Problem with VPN configuration for Android 12 and above

Options
JanBab
JanBab Posts: 4
First Comment
in Security

Hi,

We have ATP100 (version: V5.38(ABPS.0)). We are unable to configure VPN connection using IKEv2. It is unable to start VPN connection. The following message appears.

Error-message.jpg

Here is our VPN connection and VPN gateway setup. We have a public IP address.

VPN gateway.jpg
VPN connection.jpg

I have one more question, is there another connection option for Android 12 and above? For example, by using a paid certificate?

Thanks

Jan

All Replies

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,462  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Hi @JanBab,

    You cannot click the "connect" button on a dynamic peer VPN tunnel as the dynamic VPN tunnel plays a passive role in waiting for client connections. Please refer to this link for configuring remote access VPN for Android clients.

    https://support.zyxel.eu/hc/en-us/articles/5897661827986-VPN-Configure-IKEv2-VPN-with-Android-via-StrongSwan

  • JanBab
    JanBab Posts: 4
    First Comment
    Options

    Connection failed again. Here is the log from Android. (185.xxx.xxx.xxx is our public IP address)

    May 13 12:34:08 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    May 13 12:34:08 00[DMN] Starting IKE service (strongSwan 5.9.13, Android 12 - SP1A.210812.016.G975FXXSGHWC1/2023-03-01, SM-G975F - samsung/beyond2lteeea/samsung, Linux 4.14.113-25257816, aarch64, org.strongswan.android)
    May 13 12:34:08 00[LIB] providers loaded by OpenSSL: default legacy
    May 13 12:34:08 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
    May 13 12:34:08 00[JOB] spawning 16 worker threads
    May 13 12:34:08 06[IKE] initiating IKE_SA android[7] to 185.xxx.xxx.xxx
    May 13 12:34:08 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    May 13 12:34:08 06[NET] sending packet: from 100.81.165.92[41807] to 185.xxx.xxx.xxx[500] (336 bytes)
    May 13 12:34:08 09[NET] received packet: from 185.xxx.xxx.xxx[500] to 100.81.165.92[41807] (721 bytes)
    May 13 12:34:08 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HTTP_CERT_LOOK) CERTREQ V V V V V V ]
    May 13 12:34:08 09[ENC] received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
    May 13 12:34:08 09[ENC] received unknown vendor ID: f9:19:6d:f8:6b:81:2f:b0:f6:80:26:d8:87:6d:cb:7b:00:04:32:00
    May 13 12:34:08 09[ENC] received unknown vendor ID: ac:40:f8:c4:38:99:27:c6:e8:ac:24:53:1b:b7:8b:2b:5d:a9:fc:4c:ae:bd:78:9e:03:d8:34:56:df:bd:4d:a1:ab:eb:d1:de:cd:16:ab:ba:b2:97:88:d7:11:33:e5:97:83:57:3a:6d:98:64:35:c5:f0:ba:0b:e6:db:52:9e:cd:ca:70:c6:45:d7:70:a5:3f:46:37:f0:ef:ac:9f:55:fe:93:75:1f:9c:cf:ff:c0:be:b6:b4:60:79:05:3e:11:33:45:04:83:e9:30:44:97:9c:26:58:03:d8:8b:43:4c:61:ab:39:40:2e:eb:c6:a5:24:bb:47:0c:7d:c6:3c:06:14
    May 13 12:34:08 09[ENC] received unknown vendor ID: 24:ae:2f:6d:9e:a6:1b:d4:23:5e:e3:f3:c2:ee:65:6f:9c:5c:14:23:75:76:ca:18:a7:93:b3:b6:66:e6:a4:6f:5d:b8:ef:bb:24:b5:61:7c:1c:5b:73:c7:90:59:a8:ff:5d:9c:7e:e4:67:ee:97:89:ef:38:71:69:32:d1:85:e3
    May 13 12:34:08 09[ENC] received unknown vendor ID: 8a:3b:5b:d4:b8:94:b2:f3:37:0c:1e:65:67:2e:ec:44
    May 13 12:34:08 09[ENC] received unknown vendor ID: b6:c9:8c:ca:29:0a:eb:be:37:f1:9f:31:12:d2:d7:cb
    May 13 12:34:08 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    May 13 12:34:08 09[IKE] local host is behind NAT, sending keep alives
    May 13 12:34:08 09[IKE] received cert request for "CN=185.xxx.xxx.xxx"
    May 13 12:34:08 09[IKE] received 5 cert requests for an unknown ca
    May 13 12:34:08 09[IKE] sending cert request for "CN=185.xxx.xxx.xxx"
    May 13 12:34:08 09[IKE] establishing CHILD_SA android{5}
    May 13 12:34:08 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    May 13 12:34:08 09[NET] sending packet: from 100.81.165.92[35378] to 185.xxx.xxx.xxx[4500] (368 bytes)
    May 13 12:34:08 10[NET] received packet: from 185.xxx.xxx.xxx[4500] to 100.81.165.92[35378] (80 bytes)
    May 13 12:34:08 10[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    May 13 12:34:08 10[IKE] received AUTHENTICATION_FAILED notify error

  • PeterUK
    PeterUK Posts: 2,849  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options

    Here settings that work for my Android 12 that are different to what you have.

    Local policy IP 0.0.0.0

    Phase 1

    Encryption AES128

    authentication SHA256

    DH14

    Phase 2

    Encryption AES128

    authentication SHA256

    PFS DH2

    for certificate the built-in VPN client may not works use strongswan VPN client

Categories

Security Highlight


Read more

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)