USG IPSEC VPN not working with new Android 14
Hello, I found no way to have a working VPN between an Android 14 phone (or tablet) and my USG FLEX 200 Firewall.
With IPSEC / PSK there is no way to insert username/password in the phone (no support for Xauth), so I tried MSCHAPv2, but even if I follow the step-by-step guide the VPN connection stops with a "phase 1 local id mismatch" error in Zyxel's log.
Did anyone have any luck connecting an Android platform? Any working guide that can explain how to do this?
Thank you in advance
Luca
All Replies
-
After trying a lot of different options, I now get a Phase 2 Local policy mismatch.
The router is behind a firewall and it already has a configured L2TP VPN up and running with no problem.
IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [SA] : No proposal chosen
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [SA] : No proposal chosen
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
IKE  The cookie pair is : 0x3d332d23f9dbbe74 / 0x86c374adec9e2cc2
IKE  [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
IKE  The cookie pair is : 0x3d332d23f9dbbe74 / 0x86c374adec9e2cc2
IKE  Receiving IKEv2 request
IKE  The cookie pair is : 0x3d332d23f9dbbe74 / 0x86c374adec9e2cc2
IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
IKE  The cookie pair is : 0x87b4a3e1c92dde61 / 0xb9dfccdbbff6d900
IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
IKE  The cookie pair is : 0xb9dfccdbbff6d900 / 0x87b4a3e1c92dde61
IKE  Receiving IKEv2 request
IKE  The cookie pair is : 0xb9dfccdbbff6d900 / 0x87b4a3e1c92dde61
Any ideas?
0 -
In the VPN connection, under Policy, set Local policy to 0.0.0.0.
0 -
I configured the local policy as suggested but I still get "Phase 2 Local Policy Mismatch".
15/01/2025 12:05  info  IKE  [SA] : No proposal chosen
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [SA] : No proposal chosen
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
15/01/2025 12:05  info  IKE  The cookie pair is : 0x33283ea1e534379d / 0x30a964cb0377b9e4
15/01/2025 12:05  info  IKE  [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
15/01/2025 12:05  info  IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
15/01/2025 12:05  info  IKE  The cookie pair is : 0x33283ea1e534379d / 0x30a964cb0377b9e4
15/01/2025 12:05  info  IKE  Receiving IKEv2 request
0 -
Do you have other tunnels set up?
I suggest you use the strongSwan VPN Client.
0 -
I found that the error about Phase 2 was related to the Encapsulation: it was "transport" but needs to be "Tunnel".
Now phase 2 seems to be OK, but I get an Auth Fail! error. Certificates are OK (self-signed, created with Zyxel and configured on my Android phone both for CA and Server). I tried both an AD user and a local Zyxel user with the same results.
On the USG there are an L2TP VPN and an SSL VPN configured, both working with the same user database.
Any ideas? (thanks again for your help)
15/01/2025 15:34  info  IKE  AUTH fail!
15/01/2025 15:34  info  IKE  The cookie pair is : 0xac5377f720d12564 / 0xad94eef6f6272593
15/01/2025 15:34  info  IKE  [AUTH] Recv:[EAP]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  [AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xac5377f720d12564 / 0xad94eef6f6272593
15/01/2025 15:34  info  IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
15/01/2025 15:34  info  IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  Receiving IKEv2 request
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
15/01/2025 15:34  info  IKE  The cookie pair is : 0xaa86f3cef0f1fd4c / 0xf53bdd3c1a1ff2c5
15/01/2025 15:34  info  IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
15/01/2025 15:34  info  IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xf53bdd3c1a1ff2c5 / 0xaa86f3cef0f1fd4c
15/01/2025 15:34  info  IKE  Receiving IKEv2 request
15/01/2025 15:34  info  IKE  The cookie pair is : 0xf53bdd3c1a1ff2c5 / 0xaa86f3cef0f1fd4c
15/01/2025 15:33  info  IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
15/01/2025 15:33  info  IKE  The cookie pair is : 0xd9d1b89cc9e66897 / 0xe279dfcc237c86be
0 -
Does the Android 14 built-in VPN support IKEv2/IPSec PSK? Try that; no need for a certificate.
For certificate support you might need the strongSwan VPN Client.
0
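Added example (not part of the thread and not Zyxel code): a small Python triage over log text in the layout posted above. It groups entries by cookie pair regardless of direction and reports which exchanges each attempt reached and which of the failures named in this thread ended it. The sample log, its cookie values, the tunnel name and the labels `phase1-id`, `phase2-policy` and `auth` are constructed for illustration.

```python
import re

# Constructed sample in the thread's layout: newest entry first, each message
# followed by the cookie-pair line that belongs to it. Values are made up.
SAMPLE = """\
AUTH fail!
The cookie pair is : 0x1111111111111111 / 0x2222222222222222
[AUTH] Recv:[EAP]
The cookie pair is : 0x2222222222222222 / 0x1111111111111111
[AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
The cookie pair is : 0x2222222222222222 / 0x1111111111111111
[INIT] Recv: [SA][KE][NONCE]
The cookie pair is : 0x2222222222222222 / 0x1111111111111111
[SA] : No proposal chosen
The cookie pair is : 0x3333333333333333 / 0x4444444444444444
[ID] : Tunnel [EXAMPLE_TUNNEL] Phase 2 Local policy mismatch
The cookie pair is : 0x3333333333333333 / 0x4444444444444444
[AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
The cookie pair is : 0x4444444444444444 / 0x3333333333333333
[INIT] Recv: [SA][KE][NONCE]
The cookie pair is : 0x4444444444444444 / 0x3333333333333333
"""

COOKIE = re.compile(r"The cookie pair is : (0x[0-9a-fA-F]+) / (0x[0-9a-fA-F]+)")
# Column residue (timestamp, severity, category) that may sit between entries.
NOISE = re.compile(r"^(IKE|info|\d{2}/\d{2}/\d{4} \d{2}:\d{2}(info)?)$")
# Log substring (lower-cased) -> label chosen for this example.
FAILURES = {"phase 1 local id mismatch": "phase1-id", "phase 2 local policy mismatch": "phase2-policy",
            "no proposal chosen": "phase2-policy", "auth fail": "auth"}

def triage(text):
    """Return [(cookie_pair, exchanges_seen, failure_label)], oldest attempt first."""
    attempts, pending = {}, None
    for line in map(str.strip, text.splitlines()):
        m = COOKIE.search(line)
        if m is None:
            if line and not NOISE.match(line):
                pending = line              # message waiting for its cookie line
        elif pending is not None:
            # The pair is printed in either order, so sort it to get one key per IKE SA.
            attempts.setdefault(tuple(sorted(m.groups())), []).append(pending)
            pending = None
    report = []
    for pair, msgs in reversed(list(attempts.items())):   # log is newest-first
        joined = " ".join(msgs).lower()
        seen = [t for t in ("[INIT]", "[AUTH]", "[EAP]") if t.lower() in joined]
        failure = next((lab for sub, lab in FAILURES.items() if sub in joined), None)
        report.append((pair, seen, failure))
    return report
```

An attempt that stops at `[AUTH]` with `phase2-policy` corresponds to the encapsulation mismatch found in this thread; one that reaches `[EAP]` and ends in `auth` corresponds to the later "AUTH fail!" log.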