L2TP/IPSEC and Android Disconnect after ~83 seconds

I am attempting to connect my LG Android 9 phone to a 2011UiAS running 6.44.3. My final goal is to set up the Always Connected setting, which only works with IPSEC.

I can connect with L2TP/IPSEC, but it disconnects on the Router side after about 30 seconds. The Phone still thinks it is connected, but the Router shows it is disconnected.

Here is what I have tried (with no success):

  1. disabling DPD
  2. PPTP works just fine
  3. changing the profile to default (from default-encryption)
  4. If I connect from my Windows 10 machine, it does not have an issue
  5. changed the keepalive timeout setting in the L2TP Server

Reviewing IP → IPSEC → Policies, I notice this difference between the Android and the Windows connections:
Android does not have a Dest Port; the PH2 State is established and PH Count is 1.
Windows does have a Dest Port of 1701; the PH2 State is ready to send and PH Count is 2.

You can see the logs below (public IP address removed):
jul/01 23:03:57 ipsec,info purging ISAKMP-SA A.B.C.D[500]<=>192.168.15.45[500] spi=0eacc81d1cbf41e4:8e63f669cd75638a.
jul/01 23:03:57 ipsec,info ISAKMP-SA deleted A.B.C.D[500]-192.168.15.45[500] spi:0eacc81d1cbf41e4:8e63f669cd75638a rekey:1
jul/01 23:03:57 ipsec,info respond new phase 1 (Identity Protection): A.B.C.D[500]<=>192.168.15.45[500]
jul/01 23:03:58 ipsec,info ISAKMP-SA established A.B.C.D[500]-192.168.15.45[500] spi:cd79d8e1c6c27b42:55f9ad45c3efc1ac
jul/01 23:03:59 l2tp,info first L2TP UDP packet received from 192.168.15.45
jul/01 23:04:00 l2tp,ppp,info,account ksaye logged in, 192.168.89.234
jul/01 23:04:00 l2tp,ppp,info : authenticated
jul/01 23:04:00 interface,info detect UNKNOWN
jul/01 23:04:00 l2tp,ppp,info : connected
jul/01 23:04:06 interface,info detect WAN
jul/01 23:05:23 l2tp,ppp,info : terminating… - hungup
jul/01 23:05:23 l2tp,ppp,info,account ksaye logged out, 84 23364 49790 68 329
jul/01 23:05:23 l2tp,ppp,info : disconnected

Trying to stay with the native Android client, what am I missing, or has anyone seen and solved this?

You’ll have to set ipsec logging and ppp logging to debug:
/system logging
add topics=ipsec,!packet
add topics=l2tp
and try again; the log will show you more details. Use /log print follow-only file=android-startup where topics~"ipsec|l2tp" to save the relevant log items into a file, as hundreds of lines will be generated for a single attempt.

Thank you for the reply. I have done what you asked. I do see where the router is sending a HELLO and the Android phone seems to not be responding, as shown below:

13:31:26 l2tp,debug,packet sent control message to %PhoneIPAddress%:55721 from %RouterWANIPAddress%:1701
13:31:26 l2tp,debug,packet tunnel-id=45592, session-id=0, ns=2, nr=4
13:31:26 l2tp,debug,packet (M) Message-Type=HELLO
13:31:34 l2tp,debug tunnel 56 received no replies, disconnecting
13:31:34 l2tp,debug tunnel 56 entering state: dead
13:31:34 l2tp,debug session 1 entering state: dead

The full log is here: https://1drv.ms/t/s!As1Irph5sA_-rrdXQGFXwuhv3bJvFg

Any suggestions on how to address this?

Kevin

I agree with your analysis: everything comes up successfully and then the Android doesn’t respond to the very first L2TP HELLO, except that before and after the HELLO messages there are also IPsec keepalive (KA) messages (once every 20 s) which also remain unanswered.

There is a surprising item in the log,
13:30:17 interface,info detect WAN.
It is probably not related, but it has induced a dark suspicion in my head - could it be that you have misunderstood the role of the routes parameter of /ppp secret and set it to 0.0.0.0/0 for user ksaye? The thing is that the purpose of this route list is not to be pushed to the client but to be added locally when the client connection comes up, so by overriding the existing default gateway by a new one through the tunnel, the IPsec transport packets start looping through the tunnel and never reach the internet.

The only remaining explanations are

  • some very impatient firewall between the phone and your 'Tik, which closes the UDP pinhole for the IPsec tunnel sooner than 20 seconds after the last packet seen,
  • a bug in that version of Android.

Hi, I have the exact same problem: after ~83 secs the connection terminates in the same way as the OP said.
An Apple/iOS device stays connected (same VPN secret).

I have found that using the LG VPN Client, which came with my phone, it stays connected longer. Clearly it is a bug/feature/limitation in the native VPN client.

Did a bit of testing today:

Win10: stays connected
Win7: stays connected
iOS 12: stays connected
Android 6: stays connected
Android 9: terminates after about 83 seconds…

Also Android 10 on Samsung Galaxy S9+
Prior to the recent Android 10 upgrade from Android 9, it was definitely working for me without problems.

Has anyone found out any solution?

I’m afraid the most efficient way out is to install strongSwan on these Android phones. Sniffing on the WiFi AP to which the phone is connected might reveal something useful, but the chances aren’t big. I can’t do that due to the lack of Android 9 or 10 phones within my reach.

Huawei with Android 9
RouterOS 6.45.8
L2TP/IPSec stays connected.

Xiaomi MI8 Android 9 to 2011UiAS 6.46.4: terminates after about 83 seconds…

14:55:29 ipsec,info respond new phase 1 (Identity Protection): 79.xxx.xx.xxx[500]<=>31.xxx.xx.xx[20506]
14:55:29 ipsec,info ISAKMP-SA established 79.xxx.xx.xxx[4500]-31.xxx.xx.xx[17402] spi:9e852f0917fd9078:08c71eb54e4a23a0
14:55:31 l2tp,info first L2TP UDP packet received from 31.xxx.xx.xx
14:55:31 l2tp,ppp,info,account vpn_user1 logged in, 192.168.74.103
14:55:31 l2tp,ppp,info l2tp-client1: authenticated
14:55:31 l2tp,ppp,info l2tp-client1: connected
14:56:55 l2tp,ppp,info l2tp-client1: terminating… - hungup
14:56:55 l2tp,ppp,info,account vpn_user1 logged out, 84 367426 1812360 2299 2302
14:56:55 l2tp,ppp,info l2tp-client1: disconnected

14:58:08 ipsec,info purging ISAKMP-SA 79.xxx.xx.xxx[4500]<=>31.xxx.xx.xx[17402] spi=9e852f0917fd9078:08c71eb54e4a23a0.
14:58:08 ipsec,info ISAKMP-SA deleted 79.xxx.xx.xxx[4500]-31.xxx.xx.xx[17402] spi:9e852f0917fd9078:08c71eb54e4a23a0 rekey:1
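To make the timing pattern in these logs checkable rather than eyeballed, here is an added Python helper (not from this thread or from MikroTik) that parses RouterOS log lines like the ones posted above, correlates the L2TP "connected"/"disconnected" pair with the debug-level "received no replies" line, and flags the roughly 80-second HELLO-timeout signature. The sample lines are constructed from the excerpts in this thread; the 60–120 s window is an assumption chosen to match the ~83 s reported here.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the info- and debug-level excerpts in this thread.
SAMPLE_LOG = """\
14:55:29 ipsec,info ISAKMP-SA established 79.xxx.xx.xxx[4500]-31.xxx.xx.xx[17402] spi:9e852f0917fd9078:08c71eb54e4a23a0
14:55:31 l2tp,ppp,info l2tp-client1: connected
14:56:47 l2tp,debug,packet (M) Message-Type=HELLO
14:56:55 l2tp,debug tunnel 56 received no replies, disconnecting
14:56:55 l2tp,ppp,info l2tp-client1: terminating... - hungup
14:56:55 l2tp,ppp,info l2tp-client1: disconnected
"""

# Optional "jul/01 " date prefix, HH:MM:SS, comma-separated topics, free-text message.
LINE_RE = re.compile(r"^(?:[a-z]{3}/\d{2} )?(\d{2}:\d{2}:\d{2}) ([\w,!]+) (.*)$")

def parse_line(line):
    """Return (seconds since midnight, set of topics, message) or None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = datetime.strptime(m.group(1), "%H:%M:%S")
    return t.hour * 3600 + t.minute * 60 + t.second, set(m.group(2).split(",")), m.group(3)

def analyze_session(log_text):
    """Correlate the L2TP session lifetime with the HELLO / no-reply debug lines."""
    connected = disconnected = None
    hello_sent = no_reply = False
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None or "l2tp" not in parsed[1]:
            continue
        secs, _topics, msg = parsed
        if msg.endswith(": connected") and connected is None:
            connected = secs                    # first PPP "connected" marks session start
        elif msg.endswith(": disconnected"):
            disconnected = secs
        elif "Message-Type=HELLO" in msg:
            hello_sent = True                   # the router's L2TP keepalive went out
        elif "received no replies" in msg:
            no_reply = True                     # the client never acknowledged it
    duration = None
    if connected is not None and disconnected is not None:
        duration = (disconnected - connected) % 86400   # tolerate a midnight wrap
    if no_reply and duration is not None and 60 <= duration <= 120:   # assumed window
        verdict = "client stopped answering L2TP HELLO (the Android symptom in this thread)"
    elif duration is None:
        verdict = "no complete L2TP session found"
    else:
        verdict = "session ended for another reason"
    return {"duration_s": duration, "hello_sent": hello_sent,
            "no_reply": no_reply, "verdict": verdict}
```

Feed it the file written by the /log print follow-only command suggested earlier in the thread; the debug-level lines only appear once the ipsec and l2tp logging topics are enabled.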

From what I understand this is an Android bug and it’s not specific to MikroTik.
So I don’t see this one getting fixed any time soon (even if it’s fixed, it will probably never make it to each vendor’s updates).

For the time being I switched to WireGuard, and so far I am very happy with it. I’ll probably stick with it for “road warrior” VPNs.

The newest Android I could find was a 9 on an Xperia, works normally via mobile data (PSK authentication).

Wow! Talk about bad prediction!
Just today I got an update from Samsung! And while it didn’t mention anything in the changelog, it appears that they included a fix for L2TP/IPSec.

So far it has been connected for over 10 minutes with not a single packet lost.

Still, I’ll keep using Wireguard for the time being.
It handles network switching (WiFi/LTE) much more gracefully (I even managed to switch from WiFi to LTE and not lose a single ping).

I have the same problem.

Android 10 disconnects after around ~80 seconds
Old iPhone 5 SE remains connected.

This seems way too serious for IPSec+L2TP to be fully broken on Android.
Nothing we can do at our end? What I noticed is that the IPSec session remains up, and the L2TP session disconnects.
(IPSec > Active Peers vs PPP > Active Connections).

I had a similar problem, and it was the DHCP offer, when the IP address expired.

Hello,

Same problem here: tested from a Xiaomi 9 Lite with MIUI 10.3.4 and from a Xiaomi Redmi 6A with 11.0.8, disconnection after approximately 1 min 20 sec.