
Getting IKEv2/IPSec/PSK Mikrotik <-> Android 13+ VPNs working (and maybe other key sharing methods, too)

Posted: Thu Sep 14, 2023 2:36 am
by cwm9
I saw a lot of folks are having trouble getting IKEv2/IPsec/PSK working post Android 13+ with the new IKEv2 requirement.

There are plenty of tutorials out there on getting IKEv2/IPsec/PSK set up on the Mikrotik, but if you want it to work with Android 13+ initiators (i.e., where the Android 13+ phone calls home to the Mikrotik router's network) there's one extra step.

This fix applies for the following situation: The Android 13+ device connects to the VPN, but then immediately disconnects from it and displays a "connection unsuccessful" message. The Mikrotik's ipsec log will show a perfectly normal connection followed by an immediate disconnection ("IPsec-SA established" followed after a few intervening messages by "payload seen: DELETE") in the "topic contains ipsec; topic contains not debug; topic contains not packet" filtered view of the log with the IPsec topic added to the log.

The issue is that the initiator is expecting the responder to return an fqdn ID_R (that is, the "My ID" in IPsec Identity) that contains the exact server name used in the VPN setup in Android. Why Android doesn't put up a more meaningful message than, "connection unsuccessful", is beyond me.

So, once you have a working IKEv2 VPN, all you have to do is to modify your identity entry on the IPSec Identity page and change My ID Type from Auto (or other) to fqdn, then copy the exact text you used for the "Server address" in the Android 13+ device into the "Remote ID" field, and presto, the device will stay connected.

You may need to create multiple identities if this configuration stops other clients from connecting!

However, a warning: on my Pixel 5, using this VPN repeatedly crashed my phone under the latest update (as of the date of this post), so even though this gets the VPN working, at least the Pixel 5 implementation of IKEv2/IPsec/PSK is buggy. Until Google fixes these crashes you probably still don't want to use this method to connect.
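The symptom described in the post above (an "IPsec-SA established" line followed within seconds by "payload seen: DELETE" from the same peer) is easy to spot by eye once, but tedious to hunt for across a busy log. The script below is an added example, not part of cwm9's post: it scans RouterOS IPsec log lines for exactly that pattern and reports the peers affected. The log lines, addresses and the exact wording after "payload seen: DELETE" are constructed for this example; adjust the two regexes to the message text your RouterOS version prints.

```python
"""
Added example (not from the forum post): scan RouterOS IPsec log lines for an
"IPsec-SA established" message that is followed almost immediately by a
"payload seen: DELETE" from the same peer, the signature of an Android 13+
initiator rejecting the responder's ID_R.  Log layout and addresses are
constructed for this example.
"""
import re
from datetime import datetime

# Constructed sample of a log filtered with
# "topic contains ipsec; topic contains not debug; topic contains not packet".
SAMPLE_LOG = """\
sep/14 02:30:01 ipsec,info new ike2 SA (R): my-router[4500]-203.0.113.7[4500] spi:...
sep/14 02:30:01 ipsec,info IPsec-SA established: ESP/Tunnel 198.51.100.1[4500]->203.0.113.7[4500] spi=0x0a1b2c3d
sep/14 02:30:02 ipsec,info payload seen: DELETE (12 bytes) from 203.0.113.7[4500]
sep/14 02:30:02 ipsec,info IPsec-SA deleted: ESP/Tunnel 198.51.100.1[4500]->203.0.113.7[4500]
sep/14 09:12:44 ipsec,info IPsec-SA established: ESP/Tunnel 198.51.100.1[4500]->192.0.2.55[4500] spi=0x11223344
sep/14 10:41:10 ipsec,info payload seen: DELETE (12 bytes) from 192.0.2.55[4500]
"""

# "mon/dd HH:MM:SS topics message" as RouterOS prints it (no year in the line).
LINE_RE = re.compile(r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<msg>.*)$")
# Peer address is the right-hand side of the "->" in the established message.
ESTABLISHED_RE = re.compile(r"IPsec-SA established: .*->(?P<peer>\d+\.\d+\.\d+\.\d+)\[")
# The "from <addr>[port]" suffix is an assumption of this example.
DELETE_RE = re.compile(r"payload seen: DELETE.* from (?P<peer>\d+\.\d+\.\d+\.\d+)\[")


def parse_ts(ts):
    # RouterOS log lines carry no year; strptime fills in 1900, which is fine
    # for computing gaps between lines of the same day.
    return datetime.strptime(ts, "%b/%d %H:%M:%S")


def find_immediate_deletes(log_text, max_gap_s=10):
    """Return [(peer, gap_seconds)] for every DELETE that arrives from a peer
    within max_gap_s seconds of that peer's own IPsec-SA establishment."""
    established = {}  # peer -> timestamp of its most recent "IPsec-SA established"
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "ipsec" not in m["topics"].split(","):
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        e = ESTABLISHED_RE.search(msg)
        if e:
            established[e["peer"]] = ts
            continue
        d = DELETE_RE.search(msg)
        if d and d["peer"] in established:
            gap = (ts - established.pop(d["peer"])).total_seconds()
            if 0 <= gap <= max_gap_s:
                hits.append((d["peer"], gap))
    return hits


def diagnose(log_text, max_gap_s=10):
    """Human-readable findings, one per affected peer."""
    return [
        f"{peer}: SA torn down {gap:.0f}s after establishment; check that the "
        "identity's My ID is fqdn:<exact server address configured on the phone>"
        for peer, gap in find_immediate_deletes(log_text, max_gap_s)
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

Feed it the output of `/log print where topics~"ipsec"` (copied from WinBox or the terminal); only the peer that tears the SA down within the window is reported, while a client that ran for an hour and then disconnected normally is not.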

Re: Getting IKEv2/IPSec/PSK Mikrotik <-> Android 13+ VPNs working (and maybe other key sharing methods, too)

Posted: Mon Nov 27, 2023 10:16 am
by thomsen
Hello! I still couldn’t set up my Redmi (Android 13) to work via VPN IKEv2/IPsec MSCHAPv2. I changed "Remote ID Type" from auto to fqdn, but it didn't bring any results.
Any other clients connect successfully.

Re: Getting IKEv2/IPSec/PSK Mikrotik <-> Android 13+ VPNs working (and maybe other key sharing methods, too)

Posted: Fri Dec 01, 2023 8:38 am
by Blake35
Hello,

Thank you very much for this detailed sharing on configuring IKEv2/IPsec/PSK on Android 13+ devices with Mikrotik. It's interesting to see how a small change in the ID settings can solve a problem that seems, at first glance, quite complex.

This reminds me of the importance of detail and precise configuration in another area: email testing tools. Just as a VPN requires a specific configuration to work properly, email testing tools need to be meticulously tuned to ensure the effectiveness of email campaigns. A pertinent question would be: To what extent can attention to detail in the configuration of email testing tools influence the success of email marketing campaigns?

Re: Getting IKEv2/IPSec/PSK Mikrotik <-> Android 13+ VPNs working (and maybe other key sharing methods, too)

Posted: Sun Jun 16, 2024 10:36 pm
by Damago1
Just in case (google points here) below is a working configuration of ipsec ikev2 / psk vpn:

notes:
1. This configuration is NOT touching the "default" profile, "default" identity etc., so it should work in parallel with other VPN types, for instance in parallel with L2TP/ipsec VPN, which creates a dynamic identity/peer and cannot use anything else than default. So this configuration is glued together by a group named "ike2-group".
2. Android still claims this VPN as "insecure"; however, I did not dig deeper why, I wanted to just "make it work" because L2TP was removed.
3. You need to alter the scripts below a bit, by filling in the [TEXT IN BRACKETS] with your names/passwords etc.
4. You need to create an address pool for the VPN connections first, and give the pool's name as [ADDRESS_POOL] below.
5. [FULL_DOMAIN_NAME_OF_ROUTER] is DNS name under which router will be available (like www.google.com)
6. [SECRET] is your pre-shared key.
7. In Android you have to give such VPN settings:
"name" whatever you like.
"type" is "IKEv2/IPSec PSK"
"Server address" the same as in [FULL_DOMAIN_NAME_OF_ROUTER]
"IPsec identifier" the same as in [FULL_DOMAIN_NAME_OF_ROUTER]
"Pre shared key" the same as in [SECRET]
8. Maybe proposal could be simplified. I was adding everything till it started to work.
# 2024-06-16 21:14:19 by RouterOS 7.13.2
# model = RB3011UiAS
/ip ipsec policy group
add name=ike2-group
/ip ipsec mode-config
add address-pool=[ADDRESS_POOL] name=ike2-config
/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha512 name=ike2-profile proposal-check=claim
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile secret=[SECRET]
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm name=ike2-proposal pfs-group=\
    modp4096
/ip ipsec identity
add comment="identity to be used in ikev2" generate-policy=port-strict mode-config=ike2-config my-id=fqdn:[FULL_DOMAIN_NAME_OF_ROUTER]\
  peer=ike2-peer policy-template-group=ike2-group
/ip ipsec policy
add comment="policy to be used in ike2-identity and ike2-policy" dst-address=0.0.0.0/0 group=ike2-group proposal=ike2-proposal src-address=0.0.0.0/0 template=yes