How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone (With Troubleshooting Included)

How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone (With Troubleshooting Included)

How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone (With Troubleshooting Included)
How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone (With Troubleshooting Included)
2024-02-05 03:22:06 - last edited 2024-08-28 02:04:19

Background:

 

Most cell phones now support IKEv2 VPN connections. Especially since Android has removed L2TP VPN. When you are out of home without a computer around and want to access some resources from your home network, establishing a VPN connection with the router through your phone is an easy and secure way.

 

This Article Applies to:

 

Routers with IPsec VPN.

 

Application Scenario:

 

 

Configuration Steps:

 

1. Start your Controller and access the Organization, choose the site.

2. Go to Settings > VPN > Create New VPN Policy > Client-to-Site VPN > VPN Server - IPsec

 

  • Set up your VPN server as Responder in Advanced Settings.
  • Remote Host should be set as 0.0.0.0.
  • Local Networks are the resources your VPN client can access.
  • IP Pool is used for the VPN client.

 

3. Go to Advanced Settings.

 

Negotiation Mode is set to Responder Mode.

Remote ID Type as Name and Remote ID as 123. Or you can choose your own ID.

 

4. Click Create.

5. Set up the Android IKEv2 IPsec client now. If you have trouble with this step, please refer to your manufacturer's User Guide on how to set up VPN.

 

  • Name is only for identification.
  • Server IP should be your public IP address. The picture is only for demonstration purposes and varies in your scenario.
  • IPsec Identifier should be the Remote ID you set.
  • Preshared Key should match the key you set up on the server.

 

(Optional) 6. Set up the iOS. Based on the previous steps, in the Advanced Settings, enable Local ID Type and put Local ID.

 

 

(Optional) 7. Set up the iOS client.

 

 

 

Note:

 

1. The IPsec VPN server IP address is a private IP address. This is for demonstration purposes. In your scenario, you are supposed to use a public IP address. If you don't have a public IP address, please contact your ISP. We are not obliged to offer any help to resolve your issues with the IP address.

2. This is classified as a Client-to-Site IPsec tunnel. There is no full tunneling. If you need full tunnel and proxy, please consider a different type of VPN.

3. If your IPsec VPN server is behind a NAT, please set your modem router into bridge mode.

If there is a problem with your WAN IP address being a private IP, and behind a NAT, even if you have set up the port forwarding, but there is still a chance to experience the error failing to connect, we are NOT obliged to resolve issues in this situation.

This is mainly due to the Android IPsec IKEv2 limitation in Remote ID, there is a possibility of experiencing a connection problem.

4. Different Android phones may have different Phase 1 and 2 encryption proposals, we recommend you try different ones if you experience a problem with that.

5. Samsung cellphones, the Remote ID type should be selected as IP address

 

Update Log:

 

May 27th, 2024:

Add a note.

 

Feb 5th, 2024:

Release of this guide.

 

Recommended Threads:

 

How to connect to Omada Router using IKEv2 VPN of Android/iOS

Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates

Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates

 

Feedback:

 

  • If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
  • If there is anything unclear in this solution post, please feel free to comment below.

 

Thank you in advance for your valuable feedback!

 

------------------------------------------------------------------------------------------------

Have other off-topic issues to report? 

Welcome to > Start a New Thread < and elaborate on the issue for assistance.

 

Background:

 

Most cell phones now support IKEv2 VPN connections. Especially since Android has removed L2TP VPN. When you are out of home without a computer around and want to access some resources from your home network, establishing a VPN connection with the router through your phone is an easy and secure way.

 

This Article Applies to:

 

Routers with IPsec VPN.

 

Application Scenario:

 

 

Configuration Steps:

 

1. Start your Controller and access the Organization, choose the site.

2. Go to Settings > VPN > Create New VPN Policy > Client-to-Site VPN > VPN Server - IPsec

 

  • Set up your VPN server as Responder in Advanced Settings.
  • Remote Host should be set as 0.0.0.0.
  • Local Networks are the resources your VPN client can access.
  • IP Pool is used for the VPN client.

