Android IPSEC (IKEv1) X-Auth

Andrzej Posts: 7
edited April 2021 in Security
Hi guys, 
I'm trying to connect my Sony Xperia ZX2 (Android 9.0 Pie) to a USG20W-VPN. I followed the instructions under this link:
https://businessforum.zyxel.com/discussion/comment/3036#Comment_3036 .

The result is that on Android I have an IP assigned from the VPN address pool. In the USG20W-VPN logs I see successful IKE communication (see attachment). But I can't access the internet.

I have the default routing setup and security policy.

How can I fix this?

Regards,
Andrzej



All Replies

  • Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @Andrzej  

    First, make sure you have added the DNS setting in the VPN connection.


    Then add a policy route to the internet for the VPN client IP pool.

    Source: VPN IP Pool, Destination: any, NextHop: WAN interface, SNAT: Outgoing interface

  • Andrzej Posts: 7
    Zyxel_Stanley, thanks for the prompt reply,
    it didn't help :-) I know I am very close to solving this riddle, so I spent some time preparing a visual explanation.

    Still, the target setup is that Android can talk through the tunnel with PCs in LAN1_SUBNET and the rest of the world (WAN).

    Baby-step question: VPN_POOL (subnet) is connected to "IPSec Connection", so how can I set up routing between this subnet and, let's say, LAN1_SUBNET (where all my PCs are)?

    Regards,
    Andrzej

  • Zyxel_Stanley Posts: 1,361  Zyxel Employee
    edited May 2019

    Hi @Andrzej  

    I have tested it on Android 9, and it should work.

    Make sure the NextHop interface selected is the interface with which you connect to the Internet.

    (If the interface is VLAN PPPoE, then select the interface on which the ISP account is actually configured.)


    If the symptom is still the same, you can go to Maintenance > Diagnostics > Routing Traces and click the "Capture" button to check the routing status.

    e.g. capture the packets while the VPN client accesses 1.1.1.1


  • Andrzej Posts: 7
    Zyxel_Stanley
    Checked: I have the correct WAN interface in the Policy Route.
    After connecting the mobile phone to the VPN I tried to get some traces as you proposed: no results!
    What is the 1.1.1.1 IP (Cloudflare DNS?)

    I attach files with my route settings & logs that prove communication between the phone and the Zyxel (the connection came from 37. at the bottom, then they are exchanging R_U_THERE / R_U_THERE_ACK; I think that proves that the IPSec session is established).

    Regards,
    Andrzej
  • Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @Andrzej  

    According to your packet flow, there is no gateway IP on your Fiberlink interface…

    If there is no gateway IP, then this interface is unable to access the Internet.


    This is a screenshot from my USG. The IP 10.XX.XX.254 is the gateway IP of the WAN interface.

    And the USG is able to access the Internet via this interface.


    Can you first make sure that “Fiberlink“ is able to access the Internet?

  • Andrzej Posts: 7

    Zyxel_Stanley,
    Fiberlink is my PPPoE interface (with a static IP) on a VLAN on the WAN port (check ppp.png). This is my main gateway to the internet; without it I don't have internet access.

    For the VPN Gateway I set Fiberlink as "My Address"; I also tried with a domain name (check vpn_gw / vpn_gw_settings). It is also visible as configured in the VPN Connection settings (check vpn_connection_settings). Finally, the routing settings are as in routing_settings.png.

    Andrzej


  • Zyxel_Stanley Posts: 1,361  Zyxel Employee
    edited June 2019

    Hi @Andrzej

    Your configuration seems to be correct; we’re not sure why it is not working in your environment, since everything goes well in my testing.

    I will send you a private message to check your settings in more detail.

  • Ian31 Posts: 165  Master Member
    Hi @Andrzej,
    Is the IP Pool address for the VPN client in the same subnet as your LAN?

    You should configure the IP Pool address with any subnet that does not conflict with the local network,
    since the direct route takes higher priority than the dynamic VPN route.
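An added sanity check (my own example, not code from this thread or from Zyxel) that encodes the two configuration points raised above: Zyxel_Stanley's policy route (source VPN pool, destination any, next hop the WAN interface, SNAT outgoing interface) and Ian31's point that the pool must not overlap a directly connected subnet. The interface names, the LAN subnet and the 203.0.113.1 gateway are constructed for illustration; only the 192.168.10.0/24 pool comes from the thread.

```python
"""Added example (not from the thread or Zyxel): checks that a VPN client pool does
not overlap a connected subnet, and that the pool -> any policy route can reach the WAN."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Interface:
    name: str
    subnet: Optional[str]   # directly connected subnet; None for PPPoE
    gateway: Optional[str]  # gateway IP; None means no path to the Internet

@dataclass
class PolicyRoute:
    source: str             # network the route matches
    destination: str        # "any" or a network
    next_hop: str           # interface name
    snat: str               # "outgoing-interface" or "none"

def pool_conflicts(pool: str, interfaces: List[Interface]) -> List[str]:
    """Interfaces whose connected subnet overlaps the pool. A connected route beats
    the dynamic VPN route, so replies would go to the LAN instead of the tunnel."""
    p = ipaddress.ip_network(pool, strict=False)
    return [i.name for i in interfaces
            if i.subnet and ipaddress.ip_network(i.subnet, strict=False).overlaps(p)]

def route_problems(pool: str, route: PolicyRoute, interfaces: List[Interface]) -> List[str]:
    """Reasons a client could get a pool address yet still have no Internet."""
    problems, by_name = [], {i.name: i for i in interfaces}
    if ipaddress.ip_network(route.source, strict=False) != ipaddress.ip_network(pool, strict=False):
        problems.append("source is not the VPN client pool")
    if route.destination != "any":
        problems.append("destination must be any for Internet access")
    nh = by_name.get(route.next_hop)
    if nh is None:
        problems.append("next-hop interface %s does not exist" % route.next_hop)
    elif nh.gateway is None:
        problems.append("next-hop interface %s has no gateway IP" % route.next_hop)
    if route.snat != "outgoing-interface":
        problems.append("SNAT must be outgoing-interface; pool addresses are private")
    return problems

# Constructed sample: LAN1 behind the USG, a PPPoE WAN interface "Fiberlink" with
# and without a gateway, and the 192.168.10.0/24 pool from the thread.
INTERFACES = [Interface("lan1", "192.168.1.0/24", None),
              Interface("Fiberlink", None, "203.0.113.1"),   # placeholder gateway
              Interface("Fiberlink_nogw", None, None)]
VPN_POOL = "192.168.10.0/24"
GOOD_ROUTE = PolicyRoute(VPN_POOL, "any", "Fiberlink", "outgoing-interface")
BAD_ROUTE = PolicyRoute(VPN_POOL, "any", "Fiberlink_nogw", "none")
```

Running `route_problems(VPN_POOL, BAD_ROUTE, INTERFACES)` reproduces the two findings from this thread (WAN interface without a gateway IP, and missing SNAT), while the good route and the non-overlapping pool return empty lists.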
  • Andrzej Posts: 7
    Hi @Ian31
    VPN_SUBNET is set to 192.168.10.0/24 and it's unique in the system.

    Andrzej
  • Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @Andrzej  

    As per our discussion, the VPN connection will work under a strange condition…

    The client has to establish the VPN tunnel via the WiFi interface first, and the tunnel can be established successfully.

    Then, after disabling the WiFi interface and establishing the tunnel via LTE, the VPN tunnel can be established again.

    This issue should come from Android behavior.
