ZYWALL - Android IPSEC (IKEv2) Client reference
Is there a recommendation from ZYXEL (maybe also a manual) on which IPSEC client (no L2TP over IPSEC) works with IKEv1/2 on Android with a ZYWALL USG?
Android software is actually not available from ZYXEL itself.
Thanks in advance and regards
Christian
Comments
-
Please select IPSec Xauth PSK when you create the VPN; I think most Android OS versions support this function.
Wei
0 -
Hi Christian,
Here is my configuration, which works for Android using IPSec Xauth PSK to USG.
The key is that the VPN server needs to support X-auth and mode-config for Android clients.
On USG,
1. USG VPN gateway rule,
- IKEv1
- Aggressive mode
- AES-SHA1-DH2, lifetime 86400
- Enable X-Auth
2. USG VPN Connection rule,
- Scenario: Remote Access (Server Role)
- Local Policy: 0.0.0.0/0 ; you can set subnet 0.0.0.0/0 or host 0.0.0.0
- AES-SHA1, no PFS. lifetime 28800
- Enable mode config, and select a non-overlapping IP address range for VPN clients
On Android, I just list the key parts you need to know.
- Type: IPSec Xauth PSK
- IPSec identifier: any string (without spaces or special characters), as local ID to USG
Note: on the USG side the peer ID needs to be set to any. Other types had compatibility issues when I tested.
Advanced (optional):
By default, Android will forward all traffic into the VPN tunnel.
If you want to run as split tunnel, then you need to add the routes which need to go into Forwarding routes.
0 -
Hi @Zyxel_Wei and @lan31
Thanks for the information and the screenshots, because I've read an article outside ZYXEL saying that several vendors have additional parameters in IPSEC that are required. And from ZYXEL I saw no post / KB article about the possibility and an example as described here.
I will create a new GW/CON and test it - thanks for the information
Regards
Christian
0 -
Hi @Zyxel_Wei and @lan31
It works. I've set AES256/SHA512 and in the connection also DH14 to have the required configuration for the VPN connection. It works fine with the embedded IPSEC client on Android 7.1.
Thanks for the quick response and the short manual
Regards
Christian
1
-
Hi All,
Thanks Ian31, as your post was very helpful. I had not configured the local policy with 0.0.0.0 and am still not sure why that works.
As a note, I have a Pixel 3XL at Android 10 and it worked fine except that some web sites would not work. I could get an image from the site but some pages would not work. On my Nexus 6p using all the same VPN settings, everything worked fine.
I then adjusted the MSS setting on my firewall and set it to 1280 and everything worked very nicely after that. Seems like some issue with the TCP segment size was too large and not handled correctly across the VPN.
Based on web searches, the VPN on Android at certain levels seems to have problems. I could not get L2TP working reliably on the Pixel, which is why I tried IPSec instead.
Regards
Steve
0
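The MSS adjustment in the last post can be checked against ESP overhead arithmetic. The following is an added example, not from any participant in the thread or from Zyxel; it assumes IPv4, tunnel-mode ESP with AES-CBC, NAT-T (UDP encapsulation) and a 1500-byte path MTU, none of which the thread states, and uses the two hash choices mentioned above (SHA1 and SHA512).

```python
# Added example: ESP tunnel-mode overhead vs. TCP MSS (IPv4 only).
# Assumptions not stated in the thread: AES-CBC, NAT-T, path MTU 1500.

OUTER_IPV4 = 20      # outer IPv4 header added by tunnel mode
NAT_T_UDP = 8        # UDP/4500 encapsulation header (NAT traversal)
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes
AES_CBC_BLOCK = 16   # AES block size, also the per-packet IV length
INNER_IP_TCP = 40    # inner IPv4 (20) + TCP (20) headers, no options

# Integrity check value lengths: HMAC-SHA1-96 and HMAC-SHA-512-256.
ICV_LEN = {"sha1": 12, "sha512": 32}


def esp_packet_size(mss, auth, nat_t=True):
    """On-the-wire size of a full TCP segment after ESP encapsulation."""
    inner = mss + INNER_IP_TCP
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    blocks = -(-(inner + ESP_TRAILER) // AES_CBC_BLOCK)
    encrypted = blocks * AES_CBC_BLOCK
    fixed = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
    return fixed + AES_CBC_BLOCK + encrypted + ICV_LEN[auth]


def max_mss(path_mtu, auth, nat_t=True):
    """Largest MSS whose encapsulated packet still fits in path_mtu."""
    fixed = OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER
    room = path_mtu - fixed - AES_CBC_BLOCK - ICV_LEN[auth]
    encrypted = (room // AES_CBC_BLOCK) * AES_CBC_BLOCK
    return encrypted - ESP_TRAILER - INNER_IP_TCP


if __name__ == "__main__":
    for auth in ("sha1", "sha512"):
        print(auth, "max MSS at MTU 1500:", max_mss(1500, auth))
        for mss in (1460, 1280):
            print("  MSS", mss, "->", esp_packet_size(mss, auth), "bytes")
```

Under these assumptions a 1460-byte MSS produces a 1568-byte ESP packet, which cannot cross a 1500-byte path without fragmentation, while 1280 leaves headroom with either hash.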