 

3. Go to Advanced Settings.

 

Negotiation Mode is set to Responder Mode.

Remote ID Type as Name and Remote ID as 123. Or you can choose your own ID.

Note: Samsung cellphones, the Remote ID type should be selected as IP Address

 

4. Click Create.

5. Set up the Android IKEv2 IPsec client now. If you have trouble with this step, please refer to your manufacturer's User Guide on how to set up VPN.

 

  • Name is only for identification.
  • Server IP should be your public IP address. The picture is only for demonstration purposes and varies in your scenario.
  • IPsec Identifier should be the Remote ID you set.
  • Preshared Key should match the key you set up on the server.

 

(Optional) 6. Set up the iOS. Based on the previous steps, in the Advanced Settings, enable Local ID Type and put Local ID.

 

 

(Optional) 7. Set up the iOS client.

 

 

 

Note:

 

1. The IPsec VPN server IP address is a private IP address. This is for demonstration purposes. In your scenario, you are supposed to use a public IP address. If you don't have a public IP address, please contact your ISP. We are not obliged to offer any help to resolve your issues with the IP address.

2. This is classified as a Client-to-Site IPsec tunnel. There is no full tunneling. If you need full tunnel and proxy, please consider a different type of VPN.

3. If your IPsec VPN server is behind a NAT, please set your modem router into bridge mode.

If there is a problem with your WAN IP address being a private IP, and behind a NAT, even if you have set up the port forwarding, but there is still a chance to experience the error failing to connect, we are NOT obliged to resolve issues in this situation.

This is mainly due to the Android IPsec IKEv2 limitation in Remote ID, there is a possibility of experiencing a connection problem.

 

 

4. Different Android phones may have different Phase 1 and 2 encryption proposals, we recommend you try different ones if you experience a problem with that.

5. Samsung cellphones, the Remote ID type should be selected as IP Address

 

Update Log:

 

Aug 28th, 2024:

Update the note and title.

 

May 27th, 2024:

Add a note.

 

Feb 5th, 2024:

Release of this guide.

 

Recommended Threads:

 

How to connect to Omada Router using IKEv2 VPN of Android/iOS

Get the Latest Firmware Releases for Omada Routers Here - Subscribe for Updates

Get the Latest Omada SDN Controller Releases Here - Subscribe for Updates

 

Feedback:

 

  • If this was helpful, welcome to give us Kudos by clicking the upward triangle below.
  • If there is anything unclear in this solution post, please feel free to comment below.

 

Thank you in advance for your valuable feedback!

 

------------------------------------------------------------------------------------------------

Have other off-topic issues to report? 

Welcome to > Start a New Thread < and elaborate on the issue for assistance.

 

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0      
  0      
#1
Options
6 Reply
Re:How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone
2024-02-07 00:57:24

  @Clive_A Should I set the IP Pool to a non-existing subnet or to an existing subnet?

  0  
  0  
#2
Options
Re:How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone
2024-02-10 02:19:33

Hi @ceejaybassist 

ceejaybassist wrote

  @Clive_A Should I set the IP Pool to a non-existing subnet or to an existing subnet?

It does not matter AFAICS.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#3
Options
Re:How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone
2024-04-01 15:07:56 - last edited 2024-04-01 16:38:53

  @Clive_A 

 

I'm using the ER605 with Omada Controller (v5.13.23) and followed this guide for both iOS and Android settings. I have a vpn connection setup for L2TP and that works fine when connecting from my iOS phone.

 

With IKEv2 however on iOS phone and Android tablet, I can't connect to the vpn server regardless of the Local/Remote ID's suggested on this site. And I've tried DH2 and DH14.

 

Any ideas?

  0  
  0  
#4
Options
Re:How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone
2024-04-02 01:44:13

Hi @yorkman 

Thanks for posting in our business forum.

yorkman wrote

  @Clive_A 

 

I'm using the ER605 with Omada Controller (v5.13.23) and followed this guide for both iOS and Android settings. I have a vpn connection setup for L2TP and that works fine when connecting from my iOS phone.

