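With macOS/iOS 26, Apple has deprecated the use of lower Diffie-Hellman (DH) groups in the Network Extension framework. Only MODP19 is now supported, and attempting to use lower groups such as MODP1024 or MODP1536 will cause profile failures. In the secure-access server configuration, change pfs-group from mod2 to mod19 under both ike and ipsec, as marked in the output below.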
admin@VOS-Gateway-01-cli> show configuration orgs org-services Versa-Tenant-1 secure-access
servers {
    VOS-Gateway-01 {
        priority 100;
        description "VSIA Force tunnel server for: PP-MAC";
        ipsec-profile-id PP-MAC;
        tunnel-authentication {
            x509-cert vsa-default-ca-chain.crt;
        }
        ike {
            dpd-timeout 120;
            pfs-group mod2;    ---> Change from mod2 to mod19
            lifetime 21600;
            ike-transform aes256-sha256;
            ike-version v2;
        }
        ipsec {
            pfs-group mod2;    ---> Change from mod2 to mod19
            lifetime 3600;
            ipsec-transform esp-aes128-sha256;
        }
        client-auth-type eap;
        client-auth-eap-type mschap-v2;
        groups [ US-WEST-100 ];
        app-delete disabled;
        os-visible enabled;
        hosts [ Versa-Tenant-1-VOS-Gateway-01.versa-test.net ];
        ca-certificate vsa-default-ca-chain.crt;
    }
}
Bug-ID : 132578
Description: SASE || Apple OS 26 needs the dh-key to be a minimum MOD19 for macOS/iOS/iPAD Profiles. Config pushed from Concerto needs to be updated.
Fix-Release : Hotfix 12.2.2 or 12.2.1 build on or after 9/18/2025.
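
To find every gateway that still needs this change, the following added example (not Versa code or tooling) walks a saved copy of the secure-access "show configuration" output and lists each pfs-group that is not mod19, with the block it sits in. The sample text, the GW-A/GW-B server names and the function name are constructed for the example.

```python
import re

# Constructed sample in the same shape as the "show configuration" output above;
# GW-A and GW-B are made-up server names.
SAMPLE = """\
servers {
    GW-A {
        ipsec-profile-id PP-MAC;
        ike {
            pfs-group mod2;    ---> Change from mod2 to mod19
            ike-version v2;
        }
        ipsec {
            pfs-group mod19;
        }
    }
    GW-B {
        ike {
            pfs-group mod19;
        }
        ipsec {
            pfs-group mod2;
        }
    }
}
"""

REQUIRED = "mod19"  # the group the page says Apple OS 26 profiles need


def find_weak_pfs_groups(config_text, required=REQUIRED):
    """Return (block path, value) for each pfs-group that is not `required`."""
    path, findings = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        opened = re.match(r"(\S+)\s*\{", line)            # "name {" opens a block
        setting = re.match(r"pfs-group\s+([^;\s]+)\s*;", line)  # text after ";" is ignored
        if opened:
            path.append(opened.group(1))
        elif line.startswith("}"):
            if path:
                path.pop()
        elif setting and setting.group(1) != required:
            findings.append(("/".join(path), setting.group(1)))
    return findings


if __name__ == "__main__":
    for where, value in find_weak_pfs_groups(SAMPLE):
        print(f"{where}: pfs-group {value} (expected {REQUIRED})")
```
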