JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

L2TP/IPSec Android Cannot Connect

Tue Oct 15, 2019 11:44 pm

I have an L2TP/IPSec VPN setup on RB3011UiAS with a Windows RADIUS server. I can connect from anywhere to this system as long as I am on a Windows machine, no problem. But for whatever reason I cannot make this work from an Android device.

Android Settings:
L2TP/IPSec PSK
Server Address: *Set-To-My-FQDN*
L2TP Secret: Blank
IPSec identifier: Blank
IPSec pre-shared key: *Set-To-My-PreSharedKey*
Username: domain\jreich_vpn
Password: **********

Routing Settings:

[38636@ReichHub] > /ip ipsec export hide-sensitive
# oct/15/2019 13:43:58 by RouterOS 6.44.5
# software id = 1SBQ-KUIK
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A24B654
/ip ipsec peer
add name=peer1 passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-maximum-failures=2 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip ipsec identity
add generate-policy=port-override peer=peer1 remote-id=ignore
[38636@ReichHub] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder 
 0   R name="peer1" passive=yes profile=default exchange-mode=main send-initial-contact=yes 
[38636@ReichHub] > /interface l2tp-server export hide-sensitive
# oct/15/2019 13:44:12 by RouterOS 6.44.5
# software id = 1SBQ-KUIK
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A24B654
/interface l2tp-server
add name=reichnet-3978 user=3978
add name=reichnet-8794 user=8794
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN-L2TP enabled=yes keepalive-timeout=disabled max-mtu=1500
[38636@ReichHub] > 
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP/IPSec Android Cannot Connect

Tue Oct 15, 2019 11:47 pm

The log always helps..!
What does the log of MikroTik say when you try to connect from your android device?
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: L2TP/IPSec Android Cannot Connect

Wed Oct 16, 2019 12:28 am

I do not appear to be getting anything useful in the logging. I am capturing IPSEC/L2TP data and I do not see anything.

I have plenty of data of both kinds coming into the logs from the sites that are already connected to the box. But I don't see any calls from the public IP address of the phone itself.

Any other way I should be capturing this logging?

Edit: I lied. My router is showing my cell phone connecting to the network via an IP address that is not my IPv4 showing on the phone? Looking to see if I have logs relevant to that IP.

Additional: I found a log that appears to be a connection off of the phone (Phone IP is showing as 166. when the WhatIsMyIP shows it as 107.)
PHONE IP:21622->10.0.0.28:8082, NAT PHONE IP:21622->(HOME IP:8082->10.0.0.28:8082), len 40

So I do appear to have connectivity. But I still cannot find any L2TP and IPSEC based logs for any of those addresses.
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP/IPSec Android Cannot Connect

Wed Oct 16, 2019 12:50 am

Maybe you have double-NAT between your phone and router?
Also, Android does not like some of the more "advanced" settings of IPsec profile...
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: L2TP/IPSec Android Cannot Connect

Wed Oct 16, 2019 1:00 am

On the phone I get the following:

Public IPv6: 2600:387:*:*
IPv4 IP: 107.77.*.*
Local IP: 10.227.*.*

IP address coming into the home router is from 166.*.*.*

I am not connected to anything else that I am aware of on the device that should cause that. The phone is connected through an MDM but that is through the same home hub. No other special configurations should exist.

Any idea what "advanced" options I should think about excluding/altering?
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP/IPSec Android Cannot Connect

Wed Oct 16, 2019 2:36 pm

Sorry, I do not know which options do and do not work with current versions of Android, but in my case I got it working when resetting the IPsec profile entirely to defaults, and it stopped working when e.g. enabling sha256 in phase1.
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: L2TP/IPSec Android Cannot Connect

Wed Oct 16, 2019 6:56 pm

Finally been able to get some error logging on the mobile phone connection attempt ...
08:53:12 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
08:53:12 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800 
08:53:12 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC 
08:53:12 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
08:53:12 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=4 
08:53:12 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#14) = AES-CBC:DES-CBC 
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#14) = SHA:4 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#14) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#2):Peer(prop#1:trns#14) = AES-CBC:DES-CBC 
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#2):Peer(prop#1:trns#14) = SHA:4 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#2):Peer(prop#1:trns#14) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#3):Peer(prop#1:trns#14) = 3DES-CBC:DES-CBC 
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#3):Peer(prop#1:trns#14) = SHA:4 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#3):Peer(prop#1:trns#14) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
08:53:12 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800 
08:53:12 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC 
08:53:12 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
08:53:12 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA 
08:53:12 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = AES-CBC:DES-CBC 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#15) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#2):Peer(prop#1:trns#15) = AES-CBC:DES-CBC 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#2):Peer(prop#1:trns#15) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#3):Peer(prop#1:trns#15) = 3DES-CBC:DES-CBC 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#3):Peer(prop#1:trns#15) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds 
08:53:12 ipsec,debug type=Life Duration, flag=0x8000, lorv=28800 
08:53:12 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=DES-CBC 
08:53:12 ipsec,debug type=Authentication Method, flag=0x8000, lorv=pre-shared key 
08:53:12 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=MD5 
08:53:12 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#16) = AES-CBC:DES-CBC 
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#16) = SHA:MD5 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#16) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#2):Peer(prop#1:trns#16) = AES-CBC:DES-CBC 
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#2):Peer(prop#1:trns#16) = SHA:MD5 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#2):Peer(prop#1:trns#16) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec rejected enctype: DB(prop#1:trns#3):Peer(prop#1:trns#16) = 3DES-CBC:DES-CBC 
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#3):Peer(prop#1:trns#16) = SHA:MD5 
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#3):Peer(prop#1:trns#16) = 2048-bit MODP group:1024-bit MODP group 
08:53:12 ipsec,error no suitable proposal found. 
08:53:12 ipsec,error DEVICE-IP-ADDRESS failed to get valid proposal. 
08:53:12 ipsec,error DEVICE-IP-ADDRESS failed to pre-process ph1 packet (side: 1, status 1). 
08:53:12 ipsec,error DEVICE-IP-ADDRESS phase1 negotiation failed. 
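A small parser for the "ipsec rejected" lines quoted above, added here as an example that is not part of the thread or of RouterOS. It reads the log format the post shows and reports, per client (Peer) transform, which phase 1 attributes none of the router's (DB) transforms could match; the input is a constructed subset of the posted lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the RouterOS log lines quoted in the post above.
SAMPLE_LOG = """\
08:53:12 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#14) = AES-CBC:DES-CBC
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#14) = SHA:4
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#14) = 2048-bit MODP group:1024-bit MODP group
08:53:12 ipsec rejected enctype: DB(prop#1:trns#3):Peer(prop#1:trns#14) = 3DES-CBC:DES-CBC
08:53:12 ipsec rejected hashtype: DB(prop#1:trns#3):Peer(prop#1:trns#14) = SHA:4
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#3):Peer(prop#1:trns#14) = 2048-bit MODP group:1024-bit MODP group
08:53:12 ipsec rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#15) = AES-CBC:DES-CBC
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#15) = 2048-bit MODP group:1024-bit MODP group
08:53:12 ipsec rejected enctype: DB(prop#1:trns#3):Peer(prop#1:trns#15) = 3DES-CBC:DES-CBC
08:53:12 ipsec rejected dh_group: DB(prop#1:trns#3):Peer(prop#1:trns#15) = 2048-bit MODP group:1024-bit MODP group
08:53:12 ipsec,error no suitable proposal found.
"""

# Shape: "rejected <attr>: DB(prop#a:trns#b):Peer(prop#c:trns#d) = <router value>:<peer value>".
# The router's own value never contains a colon, so the first colon splits the pair.
# A bare number on the peer side (here hash "4") is an IKEv1 attribute id the router did not
# name; in the IANA IKEv1 Hash Algorithm registry id 4 is SHA2-256.
REJECT_RE = re.compile(
    r"ipsec rejected (?P<attr>\w+): DB\(prop#\d+:trns#(?P<db>\d+)\):"
    r"Peer\(prop#\d+:trns#(?P<peer>\d+)\) = (?P<db_val>[^:]+):(?P<peer_val>.+)$"
)

def analyze_phase1(log_text):
    """Return (report keyed by peer transform, router-side values seen per attribute)."""
    db_transforms = set()
    accepted = defaultdict(set)                          # attr -> router values
    offered = defaultdict(dict)                          # peer trns -> attr -> peer value
    rejected_by = defaultdict(lambda: defaultdict(set))  # peer trns -> attr -> db trns ids
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        db, peer = int(m["db"]), int(m["peer"])
        db_transforms.add(db)
        accepted[m["attr"]].add(m["db_val"].strip())
        offered[peer][m["attr"]] = m["peer_val"].strip()
        rejected_by[peer][m["attr"]].add(db)
    report = {}
    for peer, attrs in offered.items():
        # An attribute blocks the transform only when every router transform rejected it;
        # one that never shows up in a rejected line (e.g. hash SHA in trns#15) matched.
        blocking = sorted(a for a, dbs in rejected_by[peer].items() if dbs == db_transforms)
        report[peer] = {"offered": dict(attrs), "blocking": blocking}
    return report, {a: sorted(v) for a, v in accepted.items()}
```

Run over the posted lines, the report shows each client transform carrying DES-CBC and the 1024-bit MODP group, neither of which appears on the router side, so the failure is a proposal mismatch rather than a transport problem.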
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP/IPSec Android Cannot Connect

Wed Oct 16, 2019 7:12 pm

I see ipsec rejected encryption type...
Maybe you should try changing IPsec encryption algorithm to one that your android device supports...
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: L2TP/IPSec Android Cannot Connect

Fri Oct 18, 2019 1:06 am

Have had some development in this area ...

I have confirmed that the VPN connection is working from a public WiFi hotspot. But it is coming back as unsuccessful when the connection is attempted over the cellular network. I am currently using AT&T on this particular device. Any idea why this would be working from the WiFi connection but not through the cellular connection?

Thanks!
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: L2TP/IPSec Android Cannot Connect

Fri Oct 18, 2019 10:44 am

See posting #4.