 

With IKEv2 however on iOS phone and Android tablet, I can't connect to the vpn server regardless of the Local/Remote ID's suggested on this site. And I've tried DH2 and DH14.

 

Any ideas?

1. Is the IPsec on your iPhone Cisco IPsec? If it is Cisco IPsec, there might be a compatibility issue.

2. Android has been tested and working by myself several times. You should check if your IP is public or not. Read the notes. It is very important to bypass the double-NAT if that's your case.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#5
Options
Re:How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone
2024-04-02 02:25:34

  @Clive_A 

 

Thanks for your response.

 

My Android tablet doesn't have the option of connecting to the internet via sim card so I have to hotspot through my iPhone. I'm guessing the connection gets lost there. I was also hoping maybe I could connect to Omada's L2TP vpn from my iPhone (since that works fine) and that'd give me LAN access on my android trablet once I connect via hotspot but it doesn't work.

 

As an alternative though, I'd like to get ipsec/ikev2 vpn working on the Omada controller with my iPhone 12 at least but that won't work either. Omada does have a WAN public ip that it gets from my ISP. I tried NAT'ing ports 500 & 4500 UDP but that didn't make a difference. I'd like to get the iPhone to connect using ipsec/ikev2 as then I could concentrate on getting the android tablet to connect to the same vpn because I can't have both L2TP and IKEv2 on Omada. Why? Because once the L2TP vpn is created & configured it won't let me create the IKEv2 vpn due to an error "This IPSEC VPN policy has the same IP addresses settings for peer routers on the VPN tunnel as the existing one, the Phase-1 settings should be the same." So again, that is why I'd prefer to get IPSEC vpn working on Omada since both the iPhone & Android devices can connect to it.

 

On my iPhone, am I supposed to use Cisco IPSEC or IKEv2 for VPN Type if Omada's configured for IKEv2? I tried both anyway but still it won't connect to the vpn on Omada.

  0  
  0  
#6
Options
Re:How to Configure IPsec IKEv2 VPN for Android 13/14 or iPhone
2024-04-02 06:51:42

Hi @yorkman 

Thanks for posting in our business forum.

yorkman wrote

  @Clive_A 

 

Thanks for your response.

 

My Android tablet doesn't have the option of connecting to the internet via sim card so I have to hotspot through my iPhone. I'm guessing the connection gets lost there. I was also hoping maybe I could connect to Omada's L2TP vpn from my iPhone (since that works fine) and that'd give me LAN access on my android trablet once I connect via hotspot but it doesn't work.

 

As an alternative though, I'd like to get ipsec/ikev2 vpn working on the Omada controller with my iPhone 12 at least but that won't work either. Omada does have a WAN public ip that it gets from my ISP. I tried NAT'ing ports 500 & 4500 UDP but that didn't make a difference. I'd like to get the iPhone to connect using ipsec/ikev2 as then I could concentrate on getting the android tablet to connect to the same vpn because I can't have both L2TP and IKEv2 on Omada. Why? Because once the L2TP vpn is created & configured it won't let me create the IKEv2 vpn due to an error "This IPSEC VPN policy has the same IP addresses settings for peer routers on the VPN tunnel as the existing one, the Phase-1 settings should be the same." So again, that is why I'd prefer to get IPSEC vpn working on Omada since both the iPhone & Android devices can connect to it.

 

On my iPhone, am I supposed to use Cisco IPSEC or IKEv2 for VPN Type if Omada's configured for IKEv2? I tried both anyway but still it won't connect to the vpn on Omada.

You can start a new thread on your problem.

Please make sure you upload the screenshots for the verification on your settings. Since you mentioned double-NAT, I require a WAN screenshot.

Please mosaic your sensitive information. Here is a list of information considered sensitive:

1. Public IP address on your WAN if your WAN is.

2. Real MAC address of your device.

3. Your personal information including address, domain name, and credentials.

For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
  0  
  0  
#7
Options