How to configure VPN via IKEv2/IPSec for Android 11+ and Windows 11 client devices?
Hello!
I followed the instructions here: https://www.tp-link.com/us/support/faq/3447/ (see dark bottom right screenshot in the attachment).
But I could not achieve to configure a VPN server in my Omada controller web interface, using IKEv2/IPSec for connecting Android 11+ and Windows 11 client devices to my network.
Btw.: I have successfully configured a VPN policy with L2TP/IPSec PSK, which works fine with my Windows 11 device and an Android 11 device.
How can I configure an IKEv2/IPSEC VPN policy in the Omada controller web interface, that I can use with these operating systems that offer following VPN types:
- Android 11: IKEv2/IPSsec MSCHAPv2 | IKEv2/IPSsec PSK | IKEv2/IPSsec RSA (see dark upper screenshots in the attachment)
- Android 13: IKEv2/IPSsec MSCHAPv2 | IKEv2/IPSsec PSK | IKEv2/IPSsec RSA (see bright middle screenshots in the attachment)
- Windows 11: IKEv2 username and password | IKEv2 smart card | IKEv2 one-time password | IKEv2 certificate (see dark bottom left screenshot in the attachment)
Thank you very much for any useful hint!
Kind regards,
Gerald
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @gerba
If you can take a second to read the guide.
- Copy Link
- Report Inappropriate Content
Thank you for that link.
If I'm not mistaken, this guide is similar to the guide I linked to in my initial post.
At least I did not find anything additional to try in comparison with the guide I already followed.
Any more ideas?
- Copy Link
- Report Inappropriate Content
gerba wrote
Thank you for that link.
If I'm not mistaken, this guide is similar to the guide I linked to in my initial post.
At least I did not find anything additional to try in comparison with the guide I already followed.
Any more ideas?
Did you read all the steps and notes?
If so, contact the support and see if the support can check the parameters and settings for you.
Or you post your config here and mosaic your sensitive information like IP address but leave it still readable for identifying the IP class.
- Copy Link
- Report Inappropriate Content
Hi!
I already contacted TP-Link support. After checking my VPN policy once, first level support promised to forward my issue to the next support level. This was at the beginning of January. Unfortunately I did not get any further feedback from them, yet.
What do you mean with "your config"? Do you mean the screen shots in my initial post?
- Copy Link
- Report Inappropriate Content
Hi @gerba
Thanks for posting in our business forum.
gerba wrote
Hi!
I already contacted TP-Link support. After checking my VPN policy once, first level support promised to forward my issue to the next support level. This was at the beginning of January. Unfortunately I did not get any further feedback from them, yet.
What do you mean with "your config"? Do you mean the screen shots in my initial post?
If you can take a second to read the whole guide earlier from me.
- Copy Link
- Report Inappropriate Content
I did already, and now I did again (see attached screenshot).
Btw.:
In my initial post I was writing not only about Android 13+ devices, but also about Android 11+ and Windows 11 devices.
i. e. in Android 11 there is even no field to enter the 'IPSec-ID' or 'Remote ID' at all - just 'Name' and 'Password' fields are available with 'IKEv2/IPSec PSK' type; also in Windows 11 I cannot enter 'IPSec-ID' or 'Remote ID'.
And as I already mentioned, I also read and tried the guide 'How to connect to Omada Router using IKEv2 VPN of Android/iOS'.
What can I do more, than trying everything written in the guide(s)?
- Copy Link
- Report Inappropriate Content
Hi @gerba
Thanks for posting in our business forum.
gerba wrote
I did already, and now I did again (see attached screenshot).
Btw.:
In my initial post I was writing not only about Android 13+ devices, but also about Android 11+ and Windows 11 devices.
i. e. in Android 11 there is even no field to enter the 'IPSec-ID' or 'Remote ID' at all - just 'Name' and 'Password' fields are available with 'IKEv2/IPSec PSK' type; also in Windows 11 I cannot enter 'IPSec-ID' or 'Remote ID'.And as I already mentioned, I also read and tried the guide 'How to connect to Omada Router using IKEv2 VPN of Android/iOS'.
What can I do more, than trying everything written in the guide(s)?
If you are on Android 11, which I don't have any Android 11 devices, does it still keep the L2TP? Then use the L2TP.
L2TP over IPsec, it is basically the same and with easier config. (Search L2TP Omada on the official website and you can find the guide.)
The whole question from the beginning should not be on IPsec. IPsec was recommended because 13 or above removed L2TP. You asked how to do it with IPsec, that's how you set it up with IPsec. Remote ID is required.
And, if you have read what I sent to you, you should see that Remote ID is needed. IPsec server is also not supposed to be placed behind a NAT.
- Copy Link
- Report Inappropriate Content
Hello!
Thank you, too, for participating in this thread.
