IKEv2 VPN not working on Android 14 to ER605v2 (Galaxy S24 Ultra)
Hello all!
I have an ER605v2 running alongside an OC200 controller. I've previously tried to setup an IKEv2 VPN server to access my network from the internet using a flagship android device before I got the OC200, and if I remember correctly I had success.
After getting the OC200, and now using a Galaxy S24 Ultra, I cannot get the server to work. Things to consider:
- ER605 is NOT double NATted, the modem from the ISP is configured in Bridged Mode and the router has it's own public IP address.
- I've tried many, many proposal settings and I don't think that's the problem
Using the app "strongSwan" to connect, I get the following LOG:
[edited to remove info]
Any idea what can be causing the problem?
Couldn't get a Windows computer to connect either, no matter what proposals I select.
Thanks!
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @Hambert
Thanks for posting in our business forum.
Hambert wrote
@Clive_A I sincerely thank you so much for your help.
During testing I tried both using WiFi and cellular. Results are similar.
Yes, the VPN server is at work alongside with the OC200 controller and Omada network. I'm doing all the testing from home, in another location.
If you know more tests I can do or how to obtain more detailed logs please tell me and I'll try it.
Thank you very much again!
Humberto
Remove the Remote ID in the phase 1 and try again. Let me know the result.
- Copy Link
- Report Inappropriate Content
@Clive_A well, I got it to connect, but something seems very odd.
First of all I tried using IPv6 as my ISP supports it, but I couldn't get the server to respond (maybe IPv6 isn't supported on the VPN server yet?).
I changed Remote ID type on Phase 1 to "IP Adress".
- strongSwan won't let me connect without specifying an username, so I leave it as "123" but it still gives AUTH FAILED.
- On the integrated Android client I can leave the "IPSec identifier" field empty, but it would still not connect.
- ONLY if I fill in "123" on the identifier field, IT THEN CONNECTS!
So the ONLY way I got it to connect is setting Remote ID type on Phase 1 to "IP Adress" and still filling "123" as identifier on the Android client settings. That doesn't make sense at all.
Something is wrong and needs to be addressed, either by TP-Link or by Google. I can't see people using IKEv2 if the config is this kind of nightmare, even for network engineers.
PD: Windows is still unable to connect.
Thanks!
- Copy Link
- Report Inappropriate Content
Hi @Hambert
Thanks for posting in our business forum.
What's the cellphone config? Do you set the ID on it?
Please mosaic your sensitive information. Here is a list of information considered sensitive:
1. Public IP address on your WAN if your WAN is.
2. Real MAC address of your device.
3. Your personal information including address, domain name, and credentials.
For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.
- Copy Link
- Report Inappropriate Content
Sure. Here's both the config in the integrated VPN client and the strongSwan app:
[edited to remove info]
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
@Clive_A I sincerely thank you so much for your help.
During testing I tried both using WiFi and cellular. Results are similar.
Yes, the VPN server is at work alongside with the OC200 controller and Omada network. I'm doing all the testing from home, in another location.
If you know more tests I can do or how to obtain more detailed logs please tell me and I'll try it.
Thank you very much again!
Humberto
- Copy Link
- Report Inappropriate Content
Hi @Hambert
Thanks for posting in our business forum.
Hambert wrote
@Clive_A I sincerely thank you so much for your help.
During testing I tried both using WiFi and cellular. Results are similar.
Yes, the VPN server is at work alongside with the OC200 controller and Omada network. I'm doing all the testing from home, in another location.
If you know more tests I can do or how to obtain more detailed logs please tell me and I'll try it.
Thank you very much again!
Humberto
Remove the Remote ID in the phase 1 and try again. Let me know the result.
- Copy Link
- Report Inappropriate Content
@Clive_A well, I got it to connect, but something seems very odd.
First of all I tried using IPv6 as my ISP supports it, but I couldn't get the server to respond (maybe IPv6 isn't supported on the VPN server yet?).
I changed Remote ID type on Phase 1 to "IP Adress".
- strongSwan won't let me connect without specifying an username, so I leave it as "123" but it still gives AUTH FAILED.
- On the integrated Android client I can leave the "IPSec identifier" field empty, but it would still not connect.
- ONLY if I fill in "123" on the identifier field, IT THEN CONNECTS!
So the ONLY way I got it to connect is setting Remote ID type on Phase 1 to "IP Adress" and still filling "123" as identifier on the Android client settings. That doesn't make sense at all.
Something is wrong and needs to be addressed, either by TP-Link or by Google. I can't see people using IKEv2 if the config is this kind of nightmare, even for network engineers.
PD: Windows is still unable to connect.
Thanks!
- Copy Link
- Report Inappropriate Content
Hi @Hambert
Thanks for posting in our business forum.
Hambert wrote
@Clive_A well, I got it to connect, but something seems very odd.
First of all I tried using IPv6 as my ISP supports it, but I couldn't get the server to respond (maybe IPv6 isn't supported on the VPN server yet?).
I changed Remote ID type on Phase 1 to "IP Adress".
- strongSwan won't let me connect without specifying an username, so I leave it as "123" but it still gives AUTH FAILED.
- On the integrated Android client I can leave the "IPSec identifier" field empty, but it would still not connect.
- ONLY if I fill in "123" on the identifier field, IT THEN CONNECTS!
So the ONLY way I got it to connect is setting Remote ID type on Phase 1 to "IP Adress" and still filling "123" as identifier on the Android client settings. That doesn't make sense at all.
Something is wrong and needs to be addressed, either by TP-Link or by Google. I can't see people using IKEv2 if the config is this kind of nightmare, even for network engineers.
PD: Windows is still unable to connect.
Thanks!
Windows does not work with the IPsec yet. We don't support it.
About the Remote ID, I confirmed that Samsung would be different from the traditional Android system. Remote ID on the router is not needed which means the IPsec identifier on the Samsung is not needed. Use the IP address would fix it.
Can you try it again after a clean reboot after deleting the current IPsec? Set up the IPsec again and connect the cellphone and check if it can work okay.
- Copy Link
- Report Inappropriate Content
Hi @Hambert
Is it resolved by the above suggestions?
- Copy Link
- Report Inappropriate Content
@Clive_A hello again, as I said in my last message, yes I could finally connect from my phone after changing the remote setting to "IP Adress" and still filling something like "123" on the "identifier" field on the phone's config. Sorry if I wasn't clear enough. Thanks a lot for your assistance.
I suggest adding a hint on the guide if this is a Samsung only problem.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 2486
Replies: 9
Voters 0
No one has voted for it yet.