VPN Connection -Andriod not working. Working using IPhone

Users at my company are able to connect via VPN using there phone if they have IPhones but a few of us here have Android Phones and are not able to establish a VPN connection. Following the IT department directions the last step if it doesn't work states:
"The connection should then connect and function. If it does not work, check the IPsec logs and the Status > System Logs, VPN, L2TP Raw log to see more specific errors."

I don't see any logs on the phone to help troubleshoot, does anyone have any suggestions.
Tim OBrienSystems EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
better to verify that the VPN setting are correct as shared by your IT team. One instance of the VPN profile can be as below but different Android version and model may differs.
Settings --> Wireless and network ---> More ---> VPN --> Add VPN network
VPN field:
Name: Test
Type: IPSec Xauth PSK ---> (to use pre-shared-keys)
Server: VPN server's IP.
IPSec identifier: Connection profile
IPSec pre-shared-key: Secret key.
But the native VPN support can be irregular
i was having the same issue on my galaxy s4, i rooted my phone, replaced the racoon file, ipsec psk still didn't work. So i went back to the stock racoon and tried something else.

when setting up the L2TP IPsec PSK connection i used the following settings
NAME: what ever you want to call it
type: L2TP/IPSec PSK
server address: the address of the vpn server your are connecting to
IPSec Identifier: LEAVE BLANK
IPSec Pre-Shared Key: enter your pre-shared key

click save

now open your connection
enter your username for the connection
enter you L2TP password not your pre-shared password

tick the save box

click connect and see how that goes. THIS DID IT FOR ME.
Same problem, Nexus 4, stock Android 4.4.2

Confirms the same problem.
Also confirm that #264 works!! Edit your VPN info, leave "L2TP Secret" blank, and it connects normally.

...there is one instance of using Native Android VPN client to connect to ASA but the latter need to be of certain ver so good to check with your VPN server provider too
This document provides a sample configuration for the native L2TP/IPSec Android client. It takes you through all the necessary commands required on a Cisco Adaptive Security Appliance (ASA), as well as the steps to be taken on the Android device itself.

Android L2TP/IPSec requires Cisco ASA software version 8.2.5 or later, version or later, or version 8.4.1 or later.

Otherwise, most in the public tends to go for VPN Apps installed in Android instead using the VPN provider's client apps like Anyconnect VPN apps from Cisco which is mostly via SSL VPN.

Troubleshooting through Android or even getting its log is not going to be easy and I rather not go into that. but so far native VPN can work if  config is supplied by the provider themselves like Cisco example above...

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Tim OBrienSystems EngineerAuthor Commented:
Appreciate all the information you provided
Name: VPN Test
Type: L2TP/IPSec PSK
Server Address: vpn.server.com
L2TP Secret: <BLANK>
IPSEC INDENTIFIER: iPhone (used for VPN Connections on Mobile Phone)

I then enter my username and password and try's to connect:

These are the logs I am seeing from the ASA, please see attached file.

ASA Version is: 8.4(7) so ASA version is ok according to the link you provided. I am using the Default VPN App Provided by my HTC M8 Android Version5.0.1
Tim OBrienSystems EngineerAuthor Commented:
Sorry I forgot to upload, please see attached.
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

btanExec ConsultantCommented:
The forum highlighted mostly due to mismatch in the "transform set"
If his configuration only broke iPhone vpn connection, yes, that's only thing you need.

per the log you provide, iPhone vpn connection was broken on phase 2, transform-set is the parameter which is negociated in phase 2.
Apple iPhone and MAC OS X Compatibility

The security appliance requires the following IKE (ISAKMP) policy settings for successful Apple iPhone or MAC OS X connections:
•IKE phase 1—3DES encryption with SHA1 hash method.
•IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
The reason that the Remote Access (RA) VPN was unable to form successfully before the change from TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is that transport mode is not supported for RA VPN.  You must use Tunnel mode for the IPSec Transform set as we need to maintain the inside IP header so that once the packet is decapsulated and decrypted at the IPSec head end we can forward the packet.

From the logs you can see this failure

Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types  for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP  Transport

repeats 4x

Rcv'd is the transform set sent by the RA Client.  Cfg'd is what the dynamic crypto map supports.
Tim OBrienSystems EngineerAuthor Commented:
Thanks again for all your information, it was very help.
Tim OBrienSystems EngineerAuthor Commented:
Fantastic information, much appreciated
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.