I appreciate every constuctive comment.
And I can only repeat, what I already wrote:
I tried everything, you recommended and what is written in the guides you shared with me.
Maybe you did not not notice that.
And maybe you also did not notice, that I explained, that actually neither in Android 11 nor in Windows 11 there is a field to enter the Remote ID.
And even the Android 13 device with the configuration using the Remote ID cannot connect to the VPN server.
But anyway - If I understood you right, it is not possible to establish a VPN connection via IKEv2/IPSec PSK with Android 11+ and Windows 11+ client devices, right?
And concerning your comment about IPSec server behind NAT devices:
Physically my ER7212PC is "behind" the internet router of the ISP. But on that internet router DMZ is configured - so it is forwarding everything to and from the ER7212PC, no NAT is happening there. I have been successfully using this VPN configuration via IPSec/L2TP PSK with my ER6120 and my Android 11 and Windows 10/11 devices for years.
But as newer Android versions stopped supporting L2TP, I had to move forward to a more "state-of-the-art" VPN protocol, which is supported by native Android 11+ and Windows 11+ VPN functionality. And I thought the ER7212PC would be a good choice for that.
If IPSec is the wrong choice for that, which secure VPN type do you recommend, which I can configure on the mentioned operating systems?
Kind regards,
Gerald
- Copy Link
- Report Inappropriate Content
Hi @gerba
Thanks for posting in our business forum.
gerba wrote
Hello!
Thank you, too, for participating in this thread.
I appreciate every constuctive comment.
And I can only repeat, what I already wrote:
I tried everything, you recommended and what is written in the guides you shared with me.Maybe you did not not notice that.
And maybe you also did not notice, that I explained, that actually neither in Android 11 nor in Windows 11 there is a field to enter the Remote ID.
And even the Android 13 device with the configuration using the Remote ID cannot connect to the VPN server.
But anyway - If I understood you right, it is not possible to establish a VPN connection via IKEv2/IPSec PSK with Android 11+ and Windows 11+ client devices, right?
And concerning your comment about IPSec server behind NAT devices:
Physically my ER7212PC is "behind" the internet router of the ISP. But on that internet router DMZ is configured - so it is forwarding everything to and from the ER7212PC, no NAT is happening there. I have been successfully using this VPN configuration via IPSec/L2TP PSK with my ER6120 and my Android 11 and Windows 10/11 devices for years.
But as newer Android versions stopped supporting L2TP, I had to move forward to a more "state-of-the-art" VPN protocol, which is supported by native Android 11+ and Windows 11+ VPN functionality. And I thought the ER7212PC would be a good choice for that.
If IPSec is the wrong choice for that, which secure VPN type do you recommend, which I can configure on the mentioned operating systems?
Kind regards,
Gerald
In your config in the OP, you did not set up a Remote ID. I don't know too much about Windows or Android 11.
As far as I can see, at the very beginning of the setup on Windows 10, there is no option to fill in the Remote ID. Maybe later in the Properties, you may. I did not look into this as it is not my job.
In the docs, I am told that Android lacks of Remote ID option and that is the reason why you cannot make a connection.
In addition, I have iterated that you do not put it behind a NAT even if you have port forward or DMZ. Same concept and the same thing. I have iterated this and I will not further explain on this matter. This will be my last reply on it as it is behind a NAT and there is a possibility of experiencing an issue because of this.
This is the whole point I am asking for your screenshots. It was indeed put behind a NAT.
When both were happening, with no Remote ID and behind a NAT, you would not be able to make a connection because the peer is using the IP address to look for a connection instead of the "remote ID" the other peer has.
This is what it looks like when Remote ID is missing and it is using IP to look for the other device. And it is behind a NAT even if it is an open port.
WG is using a single port. Both OVPN and WG can be an option when hosting behind a NAT, unlike the IPsec.
- Copy Link
- Report Inappropriate Content
Hi!
What do you mean with 'WG'? Wireguard?
I have to avoid any third party VPN solution.
What I need to know is, how I can establish VPN connection with built-in VPN functionalities of Android 11+ and Windows 11+.
This is what TP-Link product support promised me to work, before I replaced my previous VPN router (ER6120) and my whole other network periphery.
Little update:
I reset the ER7212PC now.
Before that neither the L2TP nor the IKev2 connection worked anymore.
Now I configured only the L2TP VPN server and my Android 11 device quickly connects via VPN again.
So obviously no problem with my setting (ER7212PC "behind" internet router having DMZ configured).
I have this suspicion:
It seems not to be possible to configure more than one VPN policy.
If you do so, none is working - even if you have enabled just one of them.
Can that be true?
If yes, what sense does it make to be able to configure several VPN policies?
Kind regards,
Gerald
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3498
Replies: 22
Voters 0
No one has voted for it yet.