VPN Server role IKEv2 broken as far as I can tell
Guru Member
Following another post about this have made my own post
https://support.zyxel.eu/hc/en-us/articles/4411498192914
Android 12 and ikev2 — Zyxel Community
Tested on USG60W V4.71(AAKZ.0) and VPN300 V5.21(ABFC.0)
Phone tested with Sony Xperia 5 II Android 12
I have tested every setting I can think of but get:
Receiving IKEv2 request[count=5]
[INIT] Recv:
[SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY] [count=5]
Recv IKE sa: SA([0]
protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES
CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES
CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128,
AES-XCBC-96, unknown integ [count=5]
The cookie pair is :
0x7180eb2e28ac6628 / 0x4364f247052b96a5 [count=3]
[SA] : Tunnel
[VPN_server] Phase 1 proposal mismatch [count=5]
[SA] : No proposal chosen [count=5]
My phone has the old IKEv1 which works but you can't make new ones with Android 12 only IKEv2
All Replies
-
Seems I didn't try every setting it was I combination of Key group and encryption thanks to the help of Joel B
Here are the lowest settings needed
So for Phase 1 I have
AES128 with SHA256
Key group DH14
for Phase 2 I have
AES128 with SHA256
PFS DH2
2 -
Hi @PeterUK,
Thanks for sharing this information to community
. It seems need to adjust IKEv2 phase1 and phase 2 encryption/authentication based on mobile device minimum cipher suites. 0 -
Unfortunately, the same happens with a ZyWALL 110 V4.70(AAAA.0) and a Realme GT2 Pro (Android 12, latest update as of today).I get the exact same error as the OP, and if I change Phase 1 Key Group to DH14, I only getIKE SA [VPN_1] is disconnected [count=3]withoutPhase 1 proposal mismatchNo proposal chosen
0 -
Hi @GioM,
Please try it again with StrongSwan client.
Following link for your reference.
https://community.zyxel.com/en/discussion/12940/android-12-and-ikev2
0
Zyxel Employee
Categories
- All Categories
- 394 Beta Program
- 2.1K Nebula
- 116 Nebula Ideas
- 78 Nebula Status and Incidents
- 5.1K Security
- 51 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 70 Switch Ideas
- 907 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 332 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 880 Nebula FAQ
- 415 Security FAQ
- 221 Switch FAQ
- 195 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 63 Security Highlight
