IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)

2 weeks ago - last edited a week ago
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.4

Hello all!

I have an ER605v2 running alongside an OC200 controller. I've previously tried to set up an IKEv2 VPN server to access my network from the internet using a flagship Android device before I got the OC200, and if I remember correctly I had success.

After getting the OC200, and now using a Galaxy S24 Ultra, I cannot get the server to work. Things to consider:

  • ER605 is NOT double NATted, the modem from the ISP is configured in Bridged Mode and the router has its own public IP address.
  • I've tried many, many proposal settings and I don't think that's the problem.

Using the app "strongSwan" to connect, I get the following LOG:

Apr 14 13:44:50 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Apr 14 13:44:50 00[DMN] Starting IKE service (strongSwan 5.9.13, Android 14 - UP1A.231005.007.S928BXXU1AXCA/2024-04-01, SM-S928B - samsung/e3qxxx/samsung, Linux 6.1.25-android14-11-28243294-abS928BXXU1AXCA, aarch64, orgDOTstrongswanDOTandroid)
Apr 14 13:44:50 00[LIB] providers loaded by OpenSSL: default legacy
Apr 14 13:44:50 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Apr 14 13:44:50 00[JOB] spawning 16 worker threads
Apr 14 13:44:50 11[IKE] initiating IKE_SA android[18] to 190.#.#.###
Apr 14 13:44:50 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 14 13:44:50 11[NET] sending packet: from 192.168.#.###[[35856] to 190.#.#.###[500] (948 bytes)
Apr 14 13:44:50 08[NET] received packet: from 190.#.#.###[500] to 192.168.#.###[[35856] (38 bytes)
Apr 14 13:44:50 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 14 13:44:50 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Apr 14 13:44:50 08[IKE] initiating IKE_SA android[18] to 190.#.#.###
Apr 14 13:44:50 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 14 13:44:50 08[NET] sending packet: from 192.168.#.###[[35856] to 190.#.#.###[500] (1140 bytes)
Apr 14 13:44:51 07[NET] received packet: from 190.#.#.###[500] to 192.168.#.###[[35856] (456 bytes)
Apr 14 13:44:51 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 14 13:44:51 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 14 13:44:51 07[IKE] local host is behind NAT, sending keep alives
Apr 14 13:44:51 07[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., CN=Microsec e-Szigno Root CA 2009, E=info@e-szignoDOThu"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert High Assurance EV Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert, Inc., CN=DigiCert TLS RSA4096 Root G5"
Apr 14 13:44:51 07[IKE] sending cert request for "C=TN, O=Agence Nationale de Certification Electronique, CN=TunTrust Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root R46"
Apr 14 13:44:51 07[IKE] sending cert request for "C=JP, O=SECOM TrustDOTnet, OU=Security Communication RootCA1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSLDOTcom Root Certification Authority ECC"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert Assured ID Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Certainly, CN=Certainly Root R1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P384 Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, OU=wwwDOTxrampsecurityDOTcom, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3 G3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert Assured ID Root G3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=FR, O=Dhimyotis, OU=0002 48146308100036, CN=Certigna Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Silver CA - G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Microsoft Corporation, CN=Microsoft ECC Root Certificate Authority 2017"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT"
Apr 14 13:44:51 07[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., OU=Security Communication RootCA2"
Apr 14 13:44:51 07[IKE] sending cert request for "OU=GlobalSign Root CA - R6, O=GlobalSign, CN=GlobalSign"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See wwwDOTentrustDOTnet/legal-terms, OU=(c) 2015 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G4"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium ECC"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert Trusted Root G4"
Apr 14 13:44:51 07[IKE] sending cert request for "C=PL, O=Krajowa Izba Rozliczeniowa S.A., CN=SZAFIR ROOT CA2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=IT, L=Milan, O=Actalis S.p.A./03358520967, CN=Actalis Authentication Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert Global Root G3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSLDOTcom Root Certification Authority RSA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=Secure Global CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA 2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST EV Root CA 1 2020"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See wwwDOTentrustDOTnet/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - EC1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign Root CA - C1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CN, O=iTrusChina Co.,Ltd., CN=vTrus Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=AT, O=e-commerce monitoring GmbH, CN=GLOBALTRUST 2020"
Apr 14 13:44:51 07[IKE] sending cert request for "C=RO, O=CERTSIGN SA, OU=certSIGN ROOT CA G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA 1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert, Inc., CN=DigiCert TLS ECC P384 Root G5"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=GoDaddyDOTcom, Inc., CN=Go Daddy Root Certificate Authority - G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=SK, L=Bratislava, O=Disig a.s., CN=CA Disig Root R2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Premium"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA TLS RSA Root CA 2021"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CN, O=GUANG DON CERTIFICATE AUTHORITY CO.,LTD., CN=GDCA TrustAUTH R5 ROOT"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=ES, O=FNMT-RCM, OU=Ceres, 55:04:61=VATES-Q2826004J, CN=AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=SecureTrust Corporation, CN=SecureTrust CA"
Apr 14 13:44:51 07[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign"
Apr 14 13:44:51 07[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 1 G3"
Apr 14 13:44:51 07[IKE] sending cert request for "O=TeliaSonera, CN=TeliaSonera Root CA v1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication ECC RootCA1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign Root CA - G1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CH, O=SwissSign AG, CN=SwissSign Gold CA - G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Root E46"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GC CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., OU=ePKI Root Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=PL, O=Asseco Data Systems S.A., OU=Certum Certification Authority, CN=Certum Trusted Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=KR, O=NAVER BUSINESS PLATFORM Corp., CN=NAVER Global Root Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 1"
Apr 14 13:44:51 07[IKE] sending cert request for "OU=GlobalSign ECC Root CA - R5, O=GlobalSign, CN=GlobalSign"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Networking"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Global G2 Root"
Apr 14 13:44:51 07[IKE] sending cert request for "C=HK, O=Hongkong Post, CN=Hongkong Post Root CA 1"
Apr 14 13:44:51 07[IKE] sending cert request for "O=EntrustDOTnet, OU=wwwDOTentrustDOTnet/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 EntrustDOTnet Limited, CN=EntrustDOTnet Certification Authority (2048)"
Apr 14 13:44:51 07[IKE] sending cert request for "C=FR, O=Dhimyotis, CN=Certigna"
Apr 14 13:44:51 07[IKE] sending cert request for "C=IN, OU=emSign PKI, O=eMudhra Technologies Limited, CN=emSign ECC Root CA - G3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "CN=Atos TrustedRoot 2011, O=Atos, C=DE"
Apr 14 13:44:51 07[IKE] sending cert request for "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign"
Apr 14 13:44:51 07[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=TR, L=Gebze - Kocaeli, O=Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK, OU=Kamu Sertifikasyon Merkezi - Kamu SM, CN=TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Google Trust Services LLC, CN=GTS Root R4"
Apr 14 13:44:51 07[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CH, O=WISeKey, OU=OISTE Foundation Endorsed, CN=OISTE WISeKey Global Root GB CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=PL, O=Asseco Data Systems S.A., OU=Certum Certification Authority, CN=Certum EC-384 CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=TW, O=Chunghwa Telecom Co., Ltd., CN=HiPKI Root CA - G1"
Apr 14 13:44:51 07[IKE] sending cert request for "CN=ACCVRAIZ1, OU=PKIACCV, O=ACCV, C=ES"
Apr 14 13:44:51 07[IKE] sending cert request for "C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication RootCA3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust ECC Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 4"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=IdenTrust, CN=IdenTrust Public Sector Root CA 1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=wwwDOTentrustDOTnet/CPS is incorporated by reference, OU=(c) 2006 Entrust, Inc., CN=Entrust Root Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=FI, O=Telia Finland Oyj, CN=Telia Root CA v2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSLDOTcom EV Root Certification Authority ECC"
Apr 14 13:44:51 07[IKE] sending cert request for "C=DE, O=T-Systems Enterprise Services GmbH, OU=T-Systems Trust Center, CN=T-TeleSec GlobalRoot Class 3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSLDOTcom EV Root Certification Authority RSA R2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert Global Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert Global Root G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CN, O=UniTrust, CN=UCA Extended Validation Root"
Apr 14 13:44:51 07[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 EV 2009"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Certainly, CN=Certainly Root E1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, OU=emSign PKI, O=eMudhra Inc, CN=emSign ECC Root CA - C3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Microsoft Corporation, CN=Microsoft RSA Root Certificate Authority 2017"
Apr 14 13:44:51 07[IKE] sending cert request for "serialNumber=G63287510, C=ES, O=ANF Autoridad de Certificacion, OU=ANF CA Raiz, CN=ANF Secure Server Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=ES, O=IZENPE S.A., CN=IzenpeDOTcom"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA TLS ECC Root CA 2021"
Apr 14 13:44:51 07[IKE] sending cert request for "C=HU, L=Budapest, O=Microsec Ltd., 55:04:61=VATHU-23584497, CN=e-Szigno Root CA 2017"
Apr 14 13:44:51 07[IKE] sending cert request for "C=HU, L=Budapest, O=NetLock Kft., OU=Tan??s??tv??nykiad??k (Certification Services), CN=NetLock Arany (Class Gold) F??tan??s??tv??ny"
Apr 14 13:44:51 07[IKE] sending cert request for "C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=CN, O=iTrusChina Co.,Ltd., CN=vTrus ECC Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=ES, O=FNMT-RCM, OU=AC RAIZ FNMT-RCM"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=DigiCert Inc, OU=wwwDOTdigicertDOTcom, CN=DigiCert Assured ID Root G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions ECC RootCA 2015"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Illinois, L=Chicago, O=Trustwave Holdings, Inc., CN=Trustwave Global ECC P256 Certification Authority"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Entrust, Inc., OU=See wwwDOTentrustDOTnet/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=RO, O=certSIGN, OU=certSIGN ROOT CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST BR Root CA 1 2020"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2"
Apr 14 13:44:51 07[IKE] sending cert request for "C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Global Root CA"
Apr 14 13:44:51 07[IKE] sending cert request for "C=DE, O=D-Trust GmbH, CN=D-TRUST Root Class 3 CA 2 2009"
Apr 14 13:44:51 07[IKE] sending cert request for "C=HK, ST=Hong Kong, L=Hong Kong, O=Hongkong Post, CN=Hongkong Post Root CA 3"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=AffirmTrust, CN=AffirmTrust Commercial"
Apr 14 13:44:51 07[IKE] sending cert request for "C=JP, O=Japan Certification Services, Inc., CN=SecureSign RootCA11"
Apr 14 13:44:51 07[IKE] sending cert request for "C=GR, L=Athens, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2015"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Services Root Certificate Authority - G2"
Apr 14 13:44:51 07[IKE] establishing CHILD_SA android{16}
Apr 14 13:44:51 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 14 13:44:51 07[NET] sending packet: from 192.168.#.###[[40071] to 190.#.#.###[4500] (3116 bytes)
Apr 14 13:44:51 12[NET] received packet: from 190.#.#.###[4500] to 192.168.#.###[[40071] (76 bytes)
Apr 14 13:44:51 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 14 13:44:51 12[IKE] received AUTHENTICATION_FAILED notify error

Currently, this is my config, following the guide that is provided in the forum:

Any idea what can be causing the problem?

Couldn't get a Windows computer to connect either, no matter what proposals I select.

Thanks!

#1
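
Added example, not part of the original post and not strongSwan code: a small Python triage of a strongSwan initiator log like the one above, reporting which exchange failed and what had already been negotiated by then. The function names, the `FATAL` and `LEGACY` lists and the second sample log are assumptions made for this illustration.

```python
import re

# Condensed from the strongSwan log posted above (addresses masked as posted;
# only two of the many "sending cert request" lines are kept).
SAMPLE_LOG = """\
Apr 14 13:44:50 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 14 13:44:50 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Apr 14 13:44:50 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Apr 14 13:44:51 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 14 13:44:51 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Apr 14 13:44:51 07[IKE] local host is behind NAT, sending keep alives
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
Apr 14 13:44:51 07[IKE] sending cert request for "C=US, O=Amazon, CN=Amazon Root CA 1"
Apr 14 13:44:51 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 14 13:44:51 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 14 13:44:51 12[IKE] received AUTHENTICATION_FAILED notify error
"""

# Constructed second sample: a responder that rejects every offered IKE proposal.
NO_PROPOSAL_LOG = """\
Apr 14 13:50:00 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 14 13:50:00 08[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \d+\[[A-Z]{3}\] (.*)$")
EXCHANGE = re.compile(r"(generating|parsed) (\w+) (request|response) \d+ \[ (.*) \]")
PAYLOAD = re.compile(r"[\w-]+(?:\([^)]*\))?")      # keeps CPRQ(ADDR ...) as one token
FATAL = {"NO_PROP", "AUTH_FAILED", "TS_UNACCEPT"}  # strongSwan short notify names
LEGACY = ("SHA1", "MD5", "3DES", "MODP_768", "MODP_1024")


def triage(log_text):
    """Summarise where an IKEv2 initiator log stopped and what was negotiated."""
    r = {"dh_retry": None, "proposal": [], "legacy": [], "behind_nat": False,
         "cert_requests": 0, "initiator_auth": None, "failed_in": None, "error": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        dh = re.search(r"didn't accept DH group (\S+), it requested (\S+)", msg)
        ex = EXCHANGE.search(msg)
        if dh:
            # INVALID_KE_PAYLOAD is recoverable: the initiator retries with the
            # group the responder asked for.
            r["dh_retry"] = (dh.group(1), dh.group(2))
        elif msg.startswith("selected proposal: IKE:"):
            r["proposal"] = msg.split("IKE:", 1)[1].split("/")
            r["legacy"] = [t for t in r["proposal"] if any(k in t for k in LEGACY)]
        elif "behind NAT" in msg:
            r["behind_nat"] = True
        elif msg.startswith("sending cert request for"):
            r["cert_requests"] += 1
        elif ex:
            direction, exchange, kind, body = ex.groups()
            payloads = PAYLOAD.findall(body)
            if (exchange, kind, direction) == ("IKE_AUTH", "request", "generating") \
                    and r["initiator_auth"] is None:
                # IKEv2: an initiator that omits AUTH from its first IKE_AUTH
                # request is asking the responder for EAP authentication.
                r["initiator_auth"] = ("AUTH payload" if "AUTH" in payloads
                                       else "EAP (no AUTH payload)")
            if kind == "response" and direction == "parsed":
                errors = [p[2:-1] for p in payloads
                          if p.startswith("N(") and p[2:-1] in FATAL]
                if errors:
                    r["failed_in"], r["error"] = exchange, errors[0]
    return r


def verdict(r):
    """Map the triage result to the configuration area worth checking first."""
    if r["failed_in"] == "IKE_SA_INIT" and r["error"] == "NO_PROP":
        return "proposal mismatch: align encryption, integrity, PRF and DH group"
    if r["failed_in"] == "IKE_AUTH" and r["error"] == "AUTH_FAILED":
        return "proposal agreed; check identities, credentials and auth method"
    if r["failed_in"]:
        return f"{r['error']} in {r['failed_in']}"
    return "no fatal notify seen"


if __name__ == "__main__":
    for name, log in (("posted log", SAMPLE_LOG), ("constructed log", NO_PROPOSAL_LOG)):
        result = triage(log)
        print(name, "->", verdict(result))
        print("  ", result)
```
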
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
2 weeks ago - last edited a week ago

Hi @Hambert 

Thanks for posting in our business forum.
What's the cellphone config? Do you set the ID on it?

Please mosaic your sensitive information. Here is a list of information considered sensitive:

1. Public IP address on your WAN if your WAN is.

2. Real MAC address of your device.

3. Your personal information including address, domain name, and credentials.

For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Beta firmware got some NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting Manual ★ ☚ (Disclaimer: Short links are used above solely for guidance to TP-Link subdomains and are safe and tracker-free. Exercise caution with short links from non-official members on forums. We are not liable for external content or damage from non-official members' link use.)
#2
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
2 weeks ago

Sure. Here's both the config in the integrated VPN client and the strongSwan app:

#3
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
2 weeks ago

Hi @Hambert 

Thanks for posting in our business forum.

Hambert wrote

Sure. Here's both the config in the integrated VPN client and the strongSwan app:

Can you connect it via your LTE? Not the WIFI.

Are you still connected to your VPN server LAN(WIFI)?

#4
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
2 weeks ago

@Clive_A I sincerely thank you so much for your help.

During testing I tried both using WiFi and cellular. Results are similar.

Yes, the VPN server is at work alongside with the OC200 controller and Omada network. I'm doing all the testing from home, in another location.

If you know more tests I can do or how to obtain more detailed logs please tell me and I'll try it.

Thank you very much again!

Humberto

#5
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)-Solution
2 weeks ago - last edited a week ago

Hi @Hambert 

Thanks for posting in our business forum.

Hambert wrote

@Clive_A I sincerely thank you so much for your help.

During testing I tried both using WiFi and cellular. Results are similar.

Yes, the VPN server is at work alongside with the OC200 controller and Omada network. I'm doing all the testing from home, in another location.

If you know more tests I can do or how to obtain more detailed logs please tell me and I'll try it.

Thank you very much again!

Humberto

Remove the Remote ID in the phase 1 and try again. Let me know the result.

Recommended Solution
#6
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)-Solution
2 weeks ago - last edited a week ago

@Clive_A well, I got it to connect, but something seems very odd.

First of all I tried using IPv6 as my ISP supports it, but I couldn't get the server to respond (maybe IPv6 isn't supported on the VPN server yet?).

I changed Remote ID type on Phase 1 to "IP Address".

- strongSwan won't let me connect without specifying a username, so I leave it as "123" but it still gives AUTH FAILED.

- On the integrated Android client I can leave the "IPSec identifier" field empty, but it would still not connect.

- ONLY if I fill in "123" on the identifier field, IT THEN CONNECTS!

So the ONLY way I got it to connect is setting Remote ID type on Phase 1 to "IP Address" and still filling "123" as identifier on the Android client settings. That doesn't make sense at all.

Something is wrong and needs to be addressed, either by TP-Link or by Google. I can't see people using IKEv2 if the config is this kind of nightmare, even for network engineers.

PS: Windows is still unable to connect.

Thanks!

Recommended Solution
#7
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
2 weeks ago

Hi @Hambert 

Thanks for posting in our business forum.

Hambert wrote

@Clive_A well, I got it to connect, but something seems very odd.

First of all I tried using IPv6 as my ISP supports it, but I couldn't get the server to respond (maybe IPv6 isn't supported on the VPN server yet?).

I changed Remote ID type on Phase 1 to "IP Address".

- strongSwan won't let me connect without specifying a username, so I leave it as "123" but it still gives AUTH FAILED.

- On the integrated Android client I can leave the "IPSec identifier" field empty, but it would still not connect.

- ONLY if I fill in "123" on the identifier field, IT THEN CONNECTS!

So the ONLY way I got it to connect is setting Remote ID type on Phase 1 to "IP Address" and still filling "123" as identifier on the Android client settings. That doesn't make sense at all.

Something is wrong and needs to be addressed, either by TP-Link or by Google. I can't see people using IKEv2 if the config is this kind of nightmare, even for network engineers.

PS: Windows is still unable to connect.

Thanks!

Windows does not work with the IPsec yet. We don't support it.

About the Remote ID, I confirmed that Samsung would be different from the traditional Android system. Remote ID on the router is not needed, which means the IPsec identifier on the Samsung is not needed. Using the IP address would fix it.

Can you try it again after a clean reboot after deleting the current IPsec? Set up the IPsec again and connect the cellphone and check if it can work okay.

#8
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
2 weeks ago

Hi @Hambert 

Is it resolved by the above suggestions?

#9
Re:IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
a week ago

@Clive_A Hello again, as I said in my last message, yes I could finally connect from my phone after changing the remote setting to "IP Address" and still filling something like "123" on the "identifier" field on the phone's config. Sorry if I wasn't clear enough. Thanks a lot for your assistance.

I suggest adding a hint on the guide if this is a Samsung only problem.

#10