Solved

NCP VPN won't connect Android to Cisco

Posted on 2013-05-25
Last Modified: 2014-01-23
I have a Samsung Galaxy Note II LTE GT-N7105 running Jelly Bean 4.1.1 and I've installed NCP's VPN software on it because I cannot get the built-in VPN to work with Cisco type VPN connection.

Settings I've been told to use by my VPN provider are:
(names and IPs changed of course)

Description: TripNet STIG
Connection type: CISCO
Server: 190.70.243.121
Account: STIGVPN001
Group Name: STIGVPNPHONE
Secret: secretkey

I've set this up on my iPhone using the iPhone's built-in CISCO VPN and it works like a charm.

In the Samsung NCP app settings I have:

Profile:
Profile Name
TripNet STIG

VPN Tunnelling:
Gateway (Tunnel Endpoint)
190.70.243.121

Extended Authentication (XAUTH) (ON)

VPN User ID
STIGVPN001

VPN Password
password

Security:
Pre-shared Key
secretkey

Exchange Mode
Main Mode (IKEv1)

IKE ID Type
ASN1 Group Name

IKE ID
STIGVPNPHONE

PFS-Group
None

Line Management:
Inactivity Timeout: 600 (sec)

IPsec Address Assignment:
Assignment of the private IP Address
IKE Config mode

Split Tunneling
OFF

Advanced IPsec Options
IPsec Compression = NONE

When I try to connect using the Android client, it disconnects after a short while. Here is the log extract:

25.05.13 11:02:46  IPSec: Start building connection
25.05.13 11:02:47  Ike: Outgoing connect request MAIN mode - gateway=190.70.243.121 : TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: IKE phase I: Setting LifeTime to 86400 seconds
25.05.13 11:02:47  Ike: Turning on XAUTH mode - TripNet STIG
25.05.13 11:02:47  Ike: IkeSa negotiated with the following properties -
25.05.13 11:02:47  IPSec: Final Tunnel EndPoint is:190.70.243.121
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: TripNet STIG ->Support for NAT-T version - 2
25.05.13 11:02:47  Ike: Turning on IKE fragment mode - TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.

Really hoping there is someone out there who can help with this.

Cheers
Chris
0
Question by:kenwardc
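
Added example, not part of the original thread and not NCP tooling: a small Python parser for the log format shown in the question. It reports the last IKEv1 main-mode message seen, the stage that message belongs to per RFC 2409, any error and notify names, and which negotiated phase 1 values are legacy. The function name `analyse`, the `LEGACY` list and the sample subset of log lines are this example's assumptions.

```python
import re

# Sample input: a subset of the lines in the question's log extract.
SAMPLE_LOG = """\
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
"""

# IKEv1 main-mode message pairs and what each carries (RFC 2409).
STAGES = {1: "SA proposal", 2: "SA proposal",
          3: "key exchange (DH public value + nonce)",
          4: "key exchange (DH public value + nonce)",
          5: "identity + authentication hash", 6: "identity + authentication hash"}

# Values commonly treated as legacy today; this list is the example's assumption.
LEGACY = {"Encryption": {"DES", "DES3"}, "Hash": {"MD5"}, "DHGroup": {"1", "2", "5"}}

MSG_RE = re.compile(r"(?:XMIT|RECV)_MSG(\d)_MAIN")
ERR_RE = re.compile(r"ERROR - (\w+)")
NOTIFY_RE = re.compile(r"NOTIFY : .* : RECEIVED : (\w+) : (\d+)")
PROP_RE = re.compile(r"(\w+)=(\w+)")

def analyse(log_text):
    """Summarise a phase 1 attempt: last message seen, errors, negotiated SA."""
    result = {"last_msg": 0, "stage": None, "errors": [], "notifies": [],
              "sa": {}, "legacy": []}
    for line in log_text.splitlines():
        if m := MSG_RE.search(line):
            result["last_msg"] = max(result["last_msg"], int(m.group(1)))
        if m := ERR_RE.search(line):
            result["errors"].append(m.group(1))
        if m := NOTIFY_RE.search(line):
            result["notifies"].append((m.group(1), int(m.group(2))))
        if "Authentication=" in line:
            result["sa"] = dict(PROP_RE.findall(line))
    result["stage"] = STAGES.get(result["last_msg"])
    result["legacy"] = sorted(k for k, bad in LEGACY.items()
                              if result["sa"].get(k) in bad)
    return result

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the question's log this places the failure in the message 3/4 key-exchange pair, before the message 5/6 pair in which identities and the authentication hash are exchanged, and it flags the negotiated 3DES, MD5 and DH group 2 as legacy values worth raising with whoever runs the gateway.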
16 Comments
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196461
Make sure you are typing everything correctly. It looks like it is finding that the key is incorrect:

"25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION"

I am guessing that is the pre-shared key.
0
 

Author Comment

by:kenwardc
ID: 39196521
Hi xKincaidx

I'm pretty sure I have the secret correct as it's working on the iPhone fine.

The error also threw me a bit. Perhaps it's something else which is stopping the auth?

Cheers
Chris
0
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196528
Make sure it isn't capitalizing the first letter automatically when you are typing it.
0

 

Author Comment

by:kenwardc
ID: 39196579
Yes - I've done that too, thanks.

Cheers
Chris
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39196812
You have X Auth enabled on the second example but not the first. If you do not need X Auth, it should not be used and can cause the error above. Conversely if you need it and do not have it, it can cause similar errors.

So check out whether X Auth is needed or not.

Also in the second example, split tunneling is where you assign the remote subnet, so you need it.

I have NCP running on Windows 8 for multiple clients (which is where I draw the above information) but I do not have a Samsung Galaxy.

.... Thinkpads_User
0
 

Author Comment

by:kenwardc
ID: 39196841
Hi there,

Thanks for your suggestion. On the iPhone there is a username and password. If I untick the XAUTH box then the username/password entry fields disappear.

I'll have a look at the split screen tunnelling to see whether adding the subnet works.

Cheers
Chris
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39197511
@kenwardc - Please keep us posted.

I know that if you un-tick the X AUTH box, the user name / password fields disappear. However there are also user name / password fields for the main identity where you use Pre-Shared key. X AUTH is additional and you cannot use it if the Cisco does not use it.

Conversely, if the Cisco does use X AUTH, then the iPhone must be using it also.

The two configurations you showed us are not directly comparable.

... Thinkpads_User
0
 

Author Comment

by:kenwardc
ID: 39197531
Hi there

There is only one configuration in my original post. It's the entire list of options on the Android phone within the NCP application.

I've tried removing the XAUTH but it still gives the same error.

Cheers
Chris
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39197546
You need to then look at the iPhone configuration which (according to your posts) must also have X AUTH set and see where the differences are.

Check the X AUTH settings with the Cisco as well.

And then with X AUTH ON, did setting Split Tunneling work?

.... Thinkpads_User
0
 
LVL 98

Accepted Solution

by:
John Hurst earned 2000 total points
ID: 39197600
I also should have mentioned that you need to check your 2 phases in the NCP setup and make sure that both phases match the Cisco.

So you need:
1. Basic setup
2. IPsec Setup: IKE Policy (Phase 1) and IPsec Policy (Phase 2), Exchange Mode and PFS
3. Identities: Type with Pre-shared key (for sure) and additionally X AUTH (optional but must be set as the Cisco demands).
4. Split tunneling to set up the Remote Subnet.

Lots of setup and all of it must be set properly.

... Thinkpads_User
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39198091
@kenwardc - Did you have any luck?

How did the iPhone set up with no configuration? IPsec always needs specialized configuration. Or did the iPhone use PPTP VPN (easier to set up but generally less secure)?

Please let us know if you had any progress.

... Thinkpads_User
0
 

Author Comment

by:kenwardc
ID: 39210278
Hi there

I don't understand the "split tunnelling" thing and am confused as to how to set it up.

Pulling hair out at the moment. ;)

Cheers
Chris
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39210390
In NCP, go into the Split Tunneling menu item. On my NCP, the menus are down the left side of the application with all the other setup menus.

In the Split Tunneling setup, click on ADD and add the required subnet. So if the remote end is 192.168.75.x ADD 192.168.75.0 with subnet mask 255.255.255.0.

I don't know why they did it this way, but all you are doing is defining the remote subnet. You have to do this in any VPN application.

... Thinkpads_User
0
 

Author Comment

by:kenwardc
ID: 39330340
Hi there

Apologies for the delay getting back to you all. I have given up on this score. I cannot find the Split Tunnelling menu on NCP and kinda just abandoned the project.

Thanks very much for the attempt at helping me, Thinkpads_User.

All the best
Chris
0
 

Author Closing Comment

by:kenwardc
ID: 39803756
Thanks so much and sincere apologies for not updating the post before. The suggestion in this post from you helped me get it working, thanks very much.

Cheers
Chris
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 39803778
@kenwardc - Thank you for finally following up. I am glad you got it working and I was happy to help.

.... Thinkpads_User
0


Question has a verified solution.
