Problem with VPN configuration for Android 12 and above
Hi,
We have ATP100 (version: V5.38(ABPS.0)). We are unable to configure VPN connection using IKEv2. It is unable to start VPN connection. The following message appears.
Here is our VPN connection and VPN gateway setup. We have a public IP address.
I have one more question, is there another connection option for Android 12 and above? For example, by using a paid certificate?
Thanks
Jan
All Replies
-
Hi @JanBab,
You cannot click the "connect" button on a dynamic peer VPN tunnel as the dynamic VPN tunnel plays a passive role in waiting for client connections. Please refer to this link for configuring remote access VPN for Android clients.
https://support.zyxel.eu/hc/en-us/articles/5897661827986-VPN-Configure-IKEv2-VPN-with-Android-via-StrongSwan
0 -
Connection failed again. Here is the log from Android. (185.xxx.xxx.xxx is our public IP address)
May 13 12:34:08 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
May 13 12:34:08 00[DMN] Starting IKE service (strongSwan 5.9.13, Android 12 - SP1A.210812.016.G975FXXSGHWC1/2023-03-01, SM-G975F - samsung/beyond2lteeea/samsung, Linux 4.14.113-25257816, aarch64, org.strongswan.android)
May 13 12:34:08 00[LIB] providers loaded by OpenSSL: default legacy
May 13 12:34:08 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
May 13 12:34:08 00[JOB] spawning 16 worker threads
May 13 12:34:08 06[IKE] initiating IKE_SA android[7] to 185.xxx.xxx.xxx
May 13 12:34:08 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
May 13 12:34:08 06[NET] sending packet: from 100.81.165.92[41807] to 185.xxx.xxx.xxx[500] (336 bytes)
May 13 12:34:08 09[NET] received packet: from 185.xxx.xxx.xxx[500] to 100.81.165.92[41807] (721 bytes)
May 13 12:34:08 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ V V V V V V ]
May 13 12:34:08 09[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
May 13 12:34:08 09[ENC] received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
May 13 12:34:08 09[ENC] received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:5d:a9:fc:4c:ae:bd:78:9e:03:d8:34:56:df:bd:4d:a1:ab:eb:d1:de:cd:16:ab:ba:b2:97:88:d7:11:33:e5:97:83:57:3a:6d:98:64:35:c5:f0:ba:0b:e6:db:52:9e:cd:ca:70:c6:45:d7:70:a5:3f:46:37:f0:ef:ac:9f:55:fe:93:75:1f:9c:cf:ff:c0:be:b6:b4:60:79:05:3e:11:33:45:04:83:e9:30:44:97:9c:26:58:03:d8:8b:43:4c:61:ab:39:40:2e:eb:c6:a5:24:bb:47:0c:7d:c6:3c:06:14
May 13 12:34:08 09[ENC] received unknown vendor ID: 24:ae:2f:6d:9e:a6:1b:d4:23:5e:e3:f3:c2:ee:65:6f:9c:5c:14:23:75:76:ca:18:a7:93:b3:b6:66:e6:a4:6f:5d:b8:ef:bb:24:b5:61:7c:1c:5b:73:c7:90:59:a8:ff:5d:9c:7e:e4:67:ee:97:89:ef:38:71:69:32:d1:85:e3
May 13 12:34:08 09[ENC] received unknown vendor ID: 8a:3b:5b:d4:b8:94:b2:f3:37:0c:1e:65:67:2e:ec:44
May 13 12:34:08 09[ENC] received unknown vendor ID: b6:c9:8c:ca:29:0a:eb:be:37:f1:9f:31:12:d2:d7:cb
May 13 12:34:08 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
May 13 12:34:08 09[IKE] local host is behind NAT, sending keep alives
May 13 12:34:08 09[IKE] received cert request for "CN=185.xxx.xxx.xxx"
May 13 12:34:08 09[IKE] received 5 cert requests for an unknown ca
May 13 12:34:08 09[IKE] sending cert request for "CN=185.xxx.xxx.xxx"
May 13 12:34:08 09[IKE] establishing CHILD_SA android{5}
May 13 12:34:08 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
May 13 12:34:08 09[NET] sending packet: from 100.81.165.92[35378] to 185.xxx.xxx.xxx[4500] (368 bytes)
May 13 12:34:08 10[NET] received packet: from 185.xxx.xxx.xxx[4500] to 100.81.165.92[35378] (80 bytes)
May 13 12:34:08 10[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 13 12:34:08 10[IKE] received AUTHENTICATION_FAILED notify error
0 -
Here are the settings that work for my Android 12 that are different to what you have.
Local policy IP 0.0.0.0
Phase 1
Encryption AES128
authentication SHA256
DH14
Phase 2
Encryption AES128
authentication SHA256
PFS DH2
For certificates, the built-in VPN client may not work; use the strongSwan VPN client.
0
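A small triage helper for the strongSwan client log posted above, added here as an example and not part of any post in this thread. It extracts the negotiated IKE proposal, flags a Diffie-Hellman group below 2048 bits (the log shows MODP_1024, which is DH2, while the settings reply uses DH14 for Phase 1), and reports which exchange the gateway rejected. The sample lines are constructed in the log's format with a placeholder address; the function name and the list of error notifies are assumptions.

```python
import re

# Constructed sample in the strongSwan Android log format; 192.0.2.10 is a placeholder.
SAMPLE_LOG = """\
May 13 12:34:08 06[IKE] initiating IKE_SA android[7] to 192.0.2.10
May 13 12:34:08 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
May 13 12:34:08 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
May 13 12:34:08 09[IKE] received 5 cert requests for an unknown ca
May 13 12:34:08 10[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
May 13 12:34:08 10[IKE] received AUTHENTICATION_FAILED notify error
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \d+\[[A-Z]+\] (?P<msg>.*)$")
PARSED = re.compile(r"parsed (?P<exch>\w+) response \d+ \[ (?P<payloads>.*) \]")
UNKNOWN_CA = re.compile(r"received (\d+) cert requests for an unknown ca")
# DH transform names as strongSwan prints them -> (IKE group number, modulus bits).
MODP = {"MODP_768": (1, 768), "MODP_1024": (2, 1024),
        "MODP_1536": (5, 1536), "MODP_2048": (14, 2048)}
# Subset of strongSwan's short names for error notifies (assumed list, not exhaustive).
ERROR_NOTIFIES = {"AUTH_FAILED", "NO_PROP", "INVAL_KE", "TS_UNACCEPT"}


def summarize(log_text):
    """Hypothetical helper: reduce a client log to the facts needed for triage."""
    out = {"proposal": None, "dh": None, "weak_dh": False,
           "unknown_ca_requests": 0, "failed_exchange": None, "error_notifies": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip banner lines or anything not in the expected format
        msg = m["msg"]
        if msg.startswith("selected proposal: IKE:"):
            out["proposal"] = msg.split("IKE:", 1)[1].split("/")
            out["dh"] = out["proposal"][-1]
            bits = MODP.get(out["dh"], (None, None))[1]
            out["weak_dh"] = bits is not None and bits < 2048
        elif (ca := UNKNOWN_CA.search(msg)):
            out["unknown_ca_requests"] = int(ca[1])
        elif (p := PARSED.search(msg)):
            errors = [n for n in re.findall(r"N\((\w+)\)", p["payloads"])
                      if n in ERROR_NOTIFIES]
            if errors:  # the gateway answered this exchange with an error notify
                out["failed_exchange"] = p["exch"]
                out["error_notifies"] = errors
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The summary separates two things that are easy to conflate in the raw log: IKE_SA_INIT completed and a proposal was selected, so the rejection happened in IKE_AUTH, on the gateway side.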