Android 12 VPN to Zywall 110

With Android 12, Google has removed support for L2TP over IPsec. As a result, I needed to configure my Pixel 6 Pro to connect using "IKEv2/IPSec PSK". I looked at several guides I found online, but none of them worked for me. So, I had to fiddle around quite a bit to get it to work. Posting my config here so that others might benefit. Please post if you've found other configs that worked for you.

Gateway Config


Notes:
- I had to select DNS as the Local ID Type with my ZyWall domain name as the Content. Nothing else would work for me. It took me quite a while to figure this out!

Connection


Notes:
- I had to set the Local Policy to 0.0.0.0, otherwise my ZyWall would not route traffic from the Pixel to the Internet.

Android Config

All Replies

  • WJS
    WJS Posts: 123  Ally Member
    Is there any error message in the log? I'm not sure what proposal Android 12 supports, but I found the proposal below could work on Android 11. Maybe you can try that, and capture the negotiation packets to check which proposal should be selected.

    Phase 1 — SHA2(256)–AES(256)–DH2

    Phase 2 — SHA2(256)–AES(256)


  • WJS said:
    Is there any error message in the log?
    Sorry, perhaps you misunderstood my post. I posted a working configuration that might help others avoid the trial and error I had to do with Android 12 to get it to work.

  • Thanks for your tutorial.

    However, I cannot get it to work for a Motorola G82 phone / Android 12 phone.

    I spent the past 2 days trying to set it up. Unfortunately the route using the Strongswan client is not an option for us.

    Access via an iOS device works on the connection.

    This is a copy of the entries in the log. Perhaps you have an idea on where it goes wrong?

    No.  Date/Time            Source                  Destination             Priority  Category  Note     Message
    20   2023-02-04 13:35:51  178.139.232.98:21888    192.168.1.10:500        info      ike       IKE_LOG  The cookie pair is : 0xb2810c48da345c4d / 0xb1634a5f266fe453 [count=2]
    21   2023-02-04 13:35:51  178.139.232.98:21888    192.168.1.10:500        info      ike       IKE_LOG  Receiving IKEv2 request
    22   2023-02-04 13:35:51  178.139.232.98:21888    192.168.1.10:500        info      ike       IKE_LOG  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
    23   2023-02-04 13:35:51  178.139.232.98:21888    192.168.1.10:500        info      ike       IKE_LOG  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
    24   2023-02-04 13:35:51  192.168.1.10:500        178.139.232.98:21888    info      ike       IKE_LOG  The cookie pair is : 0xb1634a5f266fe453 / 0xb2810c48da345c4d
    25   2023-02-04 13:35:51  192.168.1.10:500        178.139.232.98:21888    info      ike       IKE_LOG  IKE SA [NatSoft_IKEv2_GW] is disconnected
    26   2023-02-04 13:35:51  178.139.232.98:21890    192.168.1.10:500        info      ike       IKE_LOG  The cookie pair is : 0xcfac2c4d1e6e8893 / 0xc0c087e52f902758 [count=2]
    27   2023-02-04 13:35:51  178.139.232.98:21890    192.168.1.10:500        info      ike       IKE_LOG  Receiving IKEv2 request
    28   2023-02-04 13:35:51  178.139.232.98:21890    192.168.1.10:500        info      ike       IKE_LOG  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
    29   2023-02-04 13:35:51  178.139.232.98:21890    192.168.1.10:500        info      ike       IKE_LOG  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
    30   2023-02-04 13:35:52  192.168.1.10:500        178.139.232.98:21890    info      ike       IKE_LOG  The cookie pair is : 0xc0c087e52f902758 / 0xcfac2c4d1e6e8893 [count=2]
    31   2023-02-04 13:35:52  192.168.1.10:500        178.139.232.98:21890    info      ike       IKE_LOG  [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID]
    32   2023-02-04 13:35:52  178.139.232.98:4500     192.168.1.10:4500       info      ike       IKE_LOG  The cookie pair is : 0xcfac2c4d1e6e8893 / 0xc0c087e52f902758
    33   2023-02-04 13:35:52  178.139.232.98:4500     192.168.1.10:4500       info      ike       IKE_LOG  [AUTH] Recv:[IDi][IDr][AUTH][SA][TSi][TSr][CONF]
    34   2023-02-04 13:35:52  192.168.1.10:500        178.139.232.98:21890    info      ike       IKE_LOG  IPsec SA negotiation failed
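Reading a ZyWall IKE log like the one above by hand is error-prone, so here is an added example (not from the post or from Zyxel) that groups IKE_LOG messages by cookie pair and names the IKEv2 exchange in which each attempt stopped. The sample input is the log above condensed into "src -> dst | message" lines, a flattening of my own rather than a ZyWall export format.

```python
import re

# Constructed sample, condensed from the ZyWall log table in the post above into
# "src -> dst | message" lines (my own flattening, not a ZyWall export format).
SAMPLE = """\
178.139.232.98:21888 -> 192.168.1.10:500 | The cookie pair is : 0xb2810c48da345c4d / 0xb1634a5f266fe453 [count=2]
178.139.232.98:21888 -> 192.168.1.10:500 | [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
192.168.1.10:500 -> 178.139.232.98:21888 | The cookie pair is : 0xb1634a5f266fe453 / 0xb2810c48da345c4d
192.168.1.10:500 -> 178.139.232.98:21888 | IKE SA [NatSoft_IKEv2_GW] is disconnected
178.139.232.98:21890 -> 192.168.1.10:500 | The cookie pair is : 0xcfac2c4d1e6e8893 / 0xc0c087e52f902758 [count=2]
178.139.232.98:21890 -> 192.168.1.10:500 | [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
192.168.1.10:500 -> 178.139.232.98:21890 | [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID]
178.139.232.98:4500 -> 192.168.1.10:4500 | [AUTH] Recv:[IDi][IDr][AUTH][SA][TSi][TSr][CONF]
192.168.1.10:500 -> 178.139.232.98:21890 | IPsec SA negotiation failed
"""

COOKIE_RE = re.compile(r"cookie pair is : (0x[0-9a-f]+) / (0x[0-9a-f]+)")
STAGE_RE = re.compile(r"\[(INIT|AUTH)\] (Recv|Send):\s*((?:\[\w+\])+)")
FAILURES = ("IPsec SA negotiation failed", "is disconnected")

def parse_attempts(text):
    """Group messages by IKE SA cookie pair; a cookie line sets the context for what follows."""
    attempts, current = {}, None
    for line in text.splitlines():
        msg = line.partition(" | ")[2]
        cookie = COOKIE_RE.search(msg)
        if cookie:
            # the responder logs the same pair in the opposite order, so key on the set
            current = frozenset(cookie.groups())
            attempts.setdefault(current, {"stages": [], "outcome": None})
            continue
        if current is None:
            continue
        stage = STAGE_RE.search(msg)
        if stage:
            exch, direction, payloads = stage.groups()
            attempts[current]["stages"].append((exch, direction, re.findall(r"\[(\w+)\]", payloads)))
        elif any(f in msg for f in FAILURES):
            attempts[current]["outcome"] = msg
    return attempts

def diagnose(attempt):
    """Name the IKEv2 exchange in which the attempt stopped, from the last payloads seen."""
    stages = attempt["stages"]
    if any(e == "AUTH" and d == "Recv" and "SA" in p for e, d, p in stages):
        return "IKE_AUTH reached: IKE SA agreed, failure is in the Child SA (Phase 2 proposal or traffic selectors)"
    if any(e == "INIT" and d == "Send" for e, d, _ in stages):
        return "IKE_SA_INIT answered, but no IKE_AUTH request was received"
    return "stopped in IKE_SA_INIT: no reply sent, check the Phase 1 proposal (encryption, integrity, DH group)"
```

On the sample above the first attempt stops in IKE_SA_INIT with no reply, while the second gets through IKE_AUTH and fails on the Child SA, which is where the Phase 2 proposal and the 0.0.0.0 local policy from the original post come into play.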

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    Hi @SpaceCowboy
    Greetings Forum,
    Because the "Certificate" is already included in the creation wizard for IKEv2, the script has to be opened with strongSwan.
    So I would suggest using PSK instead of a certificate if strongSwan is not an option, or please try to install the certificate on the Motorola G82 phone / Android 12 phone manually.
    Thank you


  • Hello Kevin
    I am using PSK and not certificate on the VPN Gateway Authentication Settings (Phase 1). Is there any other place where I can select PSK?
    I am basically using the settings from mhilbush adapted to our network (remote address, etc.)
    We are behind a router (I don't know if this is a problem) and we have a dynamic address from our provider, so we are using a dyndns DNS entry.
    As I said - from iOS everything works perfectly. All current Android 12 phones (we tested Motorola G82 & Samsung S22) cannot connect.
    We also tried AES128/SHA256 & AES256/SHA512 coding options but no change. Even tried all combinations with DH2 instead of DH14.
    Do you have any other recommendations?
    Kind regards
    Thomas

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    Hi @SpaceCowboy
    Please kindly try to install the latest FCS version: for ATP/FLEX/VPN v5.35, for USG v4.73.
    We already fixed an issue about multiple DH in IKEv2 connections (especially Android phones).
    If the issue persists, please capture traffic on the WAN interface when the mobile tries to initiate.
    Thank you
    Kevin
