WatchGuard Mobile VPN with IKEv2 disconnects after 10 minutes on macOS

If you’re using WatchGuard Mobile VPN with IKEv2 on your Mac, you might have encountered a frustrating issue where the connection drops after approximately 10 minutes. This problem has become more prevalent following macOS updates, such as Sonoma or later versions, affecting users on Apple Silicon devices like M1, M2, and beyond. The disconnects can disrupt remote work, requiring frequent reconnections and potentially leading to security concerns or productivity loss.

Fortunately, several proven workarounds and fixes exist, drawn from official WatchGuard documentation and community experiences. This article outlines the common causes and step-by-step solutions to stabilize your VPN connection.

Understanding the Issue

The root cause often stems from compatibility issues between WatchGuard’s IKEv2 implementation and Apple’s native VPN client on macOS. After system upgrades, the VPN may fail to properly rekey the session, leading to timeouts around 8-10 minutes (or sometimes 24 minutes in related variants). macOS might silently modify VPN profiles by adding elements like Perfect Forward Secrecy (PFS) or altering rekey timers, so the client’s proposals no longer match the Firebox settings. Error logs could show messages like “InvalidKEPayload” or “PeerInvalidSyntax,” indicating negotiation failures during rekeying. This isn’t unique to WatchGuard; it’s a broader third-party VPN challenge with Apple’s IKE client.

Common Symptoms

  • VPN connects successfully but disconnects after ~10 minutes
  • Disconnections occur even while traffic is passing
  • macOS shows “VPN disconnected” without a clear error
  • Reconnecting works, but the issue repeats
  • More common on Apple Silicon-based machines running macOS Sonoma, Sequoia, and Tahoe.

I would run this workaround before doing any further fault-finding on VPN stability on a Mac running macOS Tahoe:

  1. Use an SSH client (such as PuTTY) to connect to the Firebox on port 4118.
  2. Log in with admin credentials.
  3. Run the following command to disable mobike support:
diagnose vpn "/ike/param/set mobike_support=0 action=now"

After running the command, retest on your Mac to see whether it has fixed the issue. You can see the WatchGuard article here.

Failing that, work through the following fault-finding options step by step:

Solution 1: Disable MOBIKE Support on the Firebox

MOBIKE (Mobility and Multihoming Protocol for IKE) can sometimes cause instability on macOS. Disabling it via command line has helped many users maintain connections beyond 10 minutes.

Steps:

  • Download and install an SSH client like PuTTY (available for free from the official website).
  • Connect to your Firebox IP address on port 4118 using admin credentials.
  • Once logged in, run the following command:
diagnose vpn "/ike/param/set mobike_support=0 action=now"
  • If you’re using a FireCluster, execute this only on the cluster master device.
  • Test your VPN connection on macOS to verify stability.

This change takes effect immediately and can significantly improve VPN reliability without requiring profile changes.

Solution 2: Enable Perfect Forward Secrecy (PFS) and Adjust Security Settings

Enabling PFS in Phase 2 settings addresses rekeying mismatches, often resolving disconnects at 24 minutes but also effective for shorter timeouts. Users have reported connections lasting 30-50 minutes or longer after this tweak.

Steps:

  1. Log in to the Fireware Web UI on your Firebox.
  2. Navigate to VPN > Mobile VPN > IKEv2 > Configure > Security.
  3. In the Phase 1 tab:
    • Set the encryption to AES-GCM-256bit.
    • Set the lifetime to 24 hours.
    • Move DH Group 19 to the top of the list (add it if not present).
  4. In the Phase 2 tab:
    • Add or select ESP/SHA2-256/AES 256bit.
    • Check the box to enable Perfect Forward Secrecy (PFS).
    • Set the PFS group to Diffie-Hellman Group 19.
  5. Save the changes.
  6. Export a new IKEv2 profile from the Firebox.
  7. On your Mac, remove the existing VPN configuration (System Settings > Network > VPN > Delete the profile).
  8. Import the new profile and reconnect.

Reimporting the profile ensures macOS doesn’t override settings. If disconnects persist, increase logging on the Firebox (set IKE/IPSec logs to Information level) and check the Traffic Monitor for errors related to your Mac’s IP.
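Before importing the re-exported profile, it is worth confirming that it actually carries the Phase 1 and Phase 2 parameters set in Solution 2, since the whole premise here is that a profile/Firebox mismatch breaks rekeying. The script below is an added example written for this article, not WatchGuard’s or Apple’s code. It assumes the export is an unsigned XML plist using Apple’s IKEv2 VPN payload keys (IKESecurityAssociationParameters, ChildSecurityAssociationParameters, EnablePFS); the embedded profile is constructed for illustration, with PFS deliberately turned off so that one mismatch is reported.

```python
"""Check an exported IKEv2 .mobileconfig against the Firebox Phase 1/Phase 2 settings.

Added example, not WatchGuard's or Apple's code. SAMPLE_PROFILE is a constructed,
minimal VPN payload; real exports carry more keys (certificates, server address,
authentication settings) that this check deliberately ignores.
"""
import plistlib
import sys

# Constructed sample in the shape of Apple's IKEv2 VPN payload. EnablePFS is off here
# to show what a macOS-altered profile looks like against the Solution 2 settings.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>EnablePFS</key><false/>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256-GCM</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>19</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>19</integer>
          <key>LifeTimeInMinutes</key><integer>480</integer>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# What the Firebox offers after Solution 2: Phase 1 AES-GCM-256, DH 19, 24 h lifetime;
# Phase 2 AES-256/SHA2-256 with PFS on DH group 19.
EXPECTED = {
    "IKESecurityAssociationParameters": {
        "EncryptionAlgorithm": "AES-256-GCM",
        "DiffieHellmanGroup": 19,
        "LifeTimeInMinutes": 24 * 60,
    },
    "ChildSecurityAssociationParameters": {
        "EncryptionAlgorithm": "AES-256",
        "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": 19,
    },
    "EnablePFS": True,
}


def ikev2_payloads(profile_bytes):
    """Return the IKEv2 dict of every IKEv2 VPN payload in the profile."""
    plist = plistlib.loads(profile_bytes)
    return [
        payload.get("IKEv2", {})
        for payload in plist.get("PayloadContent", [])
        if payload.get("PayloadType") == "com.apple.vpn.managed"
        and payload.get("VPNType") == "IKEv2"
    ]


def find_mismatches(profile_bytes, expected=EXPECTED):
    """Return (key path, expected, actual) tuples where the profile disagrees with
    the Firebox settings. An empty list means the profile matches."""
    payloads = ikev2_payloads(profile_bytes)
    if not payloads:
        return [("IKEv2 payload", "present", "missing")]
    mismatches = []
    for ikev2 in payloads:
        for key, want in expected.items():
            if isinstance(want, dict):
                # Nested SA parameter dicts: compare each expected sub-key.
                got_dict = ikev2.get(key, {})
                for sub, sub_want in want.items():
                    got = got_dict.get(sub)
                    if got != sub_want:
                        mismatches.append((f"{key}.{sub}", sub_want, got))
            else:
                got = ikev2.get(key)
                if got != want:
                    mismatches.append((key, want, got))
    return mismatches


if __name__ == "__main__":
    # Usage: python check_profile.py exported.mobileconfig  (no argument = embedded sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    problems = find_mismatches(data)
    for path, want, got in problems:
        print(f"MISMATCH {path}: expected {want!r}, profile has {got!r}")
    print("profile matches Firebox settings" if not problems else f"{len(problems)} mismatch(es)")
```

Run it with the path to the exported profile as the first argument. If the export is CMS-signed rather than plain XML, decode it first on the Mac with `security cms -D -i exported.mobileconfig -o plain.mobileconfig` and check the decoded file; a mismatch in EnablePFS or DiffieHellmanGroup is exactly the kind of silent profile alteration the article attributes to macOS.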

Solution 3: Upgrade Fireware on the Firebox

Outdated Fireware versions may contain bugs fixed in later releases. Upgrading has resolved IKEv2 disconnects for many, especially those occurring after 8-10 minutes.

Steps:

  1. Check your current Fireware version in the Firebox dashboard.
  2. Download the latest version (e.g., 12.10.4 or newer) from the WatchGuard portal.
  3. Follow the official upgrade guide: Back up your configuration, then apply the update via the Web UI or Policy Manager.
  4. After upgrading, re-export and import the IKEv2 profile on your Mac as described in Solution 2.
  5. Test the connection.

Note: Version 12.10.2 specifically addresses iOS/macOS IKEv2 disconnects, but confirm the latest release notes for your model.

Additional Tips and Alternatives

Diagnostic Logging: On macOS, view VPN logs via Console.app (search for “VPN” or “IKEv2”) to identify specific errors. On the Firebox, enable detailed logging to pinpoint issues.
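To make the log review repeatable, here is an added Python example (not part of the article, and not a WatchGuard or Apple tool) that pairs tunnel “established” and “disconnected” events, measures how long each session lived, and records whether an InvalidKEPayload or PeerInvalidSyntax notify appeared before the drop. Sessions that all die inside the same 8-11 minute window with a negotiation error next to them are the rekey-mismatch signature described earlier. The log lines and their timestamp format are constructed; parse_line() and the event phrases must be adjusted to the exact wording in your Console.app or Traffic Monitor output.

```python
"""Triage VPN log lines for the rekey-failure pattern: sessions that drop after
roughly the same interval with IKE negotiation errors just before the drop.

Added example, not from the article or WatchGuard. CONSTRUCTED_LOG uses a generic
"YYYY-MM-DD HH:MM:SS message" shape; adapt parse_line() to your real export.
"""
import re
from datetime import datetime

# Negotiation errors the article associates with failed rekeying.
REKEY_ERROR_MARKERS = ("InvalidKEPayload", "PeerInvalidSyntax")

# Event phrases to match; change these to the wording your logs actually use.
CONNECT_PHRASE = "tunnel established"
DISCONNECT_PHRASE = "tunnel disconnected"

# Constructed sample: two sessions, each dropping just under ten minutes after
# connecting, each with a rekey error shortly before the drop.
CONSTRUCTED_LOG = """\
2024-05-02 09:00:12 ikev2: tunnel established with 203.0.113.10
2024-05-02 09:08:40 ikev2: CREATE_CHILD_SA rekey sent
2024-05-02 09:08:41 ikev2: received notify InvalidKEPayload from peer
2024-05-02 09:10:05 ikev2: tunnel disconnected
2024-05-02 09:10:30 ikev2: tunnel established with 203.0.113.10
2024-05-02 09:19:02 ikev2: received notify PeerInvalidSyntax from peer
2024-05-02 09:20:21 ikev2: tunnel disconnected
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(line):
    """Split one log line into (datetime, message); None for lines that don't match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    return datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S"), match.group(2)


def triage(log_text):
    """Return one dict per connect/disconnect pair: how long the session lasted in
    seconds and which rekey error markers were seen while it was up."""
    sessions = []
    start = None
    errors = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, msg = parsed
        if CONNECT_PHRASE in msg:
            start, errors = ts, []
        elif any(marker in msg for marker in REKEY_ERROR_MARKERS):
            errors.extend(m for m in REKEY_ERROR_MARKERS if m in msg)
        elif DISCONNECT_PHRASE in msg and start is not None:
            sessions.append({
                "duration_s": int((ts - start).total_seconds()),
                "errors": errors,
            })
            start = None
    return sessions


def looks_like_rekey_failure(sessions, window_s=(480, 660)):
    """True when every session dropped inside the ~8-11 minute window and at least
    one of them carried an IKE negotiation error: the rekey-mismatch signature."""
    if not sessions:
        return False
    all_in_window = all(window_s[0] <= s["duration_s"] <= window_s[1] for s in sessions)
    any_error = any(s["errors"] for s in sessions)
    return all_in_window and any_error


if __name__ == "__main__":
    # Usage: python triage_vpn_log.py < exported.log   (no stdin = embedded sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_LOG
    found = triage(text)
    for i, s in enumerate(found, 1):
        print(f"session {i}: {s['duration_s']} s, errors: {', '.join(s['errors']) or 'none'}")
    print("rekey-failure pattern:", "yes" if looks_like_rekey_failure(found) else "no")
```

On the Mac, one way to produce input for this is `log show --last 1h --predicate 'eventMessage CONTAINS "IKEv2"'`, then trimming each line to a timestamp and message; on the Firebox, use the Traffic Monitor export after raising IKE/IPSec logging as described in Solution 2. If sessions drop at a consistent interval but show no negotiation error, the problem is more likely a dead-peer or MOBIKE issue than a rekey mismatch, which points back at Solution 1.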

Switch to SSL VPN: If IKEv2 continues to fail, configure Mobile VPN with SSL as an alternative—it’s often more stable on macOS.

Report to Apple: Since macOS alterations contribute to the problem, submit feedback via Apple’s Feedback Assistant to encourage a fix in future updates.

Community Resources: Check forums like Reddit or WatchGuard Community for user-specific scenarios, as hardware variations (e.g., M1 vs. Intel) can influence behavior.