGuard Network Security Essentials Exam

This posting is ~3 years old. You should keep this in mind. IT is a fast-moving business, so this information might be outdated.

Yesterday, I passed the first exam of the year, in this case the WatchGuard Network Security Essentials exam. The exam covers basic networking and firewalling skills, as well as the knowledge necessary to configure, manage, and monitor a WatchGuard Firebox. If you are familiar with networking and firewalls in general, this exam is a "low hanging fruit". I had to take it due to partner conditions.

WatchGuard offers a pretty good study guide for this exam, which you can get for free. The exam is delivered by Kryterion and can be taken in a test center or as an online proctored exam.

The closed-book exam consists of 70 questions. You have 2 hours and need at least 70% to pass. The exam covers six topics:

  • Network and network security basics
  • Administration and setup
  • Monitoring, logging, and reporting
  • Networking and NAT
  • Policies, proxies, and security services
  • Authentication and VPN

I passed the exam with some preparation (I only used the study guide). As long as you have experience with WatchGuard firewalls, which is mandatory IMHO, it is sufficient to read the study guide a couple of times.