IKEv2/IPSec VPN server to connect Android 12 clients to the network.
IKEv2/IPSec VPN server to connect Android 12 clients to the network.
Dear members / technicians,
On Android 12 the old VPN types: PPTP and L2TP are no longet supported.
Only IKEv2/IPSec PSK, IKEv2/IPSec RSA, and IKEv2/IPSec MSCHAPv2, types are available.
Is there a tutorial, or example available, how to configurate VPN server for this IKEv2/IPSec VPN types?
I'm running a complete Omada network controlled by OC200. I can't get it work for now.
Hope someone can help me any further.
Best regards,
Alex
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I got it working following the example from Intrax (post#6). I would like to point out a few things in case it isn't clear enough:
You have to create a vpn user despite the android client does not expect an user. And you have to provide a password when creating the user but the password is not actually used anywhere. You also cannot choose ipsec as the vpn server type, so just leave it blank.
On your android phone you enter the pre-shared key you used when you create the vpn profile (not the vpn user password), and put the vpn user name in the "IPSec identifier" even it explicitly says that it isn't being used.
I am using omada software controller 5.7.4 with a er605 v2
- Copy Link
- Report Inappropriate Content
If you are using ER605 in standalone mode then I think it is possible, the latest firmware version 1.2.0 already supports IKEv2.
However, the controller doesn't seem to support it at the moment, hope their R&D department can speed up the process.
- Copy Link
- Report Inappropriate Content
Thank you Virgo,
Maybe that's the reason I can't get it to work.
Hopefully new firmware will solve this issue.
- Copy Link
- Report Inappropriate Content
@Intrax I have been having issues with this whole VPN issue ever since android no longer allowed L2TP.
Here is what I have been able to find out.
According to Watchguards site, unfortunately I can't link it, newer version of android are expecting:
Phase 1 — SHA2(256)–AES(256)–DH2
Phase 2 — SHA2(256)–AES(256)
If you do a google search for "android default VPN transforms" it should be the top result.
Unfortunately, it seems that while using SHA2 and AES256, TP-Link doesn't have the DH2 group available. I don't know if this information on watchguard's site is correct, but it may give some sort of indication as to why we can't connect to out IKEv2 VPN with our android phones. I personally have tried DH14 (based off a recommendation from zyxel for their VPNS) and DH5 with no luck. I will work through all the other DH Groups and see if I have any luck.
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
Thanks everyone for answering and testing.
Today I got it to work on my Android 12 phone by choosing VPN type 'IKEv2/IPSec PSK'
From the Omada controller (OC200), I first had to delete all VPN policies I created before, even if they were disabled"
It was necessary because otherwise it was not possible to define an IP Range in the new VPN policy rule.
Each time the message:
This IPsec VPN policy has the same IP addresses settings for peer routers on the VPN tunnel as the existing one, the Pre-Shared Key should be the same.
I have created the following VPN policy:
You must configure your own Pre-Shared Key in the yellow marked field.
Don't forget to set Negotiation Mode: to 'Responder Mode', only then you can set Remote Host: to '0.0.0.0' so you can connect to the VPN server from any IP address on the Internet.
I chose a different IP pool than my local LAN, 192.168.30.x. (Local LAN = 192.168.10.x)
-------------
Of course you still have to create a user:
Finally, create the VPN connection on the Android device:
Don't forget the Pre-Shared Key (yellow field)
--------------------------------------------------------------------
It works for me now. I can do anything on the network. The only thing I can't get to work yet is the Internet connection.
When my Android device is connected to the VPN server, I cannot access the Internet.
Maybe someone knows the solution for that.
Good luck and best regards,
Alex
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
Unfortunately, I've changed the DNS addresses but I can't access the internet from the connected VPN.
Everything within the network works fine but no internet access via the WAN port
- Copy Link
- Report Inappropriate Content
EDIT
- Copy Link
- Report Inappropriate Content
I've just discovered your post after having exactly the same issue!
The TP Link guidance of adding local ID names breaks it for me, however as you've done I can connect, my device shows connected, the router shows connected and I can get a local IP address via the VPN but I can't access any local or remote IPs when connected.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Information
Helpful: 2
Views: 18640
Replies: 19