Solved

NCP VPN won't connect Android to Cisco

Posted on 2013-05-25
Last Modified: 2014-01-23
I have a Samsung Galaxy Note II LTE GT-N7105 running Jelly Bean 4.1.1 and I've installed NCP's VPN software on it because I cannot get the built-in VPN to work with Cisco type VPN connection.

Settings I've been told to use by my VPN provider are:
(names and IPs changed of course)

Description: TripNet STIG
Connection type: CISCO
Server: 190.70.243.121
Account: STIGVPN001
Group Name: STIGVPNPHONE
Secret: secretkey

I've set this up on my iPhone using the iPhone's built-in CISCO VPN and it works like a charm.

In the Samsung NCP app settings I have:

Profile:
Profile Name
TripNet STIG

VPN Tunnelling:
Gateway (Tunnel Endpoint)
190.70.243.121

Extended Authentication (XAUTH) (ON)

VPN User ID
STIGVPN001

VPN Password
password

Security:
Pre-shared Key
secretkey

Exchange Mode
Main Mode (IKEv1)

IKE ID Type
ASN1 Group Name

IKE ID
STIGVPNPHONE

PFS-Group
None

Line Management:
Inactivity Timeout: 600 (sec)

IPsec Address Assignment:
Assignment of the private IP Address
IKE Config mode

Split Tunneling
OFF

Advanced IPsec Options
IPsec Compression = NONE

When I try to connect using the Android client, it disconnects after a short while. Here is the log extract:

25.05.13 11:02:46  IPSec: Start building connection
25.05.13 11:02:47  Ike: Outgoing connect request MAIN mode - gateway=190.70.243.121 : TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: IKE phase I: Setting LifeTime to 86400 seconds
25.05.13 11:02:47  Ike: Turning on XAUTH mode - TripNet STIG
25.05.13 11:02:47  Ike: IkeSa negotiated with the following properties -
25.05.13 11:02:47  IPSec: Final Tunnel EndPoint is:190.70.243.121
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: TripNet STIG ->Support for NAT-T version - 2
25.05.13 11:02:47  Ike: Turning on IKE fragment mode - TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.

Really hoping there is someone out there who can help with this.

Cheers
Chris
Question by:kenwardc

16 Comments
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196461
Make sure you are typing everything correctly. It looks like it is finding that the key is incorrect:

"25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION"

I am guessing that is the pre-shared key.

Author Comment

by:kenwardc
ID: 39196521
Hi xKincaidx

I'm pretty sure I have the secret correct as it's working on the iPhone fine.

The error also threw me a bit. Perhaps it's something else which is stopping the auth?

Cheers
Chris
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196528
Make sure it isn't capitalizing the first letter automatically when you are typing it.

Author Comment

by:kenwardc
ID: 39196579
Yes - I've done that too, thanks.

Cheers
Chris
LVL 99

Expert Comment

by:John Hurst
ID: 39196812
You have X Auth enabled on the second example but not the first. If you do not need X Auth, it should not be used and can cause the error above. Conversely if you need it and do not have it, it can cause similar errors.

So check out whether X Auth is needed or not.

Also in the second example, split tunneling is where you assign the remote subnet, so you need it.

I have NCP running on Windows 8 for multiple clients (which is where I draw the above information) but I do not have a Samsung Galaxy.

.... Thinkpads_User

Author Comment

by:kenwardc
ID: 39196841
Hi there,

Thanks for your suggestion. On the iPhone there is a username and password. If I untick the XAUTH box then the username/password entry fields disappear.

I'll have a look at the split screen tunnelling to see whether adding the subnet works.

Cheers
Chris
LVL 99

Expert Comment

by:John Hurst
ID: 39197511
@kenwardc - Please keep us posted.

I know that if you un-tick the X AUTH box, the user name / password fields disappear. However there are also user name / password fields for the main identity where you use Pre-Shared key. X AUTH is additional and you cannot use it if the Cisco does not use it.

Conversely, if the Cisco does use X AUTH, then the iPhone must be using it also.

The two configurations you showed us are not directly comparable.

... Thinkpads_User

Author Comment

by:kenwardc
ID: 39197531
Hi there

There is only one configuration in my original post. It's the entire list of options on the Android phone within the NCP application.

I've tried removing the XAUTH but it still gives the same error.

Cheers
Chris
LVL 99

Expert Comment

by:John Hurst
ID: 39197546
You need to then look at the iPhone configuration, which (according to your posts) must also have X AUTH set, and see where the differences are.

Check the X AUTH settings with the Cisco as well.

And then with X AUTH ON, did setting Split Tunneling work?

.... Thinkpads_User
LVL 99

Accepted Solution

by:John Hurst (earned 2000 total points)
ID: 39197600
I also should have mentioned that you need to check your 2 phases in the NCP setup and make sure that both phases match the Cisco.

So you need:
1. Basic setup
2. IPsec Setup: IKE Policy (Phase 1) and IPsec Policy (Phase 2), Exchange Mode and PFS
3. Identities: Type with Pre-shared key (for sure) and additionally X AUTH (optional but must be set as the Cisco demands).
4. Split tunneling to set up the Remote Subnet.

Lots of setup and all of it must be set properly.

... Thinkpads_User
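The accepted solution says both IKE phases must match what the Cisco expects, and the log in the question shows where the NCP client actually got stuck. As an added example (not code from the thread, from NCP or from Cisco), the Python script below parses the exact log lines posted in the question and reports how far the IKEv1 Main Mode exchange got before the gateway rejected it. In that log the error comes back between MSG3 and MSG4, which is the Diffie-Hellman key exchange; identities and XAUTH are only sent after MSG4, so the XAUTH user name and password were never tested and the pre-shared key, the exchange mode and the phase 1 proposal are the settings left to check. The `EXPECTED_GATEWAY_POLICY` dictionary is an assumption standing in for whatever the VPN provider hands out; `proposal_mismatches` compares the negotiated proposal against it.

```python
"""Triage an NCP Secure Client IKEv1 log extract (added example, not NCP or Cisco code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input: the log extract posted in the question above, verbatim.
SAMPLE_LOG = """\
25.05.13 11:02:46  IPSec: Start building connection
25.05.13 11:02:47  Ike: Outgoing connect request MAIN mode - gateway=190.70.243.121 : TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: IKE phase I: Setting LifeTime to 86400 seconds
25.05.13 11:02:47  Ike: Turning on XAUTH mode - TripNet STIG
25.05.13 11:02:47  Ike: IkeSa negotiated with the following properties -
25.05.13 11:02:47  IPSec: Final Tunnel EndPoint is:190.70.243.121
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: TripNet STIG ->Support for NAT-T version - 2
25.05.13 11:02:47  Ike: Turning on IKE fragment mode - TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.
"""

# What each IKEv1 Main Mode message pair carries with pre-shared-key auth (RFC 2409, 5.4).
MAIN_MODE_STAGES = {
    1: "SA proposal (MSG1/MSG2)", 2: "SA proposal (MSG1/MSG2)",
    3: "Diffie-Hellman key exchange (MSG3/MSG4)", 4: "Diffie-Hellman key exchange (MSG3/MSG4)",
    5: "identity and PSK authentication (MSG5/MSG6)", 6: "identity and PSK authentication (MSG5/MSG6)",
}

MODE_RE = re.compile(r"connect request (\w+) mode")
MSG_RE = re.compile(r"\b(XMIT|RECV)_MSG(\d)_(?:MAIN|AGGR)\b")
NOTIFY_RE = re.compile(r"NOTIFY\s*:.*?:\s*RECEIVED\s*:\s*(\w+)")
ERROR_RE = re.compile(r"phase(\d).*ERROR - (\w+)")


@dataclass
class IkeTrace:
    exchange_mode: str = ""
    xauth: bool = False
    proposal: dict[str, str] = field(default_factory=dict)
    messages: list[tuple[str, int]] = field(default_factory=list)  # (XMIT|RECV, n) in order
    notifies: list[str] = field(default_factory=list)
    error_phase: int | None = None
    error: str = ""
    disconnected: bool = False


def parse_ncp_log(text: str) -> IkeTrace:
    """Pull the exchange mode, negotiated proposal, message sequence and error out of the log."""
    t = IkeTrace()
    for line in text.splitlines():
        if m := MODE_RE.search(line):
            t.exchange_mode = m.group(1)
        if "Turning on XAUTH mode" in line:
            t.xauth = True
        if m := MSG_RE.search(line):
            t.messages.append((m.group(1), int(m.group(2))))
        if m := NOTIFY_RE.search(line):
            t.notifies.append(m.group(1))
        if m := ERROR_RE.search(line):
            t.error_phase, t.error = int(m.group(1)), m.group(2)
        if "Authentication=" in line:
            # "date time   key=val,key=val,..." -> drop the timestamp, split the pairs
            body = line.split(None, 2)[2]
            t.proposal = dict(kv.split("=", 1) for kv in body.strip().split(","))
        if "Disconnected from" in line:
            t.disconnected = True
    return t


def failure_stage(t: IkeTrace) -> str:
    """Name the last step of the exchange that was reached when the error hit."""
    if not t.messages:
        return "no IKE message exchanged (gateway unreachable or UDP 500/4500 blocked)"
    last = max(n for _, n in t.messages)
    if t.error_phase == 1:
        return f"phase 1 failed at {MAIN_MODE_STAGES.get(last, f'MSG{last}')}"
    if t.error:
        return f"phase {t.error_phase} failed with {t.error}"
    return "phase 1 completed"


def suspects(t: IkeTrace) -> list[str]:
    """Settings that can still be at fault given how far the exchange got."""
    if not t.error:
        return []
    last = max((n for _, n in t.messages), default=0)
    if last <= 4:
        # Identities and XAUTH are only exchanged after MSG4, so a failure here cannot be
        # the XAUTH user name or password: it is the PSK-derived keying material, the
        # exchange mode or the proposal. (Cisco group-name IDs are typically used with
        # Aggressive, not Main, Mode.)
        return ["pre-shared key", "exchange mode (Main vs Aggressive) and IKE ID type",
                "phase 1 proposal (cipher, hash, DH group, lifetime)"]
    if t.xauth:
        return ["XAUTH user name/password", "pre-shared key / IKE ID"]
    return ["pre-shared key / IKE ID"]


def proposal_mismatches(negotiated: dict[str, str], expected: dict[str, str]) -> dict[str, tuple]:
    """Return {param: (negotiated, expected)} for every phase 1 parameter that differs."""
    return {k: (negotiated.get(k), v) for k, v in expected.items() if negotiated.get(k) != v}


# Assumed gateway phase 1 policy, standing in for what the VPN admin hands out.
EXPECTED_GATEWAY_POLICY = {"Encryption": "DES3", "Hash": "MD5", "DHGroup": "2"}

if __name__ == "__main__":
    trace = parse_ncp_log(SAMPLE_LOG)
    print("mode:", trace.exchange_mode, "xauth:", trace.xauth, "proposal:", trace.proposal)
    print("notifies from gateway:", trace.notifies)
    print("result:", failure_stage(trace))
    print("check first:", suspects(trace))
    print("proposal mismatches:", proposal_mismatches(trace.proposal, EXPECTED_GATEWAY_POLICY))
```

Paste any later NCP log into `SAMPLE_LOG` (or read it from a file) and the same functions will tell you whether the next attempt got past MSG4; once you see MSG5/MSG6 and an XAUTH exchange in the log, the pre-shared key and proposal are no longer the problem and the credentials and the phase 2 policy are what is left to compare against the Cisco.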
LVL 99

Expert Comment

by:John Hurst
ID: 39198091
@kenwardc - Did you have any luck?

How did the iPhone set up with no configuration? IPsec always needs specialized configuration. Or did the iPhone use PPTP VPN (easier to set up but generally less secure).

Please let us know if you had any progress.

... Thinkpads_User

Author Comment

by:kenwardc
ID: 39210278
Hi there

I don't understand the "split tunnelling" thing and am confused as to how to set it up.

Pulling hair out at the moment. ;)

Cheers
Chris
LVL 99

Expert Comment

by:John Hurst
ID: 39210390
In NCP, go into the Split Tunneling menu item. On my NCP, the menus are down the left side of the application with all the other setup menus.

In the Split Tunneling setup, click on ADD and add the required subnet. So if the remote end is 192.168.75.x ADD 192.168.75.0 with subnet mask 255.255.255.0.

I don't know why they did it this way, but all you are doing is defining the remote subnet. You have to do this in any VPN application.

... Thinkpads_User

Author Comment

by:kenwardc
ID: 39330340
Hi there

Apologies for the delay getting back to you all. I have given up on this score. I cannot find the Split Tunnelling menu on NCP and kinda just abandoned the project.

Thanks very much for the attempt at helping me, Thinkpads_User.

All the best
Chris

Author Closing Comment

by:kenwardc
ID: 39803756
Thanks so much and sincere apologies for not updating the post before. The suggestion in this post from you helped me get it working, thanks very much.

Cheers
Chris
LVL 99

Expert Comment

by:John Hurst
ID: 39803778
@kenwardc - Thank you for finally following up. I am glad you got it working and I was happy to help.

.... Thinkpads_User