Solved

NCP VPN won't connect Android to Cisco

Posted on 2013-05-25
Last Modified: 2014-01-23
I have a Samsung Galaxy Note II LTE GT-N7105 running Jelly Bean 4.1.1 and I've installed NCP's VPN software on it because I cannot get the built-in VPN to work with a Cisco-type VPN connection.

Settings I've been told to use by my VPN provider are:
(names and IPs changed of course)

Description: TripNet STIG
Connection type: CISCO
Server: 190.70.243.121
Account: STIGVPN001
Group Name: STIGVPNPHONE
Secret: secretkey

I've set this up on my iPhone using the iPhone's built-in CISCO VPN and it works like a charm.

In the Samsung NCP app settings I have:

Profile:
Profile Name
TripNet STIG

VPN Tunnelling:
Gateway (Tunnel Endpoint)
190.70.243.121

Extended Authentication (XAUTH) (ON)

VPN User ID
STIGVPN001

VPN Password
password

Security:
Pre-shared Key
secretkey

Exchange Mode
Main Mode (IKEv1)

IKE ID Type
ASN1 Group Name

IKE ID
STIGVPNPHONE

PFS-Group
None

Line Management:
Inactivity Timeout: 600 (sec)

IPsec Address Assignment:
Assignment of the private IP Address
IKE Config mode

Split Tunneling
OFF

Advanced IPsec Options
IPsec Compression = NONE

When I try to connect using the Android client, it disconnects after a short while. Here is the log extract:

25.05.13 11:02:46  IPSec: Start building connection
25.05.13 11:02:47  Ike: Outgoing connect request MAIN mode - gateway=190.70.243.121 : TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: IKE phase I: Setting LifeTime to 86400 seconds
25.05.13 11:02:47  Ike: Turning on XAUTH mode - TripNet STIG
25.05.13 11:02:47  Ike: IkeSa negotiated with the following properties -
25.05.13 11:02:47  IPSec: Final Tunnel EndPoint is:190.70.243.121
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: TripNet STIG ->Support for NAT-T version - 2
25.05.13 11:02:47  Ike: Turning on IKE fragment mode - TripNet STIG
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.

Really hoping there is someone out there who can help with this.

Cheers
Chris
Question by:kenwardc
16 Comments
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196461
Make sure you are typing everything correctly. It looks like it is finding that the key is incorrect:

"25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION"

I am guessing that is the pre-shared key.
 

Author Comment

by:kenwardc
ID: 39196521
Hi xKincaidx

I'm pretty sure I have the secret correct as it's working on the iPhone fine.

The error also threw me a bit. Perhaps it's something else which is stopping the auth?

Cheers
Chris
 
LVL 15

Expert Comment

by:Skyler Kincaid
ID: 39196528
Make sure it isn't capitalizing the first letter automatically when you are typing it.
 

Author Comment

by:kenwardc
ID: 39196579
Yes - I've done that too, thanks.

Cheers
Chris
 
LVL 92

Expert Comment

by:John Hurst
ID: 39196812
You have X Auth enabled on the second example but not the first. If you do not need X Auth, it should not be used and can cause the error above. Conversely if you need it and do not have it, it can cause similar errors.

So check out whether X Auth is needed or not.

Also in the second example, split tunneling is where you assign the remote subnet, so you need it.

I have NCP running on Windows 8 for multiple clients (which is where I draw the above information) but I do not have a Samsung Galaxy.

.... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39196841
Hi there,

Thanks for your suggestion. On the iPhone there is a username and password. If I untick the XAUTH box then the username/password entry fields disappear.

I'll have a look at the split screen tunnelling to see whether adding the subnet works.

Cheers
Chris
 
LVL 92

Expert Comment

by:John Hurst
ID: 39197511
@kenwardc - Please keep us posted.

I know that if you un-tick the X AUTH box, the user name / password fields disappear. However there are also user name / password fields for the main identity where you use Pre-Shared key. X AUTH is additional and you cannot use it if the Cisco does not use it.

Conversely, if the Cisco does use X AUTH, then the iPhone must be using it also.

The two configurations you showed us are not directly comparable.

... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39197531
Hi there

There is only one configuration in my original post. It's the entire list of options on the Android phone within the NCP application.

I've tried removing the XAUTH but it still gives the same error.

Cheers
Chris
 
LVL 92

Expert Comment

by:John Hurst
ID: 39197546
You need to then look at the iPhone configuration, which (according to your posts) must also have X AUTH set, and see where the differences are.

Check the X AUTH settings with the Cisco as well.

And then with X AUTH ON, did setting Split Tunneling work?

.... Thinkpads_User
 
LVL 92

Accepted Solution

by:
John Hurst earned 500 total points
ID: 39197600
I also should have mentioned that you need to check your 2 phases in the NCP setup and make sure that both phases match the Cisco.

So you need:
1. Basic setup
2. IPsec Setup: IKE Policy (Phase 1) and IPsec Policy (Phase 2), Exchange Mode and PFS
3. Identities: Type with Pre-shared key (for sure) and additionally X AUTH (optional but must be set as the Cisco demands).
4. Split tunneling to set up the Remote Subnet.

Lots of setup and all of it must be set properly.

... Thinkpads_User
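
An added example, not part of the thread: a small Python parser for the NCP log lines quoted in the question, showing how far the IKEv1 Main Mode exchange got and which phase 1 proposal was negotiated, which is the set of values to compare against the gateway's policy. The `WEAK` list of legacy algorithms is an assumption of this example, not something the posters state.

```python
import re

# Lines copied from the log in the question (names and IPs already changed by the poster).
SAMPLE_LOG = """\
25.05.13 11:02:47  Ike: XMIT_MSG1_MAIN - TripNet STIG
25.05.13 11:02:47  Ike: RECV_MSG2_MAIN - TripNet STIG
25.05.13 11:02:47    Authentication=XAUTH_INIT_PSK,Encryption=DES3,Hash=MD5,DHGroup=2,KeyLen=0
25.05.13 11:02:47  Ike: XMIT_MSG3_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: NOTIFY : TripNet STIG : RECEIVED : INVALID_COOKIE : 4
25.05.13 11:02:50  Ike: RECV_MSG4_MAIN - TripNet STIG
25.05.13 11:02:50  Ike: phase1:name(TripNet STIG - ERROR - INVALID_KEY_INFORMATION
25.05.13 11:02:50  IPSec: Disconnected from TripNet STIG on channel 1.
"""

# IKEv1 Main Mode uses six messages in three pairs.
STAGES = {1: "SA proposal", 2: "SA proposal", 3: "key exchange",
          4: "key exchange", 5: "identity/authentication", 6: "identity/authentication"}
# Legacy phase 1 values flagged by this example (assumed list, adjust to local policy).
WEAK = {"Encryption": {"DES", "DES3"}, "Hash": {"MD5"}, "DHGroup": {"1", "2"}}

MSG_RE = re.compile(r"\b(XMIT|RECV)_MSG(\d)_MAIN\b")
PROP_RE = re.compile(r"(\w+)=(\w+)")
NOTIFY_RE = re.compile(r"NOTIFY : .* : RECEIVED : (\w+) : (\d+)")
ERROR_RE = re.compile(r"ERROR - (\w+)")

def summarize(log_text):
    """Return the last Main Mode stage reached, the phase 1 proposal, and errors."""
    last_msg, proposal, notifies, errors = 0, {}, [], []
    for line in log_text.splitlines():
        if (m := MSG_RE.search(line)):
            last_msg = max(last_msg, int(m.group(2)))
        elif "Authentication=" in line:
            proposal = dict(PROP_RE.findall(line))
        elif (m := NOTIFY_RE.search(line)):
            notifies.append((m.group(1), int(m.group(2))))
        elif (m := ERROR_RE.search(line)):
            errors.append(m.group(1))
    weak = sorted(f"{k}={v}" for k, v in proposal.items() if v in WEAK.get(k, ()))
    return {"last_message": last_msg, "stage": STAGES.get(last_msg, "not started"),
            "proposal": proposal, "weak": weak, "notifies": notifies, "errors": errors}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the quoted log the exchange stops in the key-exchange pair (messages 3 and 4), before messages 5 and 6 would carry the identity, and the negotiated proposal uses 3DES, MD5 and DH group 2.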
 
LVL 92

Expert Comment

by:John Hurst
ID: 39198091
@kenwardc - Did you have any luck?

How did the iPhone set up with no configuration? IPsec always needs specialized configuration. Or did the iPhone use PPTP VPN (easier to set up but generally less secure)?

Please let us know if you had any progress.

... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39210278
Hi there

I don't understand the "split tunnelling" thing and am confused as to how to set it up.

Pulling hair out at the moment. ;)

Cheers
Chris
 
LVL 92

Expert Comment

by:John Hurst
ID: 39210390
In NCP, go into the Split Tunneling menu item. On my NCP, the menus are down the left side of the application with all the other setup menus.

In the Split Tunneling setup, click on ADD and add the required subnet. So if the remote end is 192.168.75.x, ADD 192.168.75.0 with subnet mask 255.255.255.0.

I don't know why they did it this way, but all you are doing is defining the remote subnet. You have to do this in any VPN application.

... Thinkpads_User
 

Author Comment

by:kenwardc
ID: 39330340
Hi there

Apologies for the delay getting back to you all. I have given up on this score. I cannot find the Split Tunnelling menu on NCP and kinda just abandoned the project.

Thanks very much for the attempt at helping me, Thinkpads_User.

All the best
Chris
 

Author Closing Comment

by:kenwardc
ID: 39803756
Thanks so much and sincere apologies for not updating the post before. The suggestion in this post from you helped me get it working, thanks very much.

Cheers
Chris
 
LVL 92

Expert Comment

by:John Hurst
ID: 39803778
@kenwardc - Thank you for finally following up. I am glad you got it working and I was happy to help.

.... Thinkpads_User
Question has a verified solution.