https://developer.apple.com/documentation/macos-release-notes/macos-26-release-notes#NetworkExtension




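With macOS/iOS 26, Apple has deprecated the use of lower Diffie-Hellman (DH) groups in the Network Extension framework. Only MODP19 is now supported, and attempting to use lower groups such as MODP1024 or MODP1536 will cause profile failures.

On the gateway, the pfs-group setting in both the ike and ipsec stanzas of the secure-access server configuration must be changed from mod2 to mod19, as marked in the output below.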


admin@VOS-Gateway-01-cli> show configuration orgs org-services Versa-Tenant-1 secure-access
servers {
    VOS-Gateway-01 {
        priority             100;
        description          "VSIA Force tunnel server for: PP-MAC";
        ipsec-profile-id     PP-MAC;
        tunnel-authentication {
            x509-cert vsa-default-ca-chain.crt;
        }
        ike {
            dpd-timeout   120;
            pfs-group     mod2;    ---> Change from mod2 to mod19
            lifetime      21600;
            ike-transform aes256-sha256;
            ike-version   v2;
        }
        ipsec {
            pfs-group       mod2;  ---> Change from mod2 to mod19
            lifetime        3600;
            ipsec-transform esp-aes128-sha256;
        }
        client-auth-type     eap;
        client-auth-eap-type mschap-v2;
        groups               [ US-WEST-100 ];
        app-delete           disabled;
        os-visible           enabled;
        hosts                [ Versa-Tenant-1-VOS-Gateway-01.versa-test.net ];
        ca-certificate       vsa-default-ca-chain.crt;
    }
}


Bug-ID: 132578

Description: SASE || Apple OS 26 needs the dh-key to be a minimum of MOD19 for macOS/iOS/iPad profiles. Config pushed from Concerto needs to be updated.

Fix-Release: Hotfix 12.2.2 or 12.2.1 build on or after 9/18/2025.
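
To audit saved configuration for this issue before Apple clients upgrade, the following Python script (an added example, not part of the original article or of Versa's tooling) walks the brace-delimited "show configuration" output shown above and reports every pfs-group that is not mod19. The function name, the allowed-set constant and the trimmed sample configuration are assumptions made for illustration.

```python
import re

# Per the article, Apple OS 26 profiles need mod19; anything else is a finding.
# (Assumption: adjust this set if your policy permits other groups.)
ALLOWED_PFS_GROUPS = {"mod19"}

# Constructed sample, trimmed from the configuration shown above.
SAMPLE_CONFIG = """\
servers {
    VOS-Gateway-01 {
        ipsec-profile-id     PP-MAC;
        ike {
            dpd-timeout   120;
            pfs-group     mod2;
            ike-version   v2;
        }
        ipsec {
            pfs-group       mod19;
            lifetime        3600;
        }
        hosts                [ Versa-Tenant-1-VOS-Gateway-01.versa-test.net ];
    }
}
"""

def find_weak_pfs_groups(config_text, allowed=ALLOWED_PFS_GROUPS):
    """Return (stanza path, line number, group) for each disallowed pfs-group."""
    findings, path = [], []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        opened = re.fullmatch(r"(\S+)\s*\{", line)
        if opened:
            path.append(opened.group(1))      # entering a named stanza
        elif line.startswith("}"):
            if path:
                path.pop()                    # leaving the current stanza
        else:
            # Match only up to the ';' so trailing annotations are ignored.
            m = re.match(r"pfs-group\s+(\S+?)\s*;", line)
            if m and m.group(1) not in allowed:
                findings.append(("/".join(path), lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    for stanza, lineno, group in find_weak_pfs_groups(SAMPLE_CONFIG):
        print(f"line {lineno}: {stanza} pfs-group {group} -> change to mod19")
```

Run it against each tenant's saved secure-access configuration; an empty result means every ike and ipsec stanza already uses mod19.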