Getting IKEv2/IPsec/PSK Mikrotik <-> Android 13+ VPNs working (and maybe other key sharing methods, too)
Posted: Thu Sep 14, 2023 2:36 am
I saw a lot of folks are having trouble getting IKEv2/IPsec/PSK working post Android 13+ with the new IKEv2 requirement.
There are plenty of tutorials out there on getting IKEv2/IPsec/PSK set up on the Mikrotik, but if you want it to work with Android 13+ initiators (i.e., where the Android 13+ phone calls home to the Mikrotik router's network) there's one extra step.
This fix applies to the following situation: the Android 13+ device connects to the VPN, but then immediately disconnects from it and displays a "connection unsuccessful" message. With the ipsec topic added to logging, the Mikrotik's log (filtered with "topic contains ipsec; topic contains not debug; topic contains not packet") will show a perfectly normal connection followed by an immediate disconnection: "IPsec-SA established" followed, after a few intervening messages, by "payload seen: DELETE".
The issue is that the initiator expects the responder to return an fqdn ID_R (that is, the "My ID" in IPsec Identity) containing the exact server name used in the VPN setup on Android. Why Android doesn't put up a more meaningful message than "connection unsuccessful" is beyond me.
So, once you have a working IKEv2 VPN, all you have to do is to modify your identity entry on the IPSec Identity page and change My ID Type from Auto (or other) to fqdn, then copy the exact text you used for the "Server address" in the Android 13+ device into the "Remote ID" field, and presto, the device will stay connected.
You may need to create multiple identities if this configuration stops other clients from connecting!
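The same change made from the RouterOS command line, as an added example that is not part of the original post: the post ties ID_R to the "My ID" field, which on the CLI is the `my-id` parameter. The peer name `android-ikev2` and the hostname `vpn.example.com` are placeholders for your own peer entry and the exact "Server address" string typed into the phone.

```routeros
# Added example (not from the post). Assumes the Android clients use a
# peer named "android-ikev2" and that the phone's "Server address" is
# vpn.example.com (placeholder; it must match character for character).
/ip ipsec identity set [find peer=android-ikev2] my-id=fqdn:vpn.example.com

# Confirm the responder identifier now reads fqdn:vpn.example.com
/ip ipsec identity print detail where peer=android-ikev2

# After the phone reconnects, the SA should stay up instead of being deleted
/ip ipsec active-peers print
```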
However, a warning: on my Pixel 5, using this VPN repeatedly crashed my phone under the latest update (as of the date of this post), so even though this gets the VPN working, at least the Pixel 5 implementation of IKEv2/IPsec/PSK is buggy. Until Google fixes these crashes you probably still don't want to use this method to connect.