Issue establishing IPSEC-PSK VPN between Android 14 and USG20W-VPN

fil Posts: 3  Freshman Member

After many years of flawless operation of the IPSEC VPN between usg20w-vpn and Samsung S9 (Android 10), I have upgraded to a Samsung S24 (Android 14). I am facing the same issue as many others: I am not able to establish an IPSEC-PSK connection. I have followed many documents and instructions found on this forum, but I am still missing something. Please tell me what I am missing or doing wrong. Here is my log file and config:

Dec 19 09:23:44 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=The cookie pair is : 0x06b9053d600b2362 / 0x940fc438ab305bc8 cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:44 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=Receiving IKEv2 request cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:44 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=The cookie pair is : 0x06b9053d600b2362 / 0x940fc438ab305bc8 cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:44 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY] cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:44 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=Recv IKE sa: SA([0] protocol : IKE (1), AES CBC key len : 256, AES CBC key len : 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, HMAC-SHA1-96, HMAC-SHA512 PRF, HMAC-SHA384 PRF, HMAC-SHA256 PRF, HMAC-SHA1 PRF, RFC5114 2048-256 bit MODP, 384 bit ECP cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:44 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=e.f.g.h dst=a.b.c.d spt=500 dpt=8275 dvchost=firewall msg=The cookie pair is : 0x940fc438ab305bc8 / 0x06b9053d600b2362 cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:44 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=e.f.g.h dst=a.b.c.d spt=500 dpt=8275 dvchost=firewall msg=IKE SA [remote_warrior] is disconnected cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:45 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=The cookie pair is : 0x83fee9faa1590590 / 0x940fc438ab305bc8 cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:45 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=Receiving IKEv2 request cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:45 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=The cookie pair is : 0x83fee9faa1590590 / 0x940fc438ab305bc8 cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:45 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY] cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:45 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500 dvchost=firewall msg=Recv IKE sa: SA([0] protocol : IKE (1), AES CBC key len : 256, AES CBC key len : 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, HMAC-SHA1-96, HMAC-SHA512 PRF, HMAC-SHA384 PRF, HMAC-SHA256 PRF, HMAC-SHA1 PRF, 2048 bit MODP, RFC5114 2048-256 bit MO cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:45 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=e.f.g.h dst=a.b.c.d spt=500 dpt=8275 dvchost=firewall msg=The cookie pair is : 0x940fc438ab305bc8 / 0x83fee9faa1590590 cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:23:45 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=e.f.g.h dst=a.b.c.d spt=500 dpt=8275 dvchost=firewall msg=[INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID] cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:24:17 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=e.f.g.h dst=a.b.c.d spt=500 dpt=8275 dvchost=firewall msg=The cookie pair is : 0x940fc438ab305bc8 / 0x83fee9faa1590590 cat=IKE ZYlevel=info ZYnote=IKE_LOG

Dec 19 09:24:17 firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|devID=bc9911b02ffc src=e.f.g.h dst=a.b.c.d spt=500 dpt=8275 dvchost=firewall msg=IKE SA [remote_warrior] is disconnected cat=IKE ZYlevel=info ZYnote=IKE_LOG

address-object everyone 0.0.0.0/0

ikev2 policy remote_warrior_gw
activate
local-ip interface sfp
peer-ip 0.0.0.0 0.0.0.0
authentication pre-share
encrypted-keystring xxxx
local-id type ip 0.0.0.0
peer-id type any
fall-back-check-interval 300
lifetime 86400
group14
transform-set aes256-sha256
dpd-interval 30
no twofa-auth

crypto map remote_warrior
activate
adjust-mss auto
ipsec-isakmp remote_warrior_gw
scenario remote-access-server
encapsulation tunnel
transform-set esp-aes256-sha256
set security-association lifetime seconds 28800
set pfs none
local-policy everyone
remote-policy any
no conn-check activate
configuration-payload-provide activate
configuration-payload-provide address-pool vpn
configuration-payload-provide first-dns a.b.c.13
configuration-payload-provide second-dns a.b.c.15
configuration-payload-provide first-wins a.b.c.11
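
The log in the post interleaves two IKE_SA_INIT attempts. The Python sketch below, added here as an illustration and not part of the original post, groups lines like these by cookie pair and reports, per attempt, whether the gateway sent its INIT reply and how many seconds passed before the disconnect message. The sample lines are constructed from the post's log, and the single-line, pipe-delimited CEF layout is an assumption.

```python
import re

# Constructed sample: subset of the post's log, rejoined as one-line CEF (layout assumed).
TEMPLATE = ("Dec 19 {t} firewall CEF: 0|ZyXEL|USG20W-VPN|5.39(ABAR.1)|0|IKE|4|"
            "devID=bc9911b02ffc {ep} dvchost=firewall msg={m} "
            "cat=IKE ZYlevel=info ZYnote=IKE_LOG")
RX = "src=a.b.c.d dst=e.f.g.h spt=8275 dpt=500"  # received on UDP 500
TX = "src=e.f.g.h dst=a.b.c.d spt=500 dpt=8275"  # sent from UDP 500
A, B, G = "0x06b9053d600b2362", "0x83fee9faa1590590", "0x940fc438ab305bc8"
INIT_RECV = "[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]"
INIT_SEND = "[INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]"
DOWN = "IKE SA [remote_warrior] is disconnected"
EVENTS = [
    ("09:23:44", RX, f"The cookie pair is : {A} / {G}"), ("09:23:44", RX, INIT_RECV),
    ("09:23:44", TX, f"The cookie pair is : {G} / {A}"), ("09:23:44", TX, DOWN),
    ("09:23:45", RX, f"The cookie pair is : {B} / {G}"), ("09:23:45", RX, INIT_RECV),
    ("09:23:45", TX, f"The cookie pair is : {G} / {B}"), ("09:23:45", TX, INIT_SEND),
    ("09:24:17", TX, f"The cookie pair is : {G} / {B}"), ("09:24:17", TX, DOWN)]
SAMPLE = [TEMPLATE.format(t=t, ep=ep, m=m) for t, ep, m in EVENTS]

LINE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+CEF:\s*(.*)$")
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")  # values may contain spaces
COOKIES = re.compile(r"cookie pair is : (0x[0-9a-f]+) / (0x[0-9a-f]+)")

def parse_cef(line):
    """Return (seconds since midnight, extension dict) for one CEF syslog line."""
    h, m, s, cef = LINE.match(line).groups()
    ext = dict(KV.findall(cef.split("|", 7)[7]))  # 7 header fields, then key=value
    return int(h) * 3600 + int(m) * 60 + int(s), ext

def group_exchanges(lines):
    """Attach each message to the cookie (SPI) pair logged just before it."""
    exchanges, key = {}, None
    for line in lines:
        secs, ext = parse_cef(line)
        pair = COOKIES.search(ext["msg"])
        if pair:
            key = frozenset(pair.groups())  # same pair whichever side is listed first
        elif key is not None:
            exchanges.setdefault(key, []).append((secs, ext["msg"]))
    return exchanges

def summarize(exchanges):
    """One record per attempt: message count, duration, last message, INIT reply seen."""
    return [{"messages": len(m), "seconds": m[-1][0] - m[0][0], "last": m[-1][1],
             "init_reply_sent": any(t.startswith("[INIT] Send") for _, t in m)}
            for m in exchanges.values()]

print(summarize(group_exchanges(SAMPLE)))
```

On the sample, the first attempt ends in the same second without an INIT reply, and the second ends 32 seconds after the gateway's INIT reply with no further message logged in between.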

All Replies

  • Zyxel_Judy Posts: 1,641  Zyxel Employee

    Hi @fil ,

    I notice from the logs that you're using IKEv1; it seems the IKE version is incorrect. Please update your IKE version to IKEv2.

    If connection issues persist, please provide:

    1. The IKE logs
    2. Logs from your Strongswan APP or VPN application

    Judy
