
NCP VPN won't connect Android to Cisco

I have a Samsung Galaxy Note II LTE GT-N7105 running Jelly Bean 4.1.1 and I've installed NCP's VPN software on it because I cannot get the built-in VPN to work with a Cisco-type VPN connection.

Settings I've been told to use by my VPN provider are:
(names and IPs changed of course)

Description: TripNet STIG
Connection type: CISCO
Server: 190.70.243.121
Account: STIGVPN001
Group Name: STIGVPNPHONE
Secret: secretkey

I've set this up on my iPhone using the iPhone's built-in CISCO VPN and it works like a charm.

In the Samsung NCP app settings I have:

Profile:
Profile Name
TripNet STIG

VPN Tunnelling:
Gateway (Tunnel Endpoint)
190.70.243.121

Extended Authentication (XAUTH) (ON)

VPN User ID
STIGVPN001

VPN Password
password

Security:
Pre-shared Key
secretkey

Exchange Mode
Main Mode (IKEv1)

IKE ID Type
ASN1 Group Name

IKE ID
STIGVPNPHONE

PFS-Group
None

Line Management:
Inactivity Timeout: 600 (sec)

IPsec Address Assignment:
Assignment of the private IP Address
IKE Config mode

Split Tunneling
OFF

Advanced IPsec Options
IPsec Compression = NONE

When I try to connect using the Android client, it disconnects after a short while. Here is the log extract:

25.05.13 11:02:46  IPSec: Start building connection
25.05.13 11:02:47  Ike: Outgoing connect request MAIN mode - gateway=190.70.243.121 : TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: IKE phase I: Setting LifeTime to 86400 seconds
25.05.13 11:02:47  Ike: Turning on XAUTH mode - TripNet STIG
25.05.13 11:02:47  Ike: IkeSa negotiated with the following properties -
25.05.13 11:02:47  IPSec: Final Tunnel EndPoint is:190.70.243.121
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: TripNet STIG ->Support for NAT-T version - 2
25.05.13 11:02:47  Ike: Turning on IKE fragment mode - TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.

Really hoping there is someone out there who can help with this.

Cheers
Chris
1 Solution
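A way to read the client log in the question, as an added example that is not part of the original thread: it reports how far the IKEv1 Main Mode exchange progressed, which phase 1 parameters were negotiated, and which of them are legacy algorithms. The sample is constructed from the log lines quoted above; the function name, the stage labels (taken from the RFC 2409 message layout) and the weak-algorithm list are this example's assumptions.

```python
import re

# Constructed sample: a subset of the NCP client log lines quoted in the question.
LOG = """\
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.
"""

# What each IKEv1 Main Mode message carries (RFC 2409 message layout).
STAGES = {1: "SA proposal", 2: "SA proposal",
          3: "key exchange (KE, nonce)", 4: "key exchange (KE, nonce)",
          5: "identity and authentication", 6: "identity and authentication"}

# Assumed policy for this example: values treated as legacy.
WEAK = {"Encryption": {"DES", "DES3"}, "Hash": {"MD5"}, "DHGroup": {"1", "2"}}


def analyze(log):
    """Summarise a phase 1 attempt: last message seen, proposal, errors."""
    last_msg, props, errors = 0, {}, []
    for line in log.splitlines():
        m = re.search(r"(?:XMIT|RECV)_MSG(\d)_MAIN", line)
        if m:
            last_msg = max(last_msg, int(m.group(1)))
        if "Authentication=" in line:
            # Third whitespace-separated field holds the key=value list.
            fields = line.split(None, 2)[2]
            props = dict(kv.split("=", 1) for kv in fields.split(","))
        m = re.search(r"ERROR - (\w+)|RECEIVED : (\w+)", line)
        if m:
            errors.append(m.group(1) or m.group(2))
    weak = sorted(k for k, bad in WEAK.items() if props.get(k) in bad)
    return {"last_message": last_msg,
            "stage": STAGES.get(last_msg, "none"),
            "auth_reached": last_msg >= 5,  # messages 5 and 6 carry ID and auth hash
            "errors": errors, "proposal": props, "weak": weak}


if __name__ == "__main__":
    for key, value in analyze(LOG).items():
        print(f"{key}: {value}")
```

For this log the exchange stops after message 4, so messages 5 and 6, which carry the identity and the authentication hash, were never exchanged; the negotiated 3DES, MD5 and DH group 2 are all flagged as legacy.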
 
Skyler Kincaid, Network/Systems Engineer, Commented:
Make sure you are typing everything correctly. It looks like it is finding that the key is incorrect:

"25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION"

I am guessing that is the pre-shared key.
0
 
kenwardc, Author, Commented:
Hi xKincaidx

I'm pretty sure I have the secret correct as it's working on the iPhone fine.

The error also threw me a bit. Perhaps it's something else which is stopping the auth?

Cheers
Chris
0
 
Skyler Kincaid, Network/Systems Engineer, Commented:
Make sure it isn't capitalizing the first letter automatically when you are typing it.
0
 
kenwardc, Author, Commented:
Yes - I've done that too, thanks.

Cheers
Chris
0
 
John, Business Consultant (Owner), Commented:
You have X Auth enabled on the second example but not the first. If you do not need X Auth, it should not be used and can cause the error above. Conversely if you need it and do not have it, it can cause similar errors.

So check out whether X Auth is needed or not.

Also in the second example, split tunneling is where you assign the remote subnet, so you need it.

I have NCP running on Windows 8 for multiple clients (which is where I draw the above information) but I do not have a Samsung Galaxy.

.... Thinkpads_User
0
 
kenwardc, Author, Commented:
Hi there,

Thanks for your suggestion. On the iPhone there is a username and password. If I untick the XAUTH box then the username/password entry fields disappear.

I'll have a look at the split screen tunnelling to see whether adding the subnet works.

Cheers
Chris
0
 
John, Business Consultant (Owner), Commented:
@kenwardc - Please keep us posted.

I know that if you un-tick the X AUTH box, the user name / password fields disappear. However there are also user name / password fields for the main identity where you use Pre-Shared key. X AUTH is additional and you cannot use it if the Cisco does not use it.

Conversely, if the Cisco does use X AUTH, then the iPhone must be using it also.

The two configurations you showed us are not directly comparable.

... Thinkpads_User
0
 
kenwardc, Author, Commented:
Hi there

There is only one configuration in my original post. It's the entire list of options on the Android phone within the NCP application.

I've tried removing the XAUTH but it still gives the same error.

Cheers
Chris
0
 
John, Business Consultant (Owner), Commented:
You need to then look at the iPhone configuration (which, according to your posts, must also have X AUTH set) and see where the differences are.

Check the X AUTH settings with the Cisco as well.

And then with X AUTH ON, did setting Split Tunneling work?

.... Thinkpads_User
0
 
John, Business Consultant (Owner), Commented:
I also should have mentioned that you need to check your 2 phases in the NCP setup and make sure that both phases match the Cisco.

So you need:
1. Basic setup
2. IPsec Setup: IKE Policy (Phase 1) and IPsec Policy (Phase 2), Exchange Mode and PFS
3. Identities: Type with Pre-shared key (for sure) and additionally X AUTH (optional but must be set as the Cisco demands).
4. Split tunneling to set up the Remote Subnet.

Lots of setup and all of it must be set properly.

... Thinkpads_User
0
 
John, Business Consultant (Owner), Commented:
@kenwardc - Did you have any luck?

How did the iPhone set up with no configuration? IPsec always needs specialized configuration. Or did the iPhone use PPTP VPN (easier to set up but generally less secure)?

Please let us know if you had any progress.

... Thinkpads_User
0
 
kenwardc, Author, Commented:
Hi there

I don't understand the "split tunnelling" thing and am confused as to how to set it up.

Pulling hair out at the moment. ;)

Cheers
Chris
0
 
John, Business Consultant (Owner), Commented:
In NCP, go into the Split Tunneling menu item. On my NCP, the menus are down the left side of the application with all the other setup menus.

In the Split Tunneling setup, click on ADD and add the required subnet. So if the remote end is 192.168.75.x ADD 192.168.75.0 with subnet mask 255.255.255.0.

I don't know why they did it this way, but all you are doing is defining the remote subnet. You have to do this in any VPN application.

... Thinkpads_User
0
 
kenwardc, Author, Commented:
Hi there

Apologies for the delay getting back to you all. I have given up on this score. I cannot find the Split Tunnelling menu on NCP and kinda just abandoned the project.

Thanks very much for the attempt at helping me, Thinkpads_User.

All the best
Chris
0
 
kenwardc, Author, Commented:
Thanks so much and sincere apologies for not updating the post before. The suggestion in this post from you helped me get it working, thanks very much.

Cheers
Chris
0
 
John, Business Consultant (Owner), Commented:
@kenwardc - Thank you for finally following up. I am glad you got it working and I was happy to help.

.... Thinkpads_User
0
Question has a verified solution.
