I saw a lot of folks are having trouble getting IKEv2/IPsec/PSK working post Android 13+ with the new IKEv2 requirement.

There are plenty of tutorials out there on getting IKEv2/IPsec/PSK set up on the Mikrotik, but if you want it to work with Android 13+ initiators (i.e., where the Android 13+ phone calls home to the Mikrotik router's network) there's one extra step.

This fix applies for the following situation: The Android 13+ device connects to the VPN, but then immediately disconnects from it and displays a "connection unsuccessful" message. The Mikrotik's ipsec log will show a perfectly normal connection followed by an immediate disconnection ("IPsec-SA established" followed after a few intervening messages by "payload seen: DELETE") in the "topic contains ipsec; topic contains not debug; topic contains not packet" filtered view of the log with the IPsec topic added to the log.

The issue is that the initiator is expecting the responder to return an fqdn ID_R (that is, the "My ID" in IPsec Identity) that contains the exact server name used in the VPN setup in Android. Why Android doesn't put up a more meaningful message than, "connection unsuccessful", is beyond me.

So, once you have a working IKEv2 VPN, all you have to do is to modify your identity entry on the IPSec Identity page and change My ID Type from Auto (or other) to fqdn, then copy the exact text you used for the "Server address" in the Android 13+ device into the "Remote ID" field, and presto, the device will stay connected.

You may need to create multiple identities if this configuration stops other clients from connecting!

However, a warning: on my Pixel 5, using this VPN repeatedly crashed my phone under the latest update (as of date of this post), so even though this gets the VPN working, at least the Pixel 5 implementation of IKEv2/IPsec/PSK implementation is buggy. Until Google fixes these crashes you probably still don't want to use this method to connect.

Hello! I still couldn’t set up my Redmi (Android 13) to work via VPN IKEv2/IPsec MSCHAPv2. I changed "Remote ID Type" from auto to fqdn, but it didn't bring any results.
Any other clients connect successfully.

Hello,

Thank you very much for this detailed sharing on configuring IKEv2/IPsec/PSK on Android 13+ devices with Mikrotik. It's interesting to see how a small change in the ID settings can solve a problem that seems, at first glance, quite complex.

This reminds me of the importance of detail and precise configuration in another area: email testing tools. Just as a VPN requires a specific configuration to work properly, email testing tools need to be meticulously tuned to ensure the effectiveness of email campaigns. A pertinent question would be: To what extent can attention to detail in the configuration of email testing tools influence the success of email marketing campaigns?