• Status: Solved
  • Priority: Medium
  • Security: Public

VPN Connection - Android not working. Working using iPhone

Users at my company are able to connect via VPN using their phones if they have iPhones, but a few of us here have Android phones and are not able to establish a VPN connection. Following the IT department's directions, the last step, if it doesn't work, states:
"The connection should then connect and function. If it does not work, check the IPsec logs and the Status > System Logs, VPN, L2TP Raw log to see more specific errors."

I don't see any logs on the phone to help troubleshoot. Does anyone have any suggestions?
Tim OBrien
1 Solution
btan (Exec Consultant) commented:
Better to verify that the VPN settings are correct as shared by your IT team. One instance of the VPN profile can be as below, but different Android versions and models may differ.
Settings --> Wireless and network ---> More ---> VPN --> Add VPN network
VPN field:
Name: Test
Type: IPSec Xauth PSK ---> (to use pre-shared-keys)
Server: VPN server's IP.
IPSec identifier: Connection profile
IPSec pre-shared-key: Secret key.
But the native VPN support can be irregular:
I was having the same issue on my Galaxy S4. I rooted my phone and replaced the racoon file; IPsec PSK still didn't work. So I went back to the stock racoon and tried something else.

When setting up the L2TP IPsec PSK connection I used the following settings:
NAME: whatever you want to call it
type: L2TP/IPSec PSK
server address: the address of the VPN server you are connecting to
IPSec Identifier: LEAVE BLANK
IPSec Pre-Shared Key: enter your pre-shared key

click save

now open your connection
enter your username for the connection
enter your L2TP password, not your pre-shared password

tick the save box

click connect and see how that goes. THIS DID IT FOR ME.
Same problem, Nexus 4, stock Android 4.4.2

Confirms the same problem.
Also confirm that #264 works!! Edit your VPN info, leave "L2TP Secret" blank, and it connects normally.

...there is one instance of using the native Android VPN client to connect to an ASA, but the latter needs to be of a certain version, so it is good to check with your VPN server provider too.
This document provides a sample configuration for the native L2TP/IPSec Android client. It takes you through all the necessary commands required on a Cisco Adaptive Security Appliance (ASA), as well as the steps to be taken on the Android device itself.

Android L2TP/IPSec requires Cisco ASA software version 8.2.5 or later, version or later, or version 8.4.1 or later.

Otherwise, most in the public tend to go for VPN apps installed on Android instead, using the VPN provider's client apps like the AnyConnect VPN app from Cisco, which is mostly via SSL VPN.

Troubleshooting through Android or even getting its log is not going to be easy and I would rather not go into that. But so far native VPN can work if the config is supplied by the provider themselves, like the Cisco example above...
Tim OBrien (Systems Engineer, Author) commented:
Appreciate all the information you provided
Name: VPN Test
Type: L2TP/IPSec PSK
Server Address: vpn.server.com
L2TP Secret: <BLANK>
IPSEC IDENTIFIER: iPhone (used for VPN Connections on Mobile Phone)

I then enter my username and password and it tries to connect:

These are the logs I am seeing from the ASA, please see attached file.

ASA version is 8.4(7), so the ASA version is OK according to the link you provided. I am using the default VPN app provided by my HTC M8, Android version 5.0.1.
Tim OBrien (Systems Engineer, Author) commented:
Sorry, I forgot to upload; please see attached.
btan (Exec Consultant) commented:
The forum highlighted that this is mostly due to a mismatch in the "transform set":
If his configuration only broke iPhone VPN connection, yes, that's the only thing you need.

Per the log you provided, the iPhone VPN connection was broken in phase 2; transform-set is the parameter which is negotiated in phase 2.
Apple iPhone and MAC OS X Compatibility

The security appliance requires the following IKE (ISAKMP) policy settings for successful Apple iPhone or MAC OS X connections:
• IKE phase 1—3DES encryption with SHA1 hash method.
• IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
The reason that the Remote Access (RA) VPN was unable to form successfully before the change from TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is that transport mode is not supported for RA VPN.  You must use Tunnel mode for the IPSec Transform set as we need to maintain the inside IP header so that once the packet is decapsulated and decrypted at the IPSec head end we can forward the packet.

From the logs you can see this failure

Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types  for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP  Transport

repeats 4x

Rcv'd is the transform set sent by the RA Client.  Cfg'd is what the dynamic crypto map supports.
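The Rcv'd/Cfg'd comparison described above can be pulled out of a saved ASA debug log automatically. The following is an added example, not part of the original thread or of any Cisco tooling: it assumes the log lines follow the format of the one quoted above, and the function names and the extra sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the ASA IKEv1 debug message quoted in the thread. Whitespace between
# fields varies in the pasted log, so every gap is matched with \s+.
MISMATCH = re.compile(
    r"\[IKEv1\]:\s+Phase 2 failure:\s+Mismatched attribute types\s+for class\s+"
    r"(?P<cls>.+?):\s+Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$"
)

def normalize(value):
    """Collapse runs of whitespace so 'UDP  Transport' equals 'UDP Transport'."""
    return " ".join(value.split())

def summarize_phase2_mismatches(lines):
    """Count each (class, received, configured) mismatch seen in the log."""
    counts = Counter()
    for line in lines:
        m = MISMATCH.search(line)
        if m:
            key = tuple(normalize(m.group(g)) for g in ("cls", "rcvd", "cfgd"))
            counts[key] += 1
    return counts

def report(counts):
    """One readable line per distinct mismatch, most frequent first."""
    return [
        f"{n}x {cls}: client proposed '{rcvd}', ASA configured '{cfgd}'"
        for (cls, rcvd, cfgd), n in counts.most_common()
    ]

# The first line is the one quoted in the thread (it repeated 4x there); the
# other two lines are constructed for this example.
SAMPLE_LOG = [
    "Dec 29 18:54:26 [IKEv1]: Phase 2 failure:  Mismatched attribute types  "
    "for class Encapsulation Mode:  Rcv'd: UDP Tunnel(NAT-T)  Cfg'd: UDP  Transport",
] * 4 + [
    "Dec 29 18:54:26 [IKEv1]: constructed line with no mismatch",
    "Dec 29 18:54:27 [IKEv1]: Phase 2 failure:  Mismatched attribute types  "
    "for class Hash Algorithm:  Rcv'd: SHA  Cfg'd: MD5",
]

if __name__ == "__main__":
    for entry in report(summarize_phase2_mismatches(SAMPLE_LOG)):
        print(entry)
```

Grouping the repeats makes it clear which phase 2 attribute the client and the dynamic crypto map disagree on before anyone edits the transform set.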
Tim OBrien (Systems Engineer, Author) commented:
Thanks again for all your information, it was very helpful.
Tim OBrien (Systems Engineer, Author) commented:
Fantastic information, much appreciated
Question has a verified solution.
