USG IPSEC VPN not working with new android 14
Hello, I found no way to get a working VPN between an Android 14 phone (or tablet) and my USG FLEX 200 firewall.
With IPSEC / PSK there is no way to enter a username/password on the phone (no support for XAuth), so I tried MSCHAPv2, but even if I follow the step-by-step guide the VPN connection stops with a "phase 1 local id mismatch" error in Zyxel's log.
Has anyone had any luck connecting an Android platform? Is there a working guide that explains how to do this?
Thank you in advance
Luca
All Replies
-
After trying lots of different options I now get a Phase 2 Local policy mismatch.
The router is behind a firewall and already has a configured L2TP VPN up and running with no problem.
IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [SA] : No proposal chosen
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [SA] : No proposal chosen
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  [AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
IKE  The cookie pair is : 0x3d332d23f9dbbe74 / 0x86c374adec9e2cc2
IKE  [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
IKE  The cookie pair is : 0x86c374adec9e2cc2 / 0x3d332d23f9dbbe74
IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
IKE  The cookie pair is : 0x3d332d23f9dbbe74 / 0x86c374adec9e2cc2
IKE  Receiving IKEv2 request
IKE  The cookie pair is : 0x3d332d23f9dbbe74 / 0x86c374adec9e2cc2
IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
IKE  The cookie pair is : 0x87b4a3e1c92dde61 / 0xb9dfccdbbff6d900
IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
IKE  The cookie pair is : 0xb9dfccdbbff6d900 / 0x87b4a3e1c92dde61
IKE  Receiving IKEv2 request
IKE  The cookie pair is : 0xb9dfccdbbff6d900 / 0x87b4a3e1c92dde61
Any ideas?
0 -
For the VPN connection, set Policy > Local policy to 0.0.0.0.
0 -
I configured the local policy as suggested but I still get "Phase 2 Local Policy Mismatch".
15/01/2025 12:05  info  IKE  [SA] : No proposal chosen
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [SA] : No proposal chosen
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [ID] : Tunnel [ARTE_VPN_IKEv2] Phase 2 Local policy mismatch
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  [AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
15/01/2025 12:05  info  IKE  The cookie pair is : 0x33283ea1e534379d / 0x30a964cb0377b9e4
15/01/2025 12:05  info  IKE  [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
15/01/2025 12:05  info  IKE  The cookie pair is : 0x30a964cb0377b9e4 / 0x33283ea1e534379d
15/01/2025 12:05  info  IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
15/01/2025 12:05  info  IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
15/01/2025 12:05  info  IKE  The cookie pair is : 0x33283ea1e534379d / 0x30a964cb0377b9e4
15/01/2025 12:05  info  IKE  Receiving IKEv2 request
0 -
Do you have other tunnels set up?
I suggest you use the strongSwan VPN Client.
0 -
I found that the error about Phase 2 was related to the Encapsulation: it was "transport" but needs to be "Tunnel".
Now phase 2 seems to be OK but I get an "Auth Fail!" error; certificates are OK (self-signed, created with Zyxel and configured on my Android phone both for CA and Server). I tried both an AD user and a local Zyxel user with the same results.
On the USG there is an L2TP VPN and an SSL VPN configured, both working with the same user database.
Any ideas? (Thanks again for your help.)
15/01/2025 15:34  info  IKE  AUTH fail!
15/01/2025 15:34  info  IKE  The cookie pair is : 0xac5377f720d12564 / 0xad94eef6f6272593
15/01/2025 15:34  info  IKE  [AUTH] Recv:[EAP]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  [AUTH] Recv:[IDi][IDr][SA][TSi][TSr][CONF]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  [INIT] Send:[SAr1][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][CERTREQ][VID][VID][VID][VID][VID][VID]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xac5377f720d12564 / 0xad94eef6f6272593
15/01/2025 15:34  info  IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
15/01/2025 15:34  info  IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  Receiving IKEv2 request
15/01/2025 15:34  info  IKE  The cookie pair is : 0xad94eef6f6272593 / 0xac5377f720d12564
15/01/2025 15:34  info  IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
15/01/2025 15:34  info  IKE  The cookie pair is : 0xaa86f3cef0f1fd4c / 0xf53bdd3c1a1ff2c5
15/01/2025 15:34  info  IKE  Recv IKE sa: SA([0] protocol = IKE (1), AES CTR key len = 256, AES CBC key len = 256, AES CTR key len = 192, AES CBC key len = 192, AES CTR key len = 128, AES CBC key len = 128, HMAC-SHA512-256, HMAC-SHA384-192, HMAC-SHA256-128, AES-XCBC-96, unknown integ
15/01/2025 15:34  info  IKE  [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
15/01/2025 15:34  info  IKE  The cookie pair is : 0xf53bdd3c1a1ff2c5 / 0xaa86f3cef0f1fd4c
15/01/2025 15:34  info  IKE  Receiving IKEv2 request
15/01/2025 15:34  info  IKE  The cookie pair is : 0xf53bdd3c1a1ff2c5 / 0xaa86f3cef0f1fd4c
15/01/2025 15:33  info  IKE  IKE SA [ARTE_VPN_IKEv2] is disconnected
15/01/2025 15:33  info  IKE  The cookie pair is : 0xd9d1b89cc9e66897 / 0xe279dfcc237c86be
0 -
Does the Android 14 built-in VPN support IKEv2/IPsec PSK? Try that, no need for a certificate.
For certificate support you might need the strongSwan VPN Client.
0 -
Android 14 has support for IKEv2/IPsec PSK but no XAuth, so I cannot enter my user/pass … I don't know what's used for this setting.
Using strongSwan I successfully connected to the VPN and I get the correct IP, but I'm not able to access anything inside my network (the same network configuration with L2TP clients works fine). In strongSwan I get this log (can "handling INTERNAL_IP4_NETMASK attribute failed" be the reason?):
Jan 16 09:40:01 15[NET] sending packet: from 10.69.100.59[42984] to _PUBLIC_IP_VPN_SERVER[4500] (112 bytes)
Jan 16 09:40:01 08[NET] received packet: from _PUBLIC_IP_VPN_SERVER[4500] to 10.69.100.59[42984] (256 bytes)
Jan 16 09:40:01 08[ENC] parsed IKE_AUTH response 6 [ AUTH CPRP(ADDR MASK DNS DNS) SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Jan 16 09:40:01 08[IKE] authentication of '_PUBLIC_IP_VPN_SERVER' with EAP successful
Jan 16 09:40:01 08[CFG] handling INTERNAL_IP4_NETMASK attribute failed
Jan 16 09:40:01 08[IKE] installing DNS server 10.136.125.155
Jan 16 09:40:01 08[CFG] handling INTERNAL_IP4_DNS attribute failed
Jan 16 09:40:01 08[IKE] installing new virtual IP 10.136.127.60
Jan 16 09:40:01 08[IKE] IKE_SA android[7] established between 10.69.100.59[vpnuser]..._PUBLIC_IP_VPN_SERVER[_PUBLIC_IP_VPN_SERVER]
Jan 16 09:40:01 08[IKE] scheduling rekeying in 35974s
Jan 16 09:40:01 08[IKE] maximum IKE_SA lifetime 37774s
Jan 16 09:40:01 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jan 16 09:40:01 08[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
Jan 16 09:40:01 08[IKE] CHILD_SA android{7} established with SPIs 98d7f653_i 9f430528_o and TS 10.136.127.60/32 === 0.0.0.0/24
Jan 16 09:40:01 08[DMN] setting up TUN device for CHILD_SA android{7}
Jan 16 09:40:01 08[DMN] successfully created TUN device
Jan 16 09:40:32 07[NET] received packet: from _PUBLIC_IP_VPN_SERVER[4500] to 10.69.100.59[42984] (80 bytes)
Jan 16 09:40:32 07[ENC] parsed INFORMATIONAL request 0 [ ]
Jan 16 09:40:32 07[ENC] generating INFORMATIONAL response 0 [ ]
Jan 16 09:40:32 07[NET] sending packet: from 10.69.100.59[42984] to _PUBLIC_IP_VPN_SERVER[4500] (80 bytes)
Jan 16 09:41:03 08[NET] received packet: from _PUBLIC_IP_VPN_SERVER[4500] to 10.69.100.59[42984] (80 bytes)
Jan 16 09:41:03 08[ENC] parsed INFORMATIONAL request 1 [ ]
Jan 16 09:41:03 08[ENC] generating INFORMATIONAL response 1 [ ]
Jan 16 09:41:03 08[NET] sending packet: from 10.69.100.59[42984] to _PUBLIC_IP_VPN_SERVER[4500] (80 bytes)
Jan 16 09:41:33 02[NET] received packet: from _PUBLIC_IP_VPN_SERVER[4500] to 10.69.100.59[42984] (80 bytes)
Jan 16 09:41:33 02[ENC] parsed INFORMATIONAL request 2 [ ]
Jan 16 09:41:33 02[ENC] generating INFORMATIONAL response 2 [ ]
Thanks again
Luca
0 -
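In the strongSwan log above the CHILD_SA comes up with TS 10.136.127.60/32 === 0.0.0.0/24, so only destinations in 0.0.0.0/24 are sent into the tunnel, which is consistent with a tunnel that is up while the internal network stays unreachable. As an added example (not from the thread, Zyxel or strongSwan), this Python script parses such a CHILD_SA line and checks whether an assumed LAN prefix (192.168.10.0/24, a placeholder) is covered by the negotiated remote traffic selector.

```python
import ipaddress
import re

# Constructed sample, modelled on the strongSwan client log quoted in the thread.
SAMPLE_LOG = """\
Jan 16 09:40:01 08[CFG] handling INTERNAL_IP4_NETMASK attribute failed
Jan 16 09:40:01 08[IKE] installing new virtual IP 10.136.127.60
Jan 16 09:40:01 08[IKE] CHILD_SA android{7} established with SPIs 98d7f653_i 9f430528_o and TS 10.136.127.60/32 === 0.0.0.0/24
"""

# Assumed internal network the phone should reach; a placeholder, not from the thread.
ASSUMED_LAN = [ipaddress.ip_network("192.168.10.0/24")]

# strongSwan prints local and remote selectors as space-separated lists around "===".
CHILD_SA_RE = re.compile(
    r"CHILD_SA \S+ established with SPIs .* and TS (?P<local>.+?) === (?P<remote>.+)$"
)


def parse_traffic_selectors(log):
    """Return (local, remote) traffic-selector lists from the CHILD_SA line, or None."""
    for line in log.splitlines():
        m = CHILD_SA_RE.search(line)
        if m:
            local = [ipaddress.ip_network(n) for n in m["local"].split()]
            remote = [ipaddress.ip_network(n) for n in m["remote"].split()]
            return local, remote
    return None


def uncovered_subnets(remote_ts, lan_subnets):
    """LAN subnets that no remote selector covers: traffic to them bypasses the tunnel."""
    return [s for s in lan_subnets
            if not any(t.version == s.version and s.subnet_of(t) for t in remote_ts)]


def diagnose(log, lan_subnets=ASSUMED_LAN):
    """Explain why an established IKEv2 tunnel might carry no LAN traffic."""
    ts = parse_traffic_selectors(log)
    if ts is None:
        return ["no CHILD_SA established; the failure is in IKE_SA_INIT/IKE_AUTH, not routing"]
    _local, remote = ts
    findings = [f"{s} is outside the remote TS {[str(t) for t in remote]}: "
                f"the gateway's local policy must include it (0.0.0.0/0 for a full tunnel)"
                for s in uncovered_subnets(remote, lan_subnets)]
    # A selector starting at 0.0.0.0 with a non-zero prefix is almost always a mask mistake.
    if any(t.version == 4 and t.prefixlen > 0 and int(t.network_address) == 0 for t in remote):
        findings.append("remote TS starts at 0.0.0.0 but is not /0: the local policy mask is probably wrong")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```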
Hello Peter, after fixing the Local Policy and creating a new rule under Network → Routing I finally made it work with strongSwan; the Android client still gives an "Auth Fail!" message.
Thanks for your help
0