Android IPSEC (IKEv1) X-Auth
I'm trying to connect my Sony Xperia ZX2 (Android 9.0 Pie) to USG20W-VPN. I follow instruction under this link
https://businessforum.zyxel.com/discussion/comment/3036#Comment_3036 .
Result is that on Android I have IP assigned from VPN address pool. In USG20W-VPN logs I see successful IKE communication (see attachement).But can't access internet.
I have default routing setup and security policy.
How to fix this ?
Regards,
Andrzej
All Replies
-
Hi @Andrzej
You can make sure you have added DNS setting in VPN connection first.
And then add policy route to internet for VPN client IP pool.
Source: VPN IP Pool, Destination: any, NextHop: WAN interface, SNAT: Outgoing interface
1 -
Zyxel_Stanley, thanks for prompt reply,
it didn't help :-) I know I am very close to solve this riddle so I spent some time to prepare visual explanation.
Still, target setup is that Android can talk through tunnel with PCs in LAN1_SUBNET and rest of the world (WAN).
Baby step question: VPN_POOL (subnet) is connected to "IPSect Connection" so how I can setup routing between this subnet and, lets say, LAN1_SUBNET( where all my PCs are) ?.
Regards,
Andrzej
0 -
Hi @Andrzej
I have tested it on Android 9, and it should work.
Go to make sure the NextHop interface is selected the interface which you connecting to Internet.
(If the interface is VLAN PPPoE, then select the interface which actual configured ISP account)
If the symptom still the same, you can go to Maintenance >Diagnostics > Routing traces > Click “Capture” button to check the routing status.
e.g. Capture the packets during VPN client accessing 1.1.1.1
0 -
Zyxel_Stanley,
checked - I have correct WAN interface in Policy Route.After connecting mobile phone to VPN I tryied to get some traces as you proposed - no results !What is 1.1.1.1 IP (Cloudflare DNS ?)I attach files with my route settings & logs that proves communication between phone and zyxel (connection came from 37. at the bottom, then they are exchanging R_U_THERE / R_U_THERE_ACK - I think that proves that IPSec session is established)
Regards,
Andrzej0 -
Hi @Andrzej
As your packet flow, there is no gateway IP exist of your Fiberlink interface…
If there is no gateway IP, then this interface is unable access to internet.
This is screenshot from my USG. The IP 10.XX.XX.254 is the gateway IP of WAN interface.
And USG is able access to internet by this interface.
Can you make sure if “Fiberlink“ is able access to internet first?
0 -
Zyxel_Stanley,
Fiberlink is my PPPoE interface (with static IP) on VLAN on WAN port (check ppp.png). This is my main gate to internet without it I don't have access to internet.
For VPN Gateway I set Fiberlink as "My Address" I also tried with domain name (check vpn_gw / vpn_gw_settings). It also visible as configured in VPN Connection settings( check vpn_connection_settings). At the end routing setting like in routing_settings.png
Andrzej
0 -
Hi @Andrzej
Your configuration seems to be correct, we’re not sure why it is not working in your environment since everything goes well in my testing.
I will send you private message for checking on your settings more details.
0 -
Hi @Andrzej
As our discussion, the VPN connection will work in strange condition…
Client have to establish VPN tunnel by WiFi interface first, and tunnel can establish successfully.
And then disable WiFi interface and establishing tunnel by LTE, the VPN tunnel can establish again.
This issue should come from Android behavior.
0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight