Android 12 VPN to Zywall 110
With Android 12, Google has removed support for L2TP over IPSEC. As a result, I needed to configure my Pixel 6 Pro to connect using "IKEv2/IPSec PSK". I looked at several guides I found online, but none of them worked for me. So, I had to fiddle around quite a bit to get it to work. Posting my config here so that others might benefit. Please post if you've found other configs that worked for you.
Gateway Config
Notes:
- I had to select DNS as the Local ID Type with my ZyWall domain name as the Content. Nothing else would work for me. It took me quite a while to figure this out!
Connection
Notes
- I had to set the Local Policy to 0.0.0.0, otherwise my ZyWall would not route traffic from the Pixel to the Internet.
Android Config
All Replies
-
Is there any error message in the log? I'm not sure what proposals Android 12 supports, but I found that the proposal below could work on Android 11. Maybe you can try that, and capture the negotiation packets to check which proposal should be selected.
Phase 1 — SHA2(256)–AES(256)–DH2
Phase 2 — SHA2(256)–AES(256)
1 -
Thanks for your tutorial.
However, I cannot get it to work for a Motorola G82 phone / Android 12 phone.
I spent the past 2 days trying to set it up. Unfortunately the route using the Strongswan client is not an option for us.
Access via an iOS device works on the connection.
This is a copy of the entries in the log. Perhaps you have an idea on where it goes wrong?

| No. | Date/Time | Source | Destination | Priority | Category | Note | Message |
|---|---|---|---|---|---|---|---|
| 20 | 2023-02-04 13:35:51 | 178.139.232.98:21888 | 192.168.1.10:500 | info | ike | IKE_LOG | The cookie pair is : 0xb2810c48da345c4d / 0xb1634a5f266fe453 [count=2] |
| 21 | 2023-02-04 13:35:51 | 178.139.232.98:21888 | 192.168.1.10:500 | info | ike | IKE_LOG | Receiving IKEv2 request |
| 22 | 2023-02-04 13:35:51 | 178.139.232.98:21888 | 192.168.1.10:500 | info | ike | IKE_LOG | [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY] |
| 23 | 2023-02-04 13:35:51 | 178.139.232.98:21888 | 192.168.1.10:500 | info | ike | IKE_LOG | Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ |
| 24 | 2023-02-04 13:35:51 | 192.168.1.10:500 | 178.139.232.98:21888 | info | ike | IKE_LOG | The cookie pair is : 0xb1634a5f266fe453 / 0xb2810c48da345c4d |
| 25 | 2023-02-04 13:35:51 | 192.168.1.10:500 | 178.139.232.98:21888 | info | ike | IKE_LOG | IKE SA [NatSoft_IKEv2_GW] is disconnected |
| 26 | 2023-02-04 13:35:51 | 178.139.232.98:21890 | 192.168.1.10:500 | info | ike | IKE_LOG | The cookie pair is : 0xcfac2c4d1e6e8893 / 0xc0c087e52f902758 [count=2] |
| 27 | 2023-02-04 13:35:51 | 178.139.232.98:21890 | 192.168.1.10:500 | info | ike | IKE_LOG | Receiving IKEv2 request |
| 28 | 2023-02-04 13:35:51 | 178.139.232.98:21890 | 192.168.1.10:500 | info | ike | IKE_LOG | [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY] |
| 29 | 2023-02-04 13:35:51 | 178.139.232.98:21890 | 192.168.1.10:500 | info | ike | IKE_LOG | Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ |
| 30 | 2023-02-04 13:35:52 | 192.168.1.10:500 | 178.139.232.98:21890 | info | ike | IKE_LOG | The cookie pair is : 0xc0c087e52f902758 / 0xcfac2c4d1e6e8893 [count=2] |
| 31 | 2023-02-04 13:35:52 | 192.168.1.10:500 | 178.139.232.98:21890 | info | ike | IKE_LOG | [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID] |
| 32 | 2023-02-04 13:35:52 | 178.139.232.98:4500 | 192.168.1.10:4500 | info | ike | IKE_LOG | The cookie pair is : 0xcfac2c4d1e6e8893 / 0xc0c087e52f902758 |
| 33 | 2023-02-04 13:35:52 | 178.139.232.98:4500 | 192.168.1.10:4500 | info | ike | IKE_LOG | [AUTH] Recv:[IDi][IDr][AUTH][SA][TSi][TSr][CONF] |
| 34 | 2023-02-04 13:35:52 | 192.168.1.10:500 | 178.139.232.98:21890 | info | ike | IKE_LOG | IPsec SA negotiation failed |

0 -
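As an added example (not part of any post in this thread and not Zyxel code): a short Python check that parses the "Recv IKE sa" message from log entry 23 above and tests whether the Phase 1 encryption and integrity settings mentioned in the thread appear in the client's offer. It assumes the gateway's AES options mean AES-CBC and treats unbalanced parentheses as a sign that the log line was cut off; the function names are hypothetical.

```python
import re

# Message text of log entry 23 as posted above; the log viewer cut it off
# after "unknown integ", so the DH groups the client offered are not visible.
RECV_IKE_SA = (
    "Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, "
    "AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, "
    "AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, "
    "HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ"
)

def parse_offer(message):
    """Extract the encryption and integrity transforms the initiator offered."""
    enc = {(mode, int(bits)) for mode, bits in
           re.findall(r"AES (CTR|CBC) key len = (\d+)", message)}
    integ = set(re.findall(r"HMAC-(SHA\d+)-\d+", message))
    # Heuristic (assumption): "SA(" never closing means the line was truncated,
    # so anything listed after the cut (such as DH groups) is unknown.
    truncated = message.count("(") != message.count(")")
    return {"enc": enc, "integ": integ, "truncated": truncated}

def check(gateway_proposals, offer):
    """Map each (AES key bits, hash) gateway proposal to the transforms
    that are missing from the client's offer (empty list = both offered)."""
    results = {}
    for bits, hash_name in gateway_proposals:
        missing = []
        if ("CBC", bits) not in offer["enc"]:  # assumption: gateway AES = CBC
            missing.append(f"AES-CBC-{bits}")
        if hash_name not in offer["integ"]:
            missing.append(f"HMAC-{hash_name}")
        results[(bits, hash_name)] = missing
    return results

if __name__ == "__main__":
    offer = parse_offer(RECV_IKE_SA)
    # First three combinations are the ones tried in the thread;
    # (256, "SHA1") is a constructed entry that shows a mismatch.
    tried = [(256, "SHA256"), (128, "SHA256"), (256, "SHA512"), (256, "SHA1")]
    for proposal, missing in check(tried, offer).items():
        print(proposal, "offered" if not missing else f"missing {missing}")
    if offer["truncated"]:
        print("Log line truncated: DH groups need a packet capture to verify.")
```

For this log the three combinations tried in the thread are all present in the client's offer, and the truncation flag shows why the DH group still has to be read from a packet capture.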
Hi @SpaceCowboy,
Greetings Forum,
Because the "Certificate" is already included in the IKEv2 creation wizard, the script has to be opened with strongSwan.
So I would suggest using PSK instead of a certificate if strongSwan is not an option, or please try to install the certificate on the Motorola G82 phone / Android 12 phone manually.
Thank you
0 -
Hello Kevin
I am using PSK and not certificate on the VPN Gateway Authentication Settings (Phase 1). Is there any other place where I can select PSK?
I am basically using the settings from mhilbush adapted to our network (remote address, etc.)
We are behind a router (I don't know if this is a problem) and we have a dynamic address from our provider, so we are using a dyndns DNS entry.
As I said - from iOS everything works perfectly. All current Android 12 phones (we tested Motorola G82 & Samsung S22) cannot connect.
We also tried the AES128/SHA256 & AES256/SHA512 coding options, but no change. Even tried all combinations with DH2 instead of DH14.
Do you have any other recommendations?
Kind regards
Thomas
0 -
Hi @SpaceCowboy,
Please kindly try to install the latest FCS version: v5.35 for ATP/FLEX/VPN, v4.73 for USG.
We already fixed the multiple DH issue in IKEv2 connections (especially with Android phones).
If the issue persists, please capture traffic on the WAN interface when the mobile tries to initiate.
Thank you
Kevin