Solved

NCP VPN won't connect Android to Cisco

Posted on 2013-05-25
Last Modified: 2014-01-23
I have a Samsung Galaxy Note II LTE GT-N7105 running Jelly Bean 4.1.1 and I've installed NCP's VPN software on it because I cannot get the built-in VPN to work with a Cisco-type VPN connection.

Settings I've been told to use by my VPN provider are:
(names and IPs changed of course)

Description: TripNet STIG
Connection type: CISCO
Server: 190.70.243.121
Account: STIGVPN001
Group Name: STIGVPNPHONE
Secret: secretkey

I've set this up on my iPhone using the iPhone's built-in CISCO VPN and it works like a charm.

In the Samsung NCP app settings I have:

Profile:
Profile Name
TripNet STIG

VPN Tunnelling:
Gateway (Tunnel Endpoint)
190.70.243.121

Extended Authentication (XAUTH) (ON)

VPN User ID
STIGVPN001

VPN Password
password

Security:
Pre-shared Key
secretkey

Exchange Mode
Main Mode (IKEv1)

IKE ID Type
ASN1 Group Name

IKE ID
STIGVPNPHONE

PFS-Group
None

Line Management:
Inactivity Timeout: 600 (sec)

IPsec Address Assignment:
Assignment of the private IP Address
IKE Config mode

Split Tunneling
OFF

Advanced IPsec Options
IPsec Compression = NONE

When I try to connect using the Android client, it disconnects after a short while. Here is the log extract:

25.05.13 11:02:46  IPSec: Start building connection
25.05.13 11:02:47  Ike: Outgoing connect request MAIN mode - gateway=190.70.243.121 : TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: IKE phase I: Setting LifeTime to 86400 seconds
25.05.13 11:02:47  Ike: Turning on XAUTH mode - TripNet STIG
25.05.13 11:02:47  Ike: IkeSa negotiated with the following properties -
25.05.13 11:02:47  IPSec: Final Tunnel EndPoint is:190.70.243.121
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: TripNet STIG ->Support for NAT-T version - 2
25.05.13 11:02:47  Ike: Turning on IKE fragment mode - TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.

Really hoping there is someone out there who can help with this.

Cheers
Chris
Question by:kenwardc
16 Comments
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196461
Make sure you are typing everything correctly. It looks like it is finding that the key is incorrect:

"25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION"

I am guessing that is the pre-shared key.
 

Author Comment

by:kenwardc
ID: 39196521
Hi xKincaidx

I'm pretty sure I have the secret correct as it's working on the iPhone fine.

The error also threw me a bit. Perhaps it's something else which is stopping the auth?

Cheers
Chris
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196528
Make sure it isn't capitalizing the first letter automatically when you are typing it.
 

Author Comment

by:kenwardc
ID: 39196579
Yes - I've done that too, thanks.

Cheers
Chris
 
LVL 90

Expert Comment

by:John Hurst
ID: 39196812
You have X Auth enabled on the second example but not the first. If you do not need X Auth, it should not be used and can cause the error above. Conversely if you need it and do not have it, it can cause similar errors.

So check out whether X Auth is needed or not.

Also in the second example, split tunneling is where you assign the remote subnet, so you need it.

I have NCP running on Windows 8 for multiple clients (which is where I draw the above information) but I do not have a Samsung Galaxy.

.... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39196841
Hi there,

Thanks for your suggestion. On the iPhone there is a username and password. If I untick the XAUTH box then the username/password entry fields disappear.

I'll have a look at the split screen tunnelling to see whether adding the subnet works.

Cheers
Chris
 
LVL 90

Expert Comment

by:John Hurst
ID: 39197511
@kenwardc - Please keep us posted.

I know that if you un-tick the X AUTH box, the user name / password fields disappear. However there are also user name / password fields for the main identity where you use Pre-Shared key. X AUTH is additional and you cannot use it if the Cisco does not use it.

Conversely, if the Cisco does use X AUTH, then the iPhone must be using it also.

The two configurations you showed us are not directly comparable.

... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39197531
Hi there

There is only one configuration in my original post. It's the entire list of options on the Android phone within the NCP application.

I've tried removing the XAUTH but it still gives the same error.

Cheers
Chris
 
LVL 90

Expert Comment

by:John Hurst
ID: 39197546
You need to then look at the iPhone configuration, which (according to your posts) must also have X AUTH set, and see where the differences are.

Check the X AUTH settings with the Cisco as well.

And then with X AUTH ON, did setting Split Tunneling work?

.... Thinkpads_User
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
ID: 39197600
I also should have mentioned that you need to check your 2 phases in the NCP setup and make sure that both phases match the Cisco.

So you need:
1. Basic setup
2. IPsec Setup: IKE Policy (Phase 1) and IPsec Policy (Phase 2), Exchange Mode and PFS
3. Identities: Type with Pre-shared key (for sure) and additionally X AUTH (optional but must be set as the Cisco demands).
4. Split tunneling to set up the Remote Subnet.

Lots of setup and all of it must be set properly.

... Thinkpads_User
 
LVL 90

Expert Comment

by:John Hurst
ID: 39198091
@kenwardc - Did you have any luck?

How did the iPhone set up with no configuration? IPsec always needs specialized configuration. Or did the iPhone use PPTP VPN (easier to set up but generally less secure)?

Please let us know if you had any progress.

... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39210278
Hi there

I don't understand the "split tunnelling" thing and am confused as to how to set it up.

Pulling hair out at the moment. ;)

Cheers
Chris
 
LVL 90

Expert Comment

by:John Hurst
ID: 39210390
In NCP, go into the Split Tunneling menu item. On my NCP, the menus are down the left side of the application with all the other setup menus.

In the Split Tunneling setup, click on ADD and add the required subnet. So if the remote end is 192.168.75.x ADD 192.168.75.0 with subnet mask 255.255.255.0.

I don't know why they did it this way, but all you are doing is defining the remote subnet. You have to do this in any VPN application.

... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39330340
Hi there

Apologies for the delay getting back to you all. I have given up on this score. I cannot find the Split Tunnelling menu on NCP and kinda just abandoned the project.

Thanks very much for the attempt at helping me, Thinkpads_User.

All the best
Chris
 

Author Closing Comment

by:kenwardc
ID: 39803756
Thanks so much and sincere apologies for not updating the post before. The suggestion in this post from you helped me get it working, thanks very much.

Cheers
Chris
 
LVL 90

Expert Comment

by:John Hurst
ID: 39803778
@kenwardc - Thank you for finally following up. I am glad you got it working and I was happy to help.

.... Thinkpads_User