ZYWALL - Android IPSEC (IKEv2) Client reference

ChrisGer
ChrisGer Posts: 205  Ally Member
edited April 2021 in Security
Hello ZYXEL Community,
Is there a recommendation from ZYXEL (maybe also a manual) for which IPSEC client (no L2TP over IPSEC) works with IKEv1/2 on Android with a ZYWALL USG?

Android software is actually not available from ZYXEL itself  :'(

Thanks in advance and regards
Christian




Comments

  • Zyxel_Wei
    Zyxel_Wei Posts: 2  Zyxel Employee

    ChristianG,

    Please select IPSec Xauth PSK when you create the VPN. I think most Android OS versions support this function.


    Wei

  • Ian31
    Ian31 Posts: 174  Master Member
    Hi Christian,
    Here is my configuration, which works for Android using IPSec Xauth PSK to the USG.
    The key is that the VPN server needs to support X-Auth and mode-config for Android clients.
    On USG,
    1. USG VPN gateway rule,
    - IKEv1
    - Aggressive mode
    - AES-SHA1-DH2, lifetime 86400
    - Enable X-Auth


    2. USG VPN Connection rule,
    - Scenario: Remote Access (Server Role)
    - Local Policy: 0.0.0.0/0  ; you can set subnet 0.0.0.0/0 or host 0.0.0.0
    - AES-SHA1, no PFS, lifetime 28800
    - Enable mode config, and select a non-overlapping IP address range for VPN clients
      

    On Android, I just list the key parts you need to know.
    - Type: IPSec Xauth PSK
    - IPSec identifier: any string (without spaces or special characters), as the local ID to the USG
      Note: on the USG side the peer ID needs to be set to any. Other types will have compatibility issues, as I tested.


    Advanced (optional):
    By default, Android will forward all traffic into the VPN tunnel.
    If you want to run as a split tunnel, then you need to add the routes that need to go into the tunnel under Forwarding routes.

  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    Hi @Zyxel_Wei and @Ian31
    Thanks for the information and the screenshots, because I've read an article outside ZYXEL saying that several vendors had additional parameters in IPSEC that are required. And from ZYXEL I saw no post / KB article about the possibility and an example as described here ;)

    I will create a new GW/CON and test it - thanks for the information

    Regards
    Christian
  • ChrisGer
    ChrisGer Posts: 205  Ally Member
    It works =) I've set AES256/SHA512 and in the connection also DH14 to have the required configuration for the VPN connection. It works fine with the embedded IPSEC client on Android 7.1.

    Thanks for the quick response and the short manual :)

    Regards
    Christian
  • STech
    STech Posts: 1  Freshman Member

    Hi All,

    Thanks Ian31, as your post was very helpful. I had not configured the local policy with 0.0.0.0 and am still not sure why that works.

    As a note, I have a Pixel 3XL at Android 10 and it worked fine except that some web sites would not work. I could get an image from the site but some pages would not work. On my Nexus 6p using all the same VPN settings, everything worked fine.

    I then adjusted the MSS setting on my firewall and set it to 1280 and everything worked very nicely after that. Seems like some issue with the TCP segment size was too large and not handled correctly across the VPN.

    Based on web searches, the VPN on Android at certain levels seems to have problems. I could not get L2TP working reliably on the Pixel, which is why I tried IPSec instead.

    Regards

    Steve
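
As an added example (not part of any post in this thread, and not Zyxel code), the following Python computes the ESP tunnel-mode overhead for the phase 2 transforms mentioned above and the largest TCP MSS that avoids fragmentation, which puts the MSS value of 1280 reported above in context. It assumes IPv4 without options, AES-CBC for ESP, NAT-T (UDP encapsulation) and a 1500-byte path MTU; all function and table names are illustrative.

```python
# Added example: ESP tunnel-mode overhead and MSS sizing (assumed names).
OUTER_IPV4 = 20    # outer IPv4 header, no options
NAT_T_UDP = 8      # UDP/4500 encapsulation when a NAT is on the path
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes (encrypted)
INNER_IP_TCP = 40  # inner IPv4 (20) + TCP (20) headers

# cipher -> (IV bytes, block bytes); integrity -> truncated ICV bytes
CIPHERS = {"aes-cbc": (16, 16)}
ICV = {"hmac-sha1-96": 12, "hmac-sha2-256-128": 16, "hmac-sha2-512-256": 32}


def fixed_overhead(cipher, integrity, nat_t=True):
    """Bytes added around the ciphertext, independent of packet size."""
    iv, _ = CIPHERS[cipher]
    nat = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + nat + ESP_HEADER + iv + ICV[integrity]


def max_mss(path_mtu, cipher, integrity, nat_t=True):
    """Largest TCP MSS whose ESP packet still fits in path_mtu."""
    _, block = CIPHERS[cipher]
    room = path_mtu - fixed_overhead(cipher, integrity, nat_t)
    if room < block:
        raise ValueError("path MTU too small for this transform set")
    ciphertext = (room // block) * block  # whole cipher blocks only
    return ciphertext - ESP_TRAILER - INNER_IP_TCP


def min_path_mtu_for_mss(mss, cipher, integrity, nat_t=True):
    """Smallest path MTU that carries a full segment of this MSS unfragmented."""
    _, block = CIPHERS[cipher]
    plaintext = mss + INNER_IP_TCP + ESP_TRAILER
    ciphertext = -(-plaintext // block) * block  # round up to block size
    return fixed_overhead(cipher, integrity, nat_t) + ciphertext


if __name__ == "__main__":
    for integ in ("hmac-sha1-96", "hmac-sha2-512-256"):
        print(integ, "max MSS at MTU 1500:", max_mss(1500, "aes-cbc", integ))
        print(integ, "MTU needed for MSS 1280:",
              min_path_mtu_for_mss(1280, "aes-cbc", integ))
```

Under these assumptions an MSS of 1280 still fits when the real path MTU is well below 1500, as is common on mobile networks.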
