IKEv2/IPSec VPN server to connect Android 12 clients to the network.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

IKEv2/IPSec VPN server to connect Android 12 clients to the network.

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
IKEv2/IPSec VPN server to connect Android 12 clients to the network.
IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-05-30 23:10:44 - last edited 2023-11-06 03:53:05
Model: ER605 (TL-R605)  
Hardware Version: V1
Firmware Version: v1.2.0

Dear members / technicians,

 

On Android 12 the old VPN types: PPTP and L2TP are no longet supported.

Only IKEv2/IPSec PSK, IKEv2/IPSec RSA, and IKEv2/IPSec MSCHAPv2, types are available.

 

Is there a tutorial, or example available, how to configurate VPN server for this IKEv2/IPSec VPN types?

I'm running a complete Omada network controlled by OC200. I can't get it work for now.

 

Hope someone can help me any further.

 

Best regards,

Alex

 

 

OMADA equipment: TL-R605 v1 | OC200 v1 | TL-SG2428P v1 | 3x EAP245(EU) v3 Other: MC220L | TL-SG105E V3
  2      
  2      
#1
Options
1 Accepted Solution
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.-Solution
2023-11-05 14:29:05 - last edited 2023-11-06 03:53:05

  @PietroSpina

 

I got it working following the example from Intrax (post#6). I would like to point out a few things in case it isn't clear enough:

 

You have to create a vpn user despite the android client does not expect an user. And you have to provide a password when creating the user but the password is not actually used anywhere. You also cannot choose ipsec as the vpn server type, so just leave it blank.

 

On your android phone you enter the pre-shared key you used when you create the vpn profile (not the vpn user password), and put the vpn user name in the "IPSec identifier" even it explicitly says that it isn't being used.

 

I am using omada software controller 5.7.4 with a er605 v2

Recommended Solution
  0  
  0  
#18
Options
19 Reply
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-05-31 06:34:03 - last edited 2022-08-21 15:59:12

  @Intrax 

 

If you are using ER605 in standalone mode then I think it is possible, the latest firmware version 1.2.0 already supports IKEv2.
However, the controller doesn't seem to support it at the moment, hope their R&D department can speed up the process.

Just striving to develop myself while helping others.
  3  
  3  
#2
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-05-31 13:33:38

  @Virgo 

Thank you Virgo,

 

Maybe that's the reason I can't get it to work.

Hopefully new firmware will solve this issue.

 

 

OMADA equipment: TL-R605 v1 | OC200 v1 | TL-SG2428P v1 | 3x EAP245(EU) v3 Other: MC220L | TL-SG105E V3
  4  
  4  
#3
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-08-17 03:57:20

  @Intrax I have been having issues with this whole VPN issue ever since android no longer allowed L2TP.

Here is what I have been able to find out.

 

According to Watchguards site, unfortunately I can't link it, newer version of android are expecting:

Phase 1 — SHA2(256)–AES(256)–DH2

Phase 2 — SHA2(256)–AES(256)

 

If you do a google search for "android default VPN transforms" it should be the top result.

 

Unfortunately, it seems that while using SHA2 and AES256, TP-Link doesn't have the DH2 group available. I don't know if this information on watchguard's site is correct, but it may give some sort of indication as to why we can't connect to out IKEv2 VPN with our android phones. I personally have tried DH14 (based off a recommendation from zyxel for their VPNS) and DH5 with no luck. I will work through all the other DH Groups and see if I have any luck.

  2  
  2  
#4
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-08-17 13:32:42 - last edited 2022-10-13 10:38:55

EDIT

  0  
  0  
#5
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-08-21 19:00:45

Thanks everyone for answering and testing.


Today I got it to work on my Android 12 phone by choosing VPN type 'IKEv2/IPSec PSK'


From the Omada controller (OC200), I first had to delete all VPN policies I created before, even if they were disabled"

It was necessary because otherwise it was not possible to define an IP Range in the new VPN policy rule.
Each time the message:

This IPsec VPN policy has the same IP addresses settings for peer routers on the VPN tunnel as the existing one, the Pre-Shared Key should be the same.

 

I have created the following VPN policy:

 

You must configure your own Pre-Shared Key in the yellow marked field.

Don't forget to set Negotiation Mode: to 'Responder Mode', only then you can set Remote Host: to '0.0.0.0' so you can connect to the VPN server from any IP address on the Internet.

I chose a different IP pool than my local LAN, 192.168.30.x. (Local LAN = 192.168.10.x)

-------------

 

Of course you still have to create a user:

 

 

Finally, create the VPN connection on the Android device:

Don't forget the Pre-Shared Key (yellow field)

--------------------------------------------------------------------

 

It works for me now. I can do anything on the network. The only thing I can't get to work yet is the Internet connection.
When my Android device is connected to the VPN server, I cannot access the Internet.

Maybe someone knows the solution for that.

 

Good luck and best regards,

Alex

 

 

OMADA equipment: TL-R605 v1 | OC200 v1 | TL-SG2428P v1 | 3x EAP245(EU) v3 Other: MC220L | TL-SG105E V3
  4  
  4  
#6
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-08-21 19:16:29 - last edited 2022-10-13 10:38:28

EDIT

  2  
  2  
#7
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-08-29 12:33:27

  @btx

 

Unfortunately, I've changed the DNS addresses but I can't access the internet from the connected VPN.

Everything within the network works fine but no internet access via the WAN port

OMADA equipment: TL-R605 v1 | OC200 v1 | TL-SG2428P v1 | 3x EAP245(EU) v3 Other: MC220L | TL-SG105E V3
  0  
  0  
#8
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-08-30 13:08:24 - last edited 2022-10-13 10:38:38

EDIT

  0  
  0  
#9
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2022-11-16 20:42:39

  @Intrax 

 

I've just discovered your post after having exactly the same issue!

 

The TP Link guidance of adding local ID names breaks it for me, however as you've done I can connect, my device shows connected, the router shows connected and I can get a local IP address via the VPN but I can't access any local or remote IPs when connected.

  1  
  1  
#10
Options
Re:IKEv2/IPSec VPN server to connect Android 12 clients to the network.
2023-03-20 19:39:54
hey did you ever get internet to work, im looking to buy an ER605 but will be a bit of a deal breaker if I cant get site-client internet working
  1  
  1  
#11
Options