How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
Hello!
I followed the instructions here: https://www.tp-link.com/us/support/faq/3447/ (see dark bottom right screenshot in the attachment).
But I could not manage to configure a VPN server in my Omada controller web interface, using IKEv2/IPSec for connecting Android 11+ and Windows 11 client devices to my network.
Btw.: I have successfully configured a VPN policy with L2TP/IPSec PSK, which works fine with my Windows 11 device and an Android 11 device.
How can I configure an IKEv2/IPSec VPN policy in the Omada controller web interface that I can use with these operating systems, which offer the following VPN types:
- Android 11: IKEv2/IPSec MSCHAPv2 | IKEv2/IPSec PSK | IKEv2/IPSec RSA (see dark upper screenshots in the attachment)
- Android 13: IKEv2/IPSec MSCHAPv2 | IKEv2/IPSec PSK | IKEv2/IPSec RSA (see bright middle screenshots in the attachment)
- Windows 11: IKEv2 username and password | IKEv2 smart card | IKEv2 one-time password | IKEv2 certificate (see dark bottom left screenshot in the attachment)
Thank you very much for any useful hint!
Kind regards,
Gerald
Hi @gerba
If you can take a second to read the guide.
Hi,
I'm not an expert on that connection, but as far as I know, if you are configuring that connection, especially when you are connecting from behind NAT (ISP's router, cellular) you should use NAME as a proper setting in Local and Remote ID Type.
The same info is in the instruction you have linked.
On your screenshots I can see that you have IP Address set up for that setting. Have you tried to change that according to the instruction you linked?
Hi!
Yes, I tried that, too.
But the TP-Link support told me to set it to IP Address.
Then also having it set to Name does not work, as there actually is no field 'IPSec Identifier' in the Android 11 VPN settings, nor in the Windows 11 VPN settings.
Any other idea?
I can see that IPsec ID (that's what the NAME type is called on Android) option on my mobile when I'm trying to configure. You also have this on your screenshots - you need to go to Advanced options:
On Android 11 there is no such field in the advanced settings:
Sorry, I don't have Android 11, only 13.
I'll try to find some Android 12 emulator later and see what the settings look like there :)
Don't you have any Android phone with a newer operating system?
I tried now again to switch Remote ID Type to Name, entered 123 and on the Android 13 device I entered 123 into IPSec-ID.
No success on trying to establish the VPN connection:
"Not successful. Not secure."
Do you have a public IP address without a NAT device in front of it on WAN3?
According to the instruction:
2) Since IKEv2 for Android cannot edit Local ID Type, only IP address can be used. So it is required that there must be no NAT device on the front of Omada router, which means the WAN IP address of Omada router must be a public IP address for the client to be able to connect successfully.
BTW, check your configuration against the instruction again. On your screen I can see that in Phase 1 you are using DH2, and the instruction says to use one of:
- Select sha256-aes256-dh16 / sha256-aes256-dh14 / sha1-aes256-dh14 / sha1-aes256-dh5 as the proposal.
Looks like each phone supports different proposals, so I guess you should test a few of those:
"Since each phone supports different proposals, we only list some common proposal combinations here. If the above four combinations cannot be successfully connected"
The internet modem in front of the router on WAN3 does forward everything as it comes to the router.
Therefore I do have a public IP address. And this works with the other VPN policy as mentioned.
So NAT should not be any matter in my case.
I actually did try all possible combinations of proposals - that was really hard work.
But didn't succeed with any of it.
What else could be the problem?
I'm not really sure. Sorry :(
Just a question, why do you want to use IPsec since it seems like a big struggle even to connect it for mobile?