ZYWALL - Android IPSEC (IKEv2) Client reference
is there a recommendation from ZYXEL (maybe also a manual) which IPSC client (no L2TPoverIPSEC) works with IKEv1/2 on Android with a ZYWALL USG?
Android Software is actually not availible by ZYXEL self
Thx forward and regards
Christian
Comments
-
Please select IPSec Xauth PSK when you create VPN, I think most Android OS are support this function.
Wei
0 -
Hi Christian,
Here my configuration which work for Android using IPSec Xauth PSK to USG.The key is the VPN server need to support X-auth and mode-config for Andriod clientsOn USG,
1. USG VPN gateway rule,
- IKEv1
- Aggressive mode
- AES-SHA1-DH2, lifetime 86400
- Enable X-Auth
2. USG VPN Connection rule,
- Scenario: Remote Access (Server Role)
- Local Policy: 0.0.0.0/0 ; you can set subnet 0.0.0.0/0 or host 0.0.0.0
- AES-SHA1, no PFS. lifetime 28800
- Enable mode config, and select a non-overlap ip address range for vpn clients
On Android, I just list the key parts you need to known.
- Type: IPSec Xauth PSK
- IPSec identifier: any string(without space, special characters), as local ID to USG
note: on USG side the peer ID need to set as any. Other type will have compatible issue as I test.
Advanced (optional):
By default, Android will forward all traffic into VPN tunnel
If you want to run as split tunnel. Then you need to add the route which need to go into Forwarding routes.
0 -
Hi @Zyxel_Wei and @lan31
thanks for the information and the screenshots, cause i've read a article outside ZYXEL, that several vendors had additional parameer in the IPSEC that are required. And by ZYXEL i saw no post / KB articel about the possibility and example as described here
i will create a new GW/CON and test it - thanks for the information
Regards
Christian
0 -
Hi @Zyxel_Wei and @lan31It works i've set AES256/SHA512 and in the conneciton also DH14 to have the required configuration for the VPN connection. it works fine with the embedded IPSEC client on Android 7.1.Thanks for the quick response and the short manuallRegardsChristian1
-
Hi All,
Thanks Ian31 as your post was very helpful. I had not configured the local policy with 0.0.0.0 and still not sure why that works.
As a note, I have a Pixel 3XL at Android 10 and it worked fine except that some web sites would not work. I could get an image from the site but some pages would not work. On my Nexus 6p using all the same VPN settings, everything worked fine.
I then adjusted the MSS setting on my firewall and set it to 1280 and everything worked very nicely after that. Seems like some issue with the TCP segment size was too large and not handled correctly across the VPN.
Based on web searches, the VPN on Android at certains levels seems to have problems. I could not get L2TP working reliably on the Pixel and why I tried IPSec instead.
Regards
Steve
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 146 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight