Android 12 and ikev2

Options
1235

All Replies

  • Peppino
    Peppino Posts: 139  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options
  • PeterUK
    PeterUK Posts: 2,857  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Yes but what I can't get working is the built in VPN client on phone and have to use strongswan...but on my phone built in VPN client I can't leave the IPsec identifier blank if I set to the DNS logs show its up then disconnects with strongswan it works fine.

  • Peppino
    Peppino Posts: 139  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    Its a Samsung limitaton on hashing algorithms as I recall. Anyway Strongswan seamlessly integrates into Android.

  • QuiteSmart
    QuiteSmart Posts: 43  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Thank you @Peppino , thank you @PeterUK for your feedbacks. Would you be so kind to check the configuration and log that i posted a few days ago and compare it with yours? I really cannot understand what i am missing. Apart from the ATP i've made some tests on an USG40 behind a Fritzbox router: the router is configured so that the firewall is the "exposed host".

    I understand that having the firewall directly connected to the internet is by far better but sometimes this is not possible because the ISP supplies VoIP services only on their devices and do not give configurations.

    As for using the built in client i also am aware that there is a limitation with Samsung about the DH algorithms, somewhere i read that Zyxel added new DH with latest firmwares but Strongswan seems to be the easier way on Samsung

  • Peppino
    Peppino Posts: 139  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    You might have overlooked what PeterUK wrote:

    "If the certificate says a IP then the fw needs to have that IP and be WAN"

    So since the router has the external IP, your ATP claims to have an internal IP which in turn will not match the one set in the certificate.

  • QuiteSmart
    QuiteSmart Posts: 43  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Maybe I just didn't want to read such a thing ;-)

    Can we close it saying that there is no possibility to create a client-server VPN (with certificate) with a firewall behind a router?

  • Peppino
    Peppino Posts: 139  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    Correct

  • PeterUK
    PeterUK Posts: 2,857  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    I think it might be possible if the certificate uses DNS then a IP?

  • QuiteSmart
    QuiteSmart Posts: 43  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Do you mean ddns?

    Who should issue the certificate?

    Have any of you even done it? (How? ;-) )

    Thank you again

  • Peppino
    Peppino Posts: 139  Ally Member
    First Anniversary 10 Comments Friend Collector
    Options

    Theoretically it could work. The certificate is created by you inside the ATP, under objects-certificates. This needs to be exported as file and imported into the Android phone. How did you make it work last time? Not like this?

Security Highlight