VPN Server role IKEv2 broken as far as I can tell

PeterUK

Following another post about this have made my own post

https://support.zyxel.eu/hc/en-us/articles/4411498192914

Android 12 and ikev2 — Zyxel Community

Tested on USG60W V4.71(AAKZ.0) and VPN300 V5.21(ABFC.0)

Phone tested with Sony Xperia 5 II Android 12

I have tested every setting I can think of but get:

Receiving IKEv2 request[count=5]

[INIT] Recv:
[SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY] [count=5]
Recv IKE sa: SA([0]
protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES
CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES
CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128,
AES-XCBC-96, unknown integ [count=5]

The cookie pair is :
0x7180eb2e28ac6628 / 0x4364f247052b96a5 [count=3]

[SA] : Tunnel
[VPN_server] Phase 1 proposal mismatch [count=5]

[SA] : No proposal chosen [count=5]

My phone has the old IKEv1 which works but you can't make new ones with Android 12 only IKEv2

PeterUK

Seems I didn't try every setting it was I combination of Key group and encryption thanks to the help of Joel B

Here are the lowest settings needed

So for Phase 1 I have

AES128 with SHA256

Key group DH14

for Phase 2 I have

AES128 with SHA256

PFS DH2

Zyxel_Cooldia

Hi @PeterUK,
Thanks for sharing this information to community  . It seems need to adjust IKEv2 phase1 and phase 2 encryption/authentication based on mobile device minimum cipher suites.

GioM

Unfortunately, the same happens with a ZyWALL 110 V4.70(AAAA.0) and a Realme GT2 Pro (Android 12, latest update as of today).

I get the exact same error as the OP, and if I change Phase 1 Key Group to DH14, I only get

IKE SA [VPN_1] is disconnected [count=3]

without

Phase 1 proposal mismatch

No proposal chosen

Zyxel_Cooldia

Hi @GioM,
Please try it again with StrongSwan client.
Following link for your reference.
https://community.zyxel.com/en/discussion/12940/android-12-and-ikev2