@gerba 

Hi,

I'm not an expert on that connection, but as far as I know, if you are configuring that connection, especially when you are connecting from behind NAT (ISP's router, cellular) you should use NAME as a proper setting in Local and Remote ID Type.

The same info is in the instruction you have linked.

On you screenshots I can see that you have IP Address set up for that setting. Have you tried to change that according to the instruction you linked?

Hi!

Yes, I tried that, too.
But the TP-Link support told me to set it to IP Address.

Then also having it set to Name does not work, as there actually is no field 'IPSec Identifier' in the Android 11 VPN settings, nor in the Windows 11 VPN settings.

Any other idea?

  @gerba 

I can see that IPsec ID (that's how NAME Type is called on android) option on my mobile when I'm trying to configure. You have this also on your screenshots - you need to go to Advanced options:

On Android 11 there is no such field in the advanced settings:

  @gerba 

Sorry, I don't have Android 11, only 13.

I'll try to find some Android 12 emulator later and see how the settings looks like there :)

Don't you have any Android phone with newer Operating System?

I tried now again to switch Remote ID Type to Name, entered 123 and on the Android 13 device I entered 123 into IPSec-ID.
No success on trying to establish the VPN connection: 
"Not successful. Not secure."

  @gerba 

Do you have Public IP address without NAT device in front of it on WAN3?

according to the instruction:

2) Since IKEv2 for Android cannot edit Local ID Type, only IP address can be used. So it is required that there must be no NAT device on the front of Omada router, which means the WAN IP address of Omada router must be a public IP address for the client to be able to connect successfully.

  @gerba 

BTW, check you configuration with the instruction again. On your screen I can see that in Phase 1 you are using DH2, and the instruction says to use one of:

• Select sha256-aes256-dh16 / sha256-aes256-dh14 / sha1-aes256-dh14 / sha1-aes256-dh5 as the proposal.

Looks like each phone supports different Proposals so I guess you should test few of those:

"Since each phone supports different proposals, we only list some common proposal combinations here. If the above four combinations cannot be successfully connected"

The internet modem in front of the router on WAN3 does forward everything as it comes to the router.
Therefore I do you have a public IP address. And this works with the other VPN policy as mentioned.
So NAT should not be any matter in my case.

I actually did try all possible combinations of proposals - that was really hard work.
But didn't succeed with any of it.
What else could be the problem?

  @gerba 

I'm not really sure. Sorry :(

Just a question, why do you want to use IPsec since it seems like a big struggle even to connect it for mobile?