Android 13/IPAD IOS 15.7 and USG40 with IKEv2

Jokke

Hi,

I have used earlier L2TP/IPSEC tunneling but now newer andoids doesn't support that one. 

I did IKEv2 configuration according these.
https://support.zyxel.eu/hc/en-us/articles/8805317185298-VPN-Configure-IKEv2-with-Pre-Shared-key-on-Mobile-Devices-Instead-of-L2TP-


When I try make a connection I will get always error message in both devices android (SAMSUNG S20) and IPAD.

Any Ideas? KR,J

"

[SA] : No proposal chosen

 84.250.110.101:500

 221.210.110.200:39676

IKE_LOG

5

2022-12-23 05:15:26

info

IKE

[SA] : Tunnel [IKEv2_Connection] Phase 1 proposal mismatch

 84.250.110.101:500

 221.210.110.200:39676

IKE_LOG

6

2022-12-23 05:15:26

info

IKE

The cookie pair is : 0xe2c0fb51341291dc / 0xfc79f4663830a392 [count=3]

 84.250.110.101:500

 221.210.110.200:39676

IKE_LOG

7

2022-12-23 05:15:26

info

IKE

Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, HMAC-SHA1-96, HMAC-SHA512 PRF, HMAC-SHA384 PRF, HMAC-SHA256 PRF, HMAC-SHA1 PRF, RFC5114 2048-256 bit MODP, 384 bit ECP

 221.210.110.200:39676

 84.250.110.101:500

IKE_LOG

8

2022-12-23 05:15:26

info

IKE

[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]

 221.210.110.200:39676

 84.250.110.101:500

IKE_LOG

9

2022-12-23 05:15:26

info

IKE

Receiving IKEv2 request

 221.210.110.200:39676

 84.250.110.101:500

IKE_LOG

10

2022-12-23 05:15:26

info

IKE

The cookie "

Zyxel_Emily

Hi @Jokke,

[SA] : Tunnel [IKEv2_Connection] Phase 1 proposal mismatch

Here is Phase 1 and Phase 2 proposal that match the iOS setting for your reference. 

iOS: 15.6.1 on iPhone 8 Plus

Phase 1 

Phase 2

Test Result
IKEv2 is connected on iPhone.

Jokke

Zyxel_Emily said:

Hi @Jokke,

[SA] : Tunnel [IKEv2_Connection] Phase 1 proposal mismatch

Here is Phase 1 and Phase 2 proposal that match the iOS setting for your reference. 

iOS: 15.6.1 on iPhone 8 Plus

Phase 1 

Phase 2

Test Result
IKEv2 is connected on iPhone.

Ipad IOS 16.2 worked when chanhed key group from DH2 to DH14. Anyway my android 13 still cannot establish connection. 

Zyxel_Emily

Hi @Jokke,

[SA] : Tunnel [IKEv2_Connection] Phase 1 proposal mismatch

Here is Phase 1 and Phase 2 proposal that match the iOS setting for your reference. 

iOS: 15.6.1 on iPhone 8 Plus

Phase 1 

Phase 2

Test Result
IKEv2 is connected on iPhone.

valerio_vanni

In a thread of some day ago we discussed about parameters setting:

https://community.zyxel.com/en/discussion/15355/l2tp-over-ipsec-parameters-for-windows-10-native-client#latest

Now a question arise: is there a way to disable, on Android and Apple devices, vpn password save? I'd like to have users input it every time.

jasailafan

@valerio_vanni

The VPN secret and password setting are saved on Apple device. Maybe you should check with Apple if these settings are able to be not saved.  

Jokke

Zyxel_Emily said:

Hi @Jokke,

[SA] : Tunnel [IKEv2_Connection] Phase 1 proposal mismatch

Here is Phase 1 and Phase 2 proposal that match the iOS setting for your reference. 

iOS: 15.6.1 on iPhone 8 Plus

Phase 1 

Phase 2

Test Result
IKEv2 is connected on iPhone.

Ipad IOS 16.2 worked when chanhed key group from DH2 to DH14. Anyway my android 13 still cannot establish connection. 

Zyxel_Emily

Hi @Jokke,

For Android 13, set proposal "AES128-SHA256-DH2" in phase 1 and "AES128-SHA256" in phase 2.

Jokke

https://community.zyxel.com/en/discussion/comment/47102#Comment_47102

Unfortenately this does not work :( also Even this would work I shoud creat own VPN tunnel for IOS and android because Zyxel support only one IKE Diffie-Hellman (DH) group per tunnel

Jokke

https://community.zyxel.com/en/discussion/comment/49917#Comment_49917

I am wondering is that something what is Samsung spefic, my phone is Samsung s20 with android 13

Zyxel_Emily

Hi @Jokke,
It seems Samsung needs two DNS server in phase 2 settings. Hence, try to configure both First DNS server and Second DNS server in VPN Connetion > Configuration Payload on USG40.