Tim OBrien
asked on
VPN Connection - Android not working. Working using iPhone
Users at my company are able to connect via VPN using their phones if they have iPhones, but a few of us here have Android phones and are not able to establish a VPN connection. Following the IT department directions, the last step if it doesn't work states:
"The connection should then connect and function. If it does not work, check the IPsec logs and the Status > System Logs, VPN, L2TP Raw log to see more specific errors."
I don't see any logs on the phone to help troubleshoot. Does anyone have any suggestions?
ASKER
Sorry I forgot to upload, please see attached.
VPNFailureAndroid.JPG
The forum highlighted that it is mostly due to a mismatch in the "transform set".
If his configuration only broke the iPhone VPN connection, yes, that's the only thing you need. https://supportforums.cisco.com/discussion/11175401/iphone-vpn-client-stopped-working
Per the log you provided, the iPhone VPN connection was broken in phase 2; transform-set is the parameter which is negotiated in phase 2.
Apple iPhone and MAC OS X Compatibility https://supportforums.cisco.com/discussion/11201156/ask-experts-connect-your-iphoneipad-ipsec-and-sslvpn
The security appliance requires the following IKE (ISAKMP) policy settings for successful Apple iPhone or MAC OS X connections:
• IKE phase 1—3DES encryption with SHA1 hash method.
• IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.
The reason that the Remote Access (RA) VPN was unable to form successfully before the change from TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is that transport mode is not supported for RA VPN. You must use Tunnel mode for the IPSec Transform set as we need to maintain the inside IP header so that once the packet is decapsulated and decrypted at the IPSec head end we can forward the packet. https://supportforums.cisco.com/discussion/11077441/asa-82-ipsec-ike-phase2-failure
From the logs you can see this failure
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
repeats 4x
Rcv'd is the transform set sent by the RA Client. Cfg'd is what the dynamic crypto map supports.
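A small filter for the Phase 2 failure line quoted above, added here as an example and not part of the original thread: it extracts the attribute class plus the Rcv'd (client proposal) and Cfg'd (ASA side) values from IKEv1 debug output and counts repeats. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Matches the ASA IKEv1 debug line quoted in the thread. The attribute class
# and both values are captured, so any class reported in this format is kept.
MISMATCH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: Phase 2 failure: "
    r"Mismatched attribute types for class (?P<cls>[^:]+): "
    r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$"
)

def parse_mismatches(lines):
    """Return one dict (ts, cls, rcvd, cfgd) per Phase 2 mismatch line."""
    found = []
    for line in lines:
        m = MISMATCH_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found

def summarize(lines):
    """Group identical mismatches and flag tunnel-vs-transport conflicts."""
    counts = Counter(
        (e["cls"], e["rcvd"], e["cfgd"]) for e in parse_mismatches(lines)
    )
    report = []
    for (cls, rcvd, cfgd), n in counts.most_common():
        report.append({
            "class": cls,
            "client_proposed": rcvd,   # Rcv'd: what the RA client sent
            "asa_configured": cfgd,    # Cfg'd: what the crypto map supports
            "count": n,
            "mode_conflict": cls == "Encapsulation Mode"
            and ("Tunnel" in rcvd) != ("Tunnel" in cfgd),
        })
    return report

# Constructed sample: line 2 is the line quoted in the thread; the repeats
# (new timestamps) and the unrelated first line are made up for the demo.
SAMPLE_LOG = """\
Dec 29 18:54:25 [IKEv1]: constructed unrelated line
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:29 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:32 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:35 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```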
ASKER
Thanks again for all your information, it was very helpful.
ASKER
Fantastic information, much appreciated
ASKER
Name: VPN Test
Type: L2TP/IPSec PSK
Server Address: vpn.server.com
L2TP Secret: <BLANK>
IPSEC IDENTIFIER: iPhone (used for VPN Connections on Mobile Phone)
IPSEC PRE-SHARED KEY: <*******>
I then enter my username and password and it tries to connect:
These are the logs I am seeing from the ASA, please see attached file.
ASA Version is: 8.4(7), so the ASA version is OK according to the link you provided. I am using the default VPN app provided by my HTC M8, Android Version 5.0.1