How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?

2024-02-08 09:00:40 - last edited 2024-02-18 01:18:58
Model: ER7212PC  
Hardware Version: V1
Firmware Version: 1.1.2 Build 20240102 Rel.50640

Hello!

I followed the instructions here: https://www.tp-link.com/us/support/faq/3447/ (see dark bottom right screenshot in the attachment).

But I could not manage to configure a VPN server in my Omada controller web interface, using IKEv2/IPSec for connecting Android 11+ and Windows 11 client devices to my network.

 

Btw.: I have successfully configured a VPN policy with L2TP/IPSec PSK, which works fine with my Windows 11 device and an Android 11 device.


How can I configure an IKEv2/IPSEC VPN policy in the Omada controller web interface that I can use with these operating systems, which offer the following VPN types:
- Android 11: IKEv2/IPSec MSCHAPv2 | IKEv2/IPSec PSK | IKEv2/IPSec RSA (see dark upper screenshots in the attachment)
- Android 13: IKEv2/IPSec MSCHAPv2 | IKEv2/IPSec PSK | IKEv2/IPSec RSA (see bright middle screenshots in the attachment)
- Windows 11: IKEv2 username and password | IKEv2 smart card | IKEv2 one-time password | IKEv2 certificate (see dark bottom left screenshot in the attachment)

 

Thank you very much for any useful hint!

Kind regards,
Gerald

File: Screenshots.png
1 Accepted Solution
Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?-Solution
2024-02-10 03:57:22 - last edited 2024-02-18 01:18:58

Hi @gerba 

If you can take a second to read the guide.

Best Regards!
22 Reply
Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 10:22:46

  @gerba 

 

Hi,

 

I'm not an expert on that connection, but as far as I know, if you are configuring that connection, especially when you are connecting from behind NAT (ISP's router, cellular) you should use NAME as a proper setting in Local and Remote ID Type.

 

The same info is in the instruction you have linked.

 

On your screenshots I can see that you have IP Address set up for that setting. Have you tried to change that according to the instruction you linked?

 

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 10:42:32

Hi!

Yes, I tried that, too.
But the TP-Link support told me to set it to IP Address.

 

Then also having it set to Name does not work, as there actually is no field 'IPSec Identifier' in the Android 11 VPN settings, nor in the Windows 11 VPN settings.

Any other idea?

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 10:54:51

  @gerba 

 

I can see that IPsec ID (that's what the NAME type is called on Android) option on my mobile when I'm trying to configure. You have this also on your screenshots - you need to go to Advanced options:

 

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 12:00:30

On Android 11 there is no such field in the advanced settings:
Android 11 VPN

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 13:40:55

  @gerba 

Sorry, I don't have Android 11, only 13.

 

I'll try to find some Android 12 emulator later and see what the settings look like there :)

Don't you have any Android phone with a newer operating system?

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 17:27:41

I tried now again to switch Remote ID Type to Name, entered 123 and on the Android 13 device I entered 123 into IPSec-ID.
No success on trying to establish the VPN connection: 
"Not successful. Not secure."

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 17:40:00

  @gerba 

 

Do you have a public IP address without a NAT device in front of it on WAN3?

 

According to the instruction:

2) Since IKEv2 for Android cannot edit Local ID Type, only IP address can be used. So it is required that there must be no NAT device on the front of Omada router, which means the WAN IP address of Omada router must be a public IP address for the client to be able to connect successfully.

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 17:46:06 - last edited 2024-02-08 17:48:11

  @gerba 

 

BTW, check your configuration against the instruction again. On your screen I can see that in Phase 1 you are using DH2, and the instruction says to use one of:

 

  • Select sha256-aes256-dh16 sha256-aes256-dh14 sha1-aes256-dh14 sha1-aes256-dh5 as the proposal.

 

Looks like each phone supports different proposals, so I guess you should test a few of those:

"Since each phone supports different proposals, we only list some common proposal combinations here. If the above four combinations cannot be successfully connected"

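The proposal question raised in the post above can be checked offline before touching the router. The following is an added example, not part of any post in this thread and not TP-Link or Android code: it parses proposal strings in the `hash-cipher-dhN` form quoted from the guide, reports whether a client and the server share one, and flags weak parameters. The client list, the DH2 server entry and the "first client offer the server accepts" selection rule are assumptions made for illustration.

```python
# Added example: offline check of IKEv2 proposal overlap (illustrative only).
import re

# IANA Diffie-Hellman group numbers -> (kind, size in bits)
DH_GROUPS = {1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
             14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
             19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521)}

PROPOSAL_RE = re.compile(
    r"^(md5|sha1|sha256|sha384|sha512)-(3des|aes128|aes192|aes256)-dh(\d+)$")

def parse(proposal):
    """Split 'sha256-aes256-dh14' into (hash, cipher, dh_group)."""
    m = PROPOSAL_RE.match(proposal.strip().lower())
    if not m:
        raise ValueError(f"unrecognised proposal: {proposal!r}")
    return m.group(1), m.group(2), int(m.group(3))

def weaknesses(proposal):
    """Return reasons a proposal falls below common current baselines."""
    integ, cipher, dh = parse(proposal)
    notes = []
    if integ in ("md5", "sha1"):
        notes.append(f"{integ} integrity/PRF")
    if cipher == "3des":
        notes.append("3des cipher")
    kind, bits = DH_GROUPS.get(dh, ("unknown", 0))
    if kind == "MODP" and bits < 2048:
        notes.append(f"dh{dh} is {bits}-bit MODP")
    elif kind == "unknown":
        notes.append(f"dh{dh} not in table")
    return notes

def negotiate(client_offers, server_accepts):
    """Assumed policy: first client offer the server also accepts, else None."""
    accepted = {parse(p) for p in server_accepts}
    for offer in client_offers:
        if parse(offer) in accepted:
            return offer
    return None

# The four proposals quoted from the guide in the post above.
GUIDE = ["sha256-aes256-dh16", "sha256-aes256-dh14",
         "sha1-aes256-dh14", "sha1-aes256-dh5"]
# Constructed for illustration only; not a real device's proposal list.
SAMPLE_CLIENT = ["sha256-aes256-dh14", "sha1-aes256-dh14"]
# Constructed Phase 1 entry using DH2; hash and cipher are assumptions.
DH2_SERVER = ["sha1-aes256-dh2"]

if __name__ == "__main__":
    print("guide list ->", negotiate(SAMPLE_CLIENT, GUIDE))
    print("dh2 only   ->", negotiate(SAMPLE_CLIENT, DH2_SERVER))
    for p in GUIDE + DH2_SERVER:
        print(f"{p:20} {weaknesses(p) or 'ok'}")
```

A `None` result corresponds to the case where the peers have no proposal in common, so the client's real proposal list (taken from its documentation or a packet capture) is what belongs in `SAMPLE_CLIENT`.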
Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 17:57:42

The internet modem in front of the router on WAN3 does forward everything as it comes to the router.
Therefore I do have a public IP address. And this works with the other VPN policy as mentioned.
So NAT should not be any matter in my case.

I actually did try all possible combinations of proposals - that was really hard work.
But didn't succeed with any of it.
What else could be the problem?

Re:How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
2024-02-08 18:01:51

  @gerba 

 

I'm not really sure. Sorry :(

 

Just a question, why do you want to use IPsec since it seems like a big struggle even to connect it for mobile?
