schmil
New Member
November 17, 2016
Question

IPsec with default Android Client


In the log files I get "peer SA proposal not match local policy". I guess this means the Phase 1 settings from the Android client don't match those on the FortiGate?!? Which settings and encryption proposals do I need for the client? The Windows FortiClient works perfectly with these server settings.

1 reply

x_member
New Member
November 18, 2016

For a native L2TP/IPsec XAuth VPN on iPhone (tested iOS 9+) and Android (tested v5+) we use:


config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set dhgrp 14 5 2
        set xauthtype auto
        set authusrgrp <usergroup>
        set ipv4-start-ip <start of range>
        set ipv4-end-ip <end of range>
        set dns-mode auto
        set psksecret <very long psk>
    next
end


... and phase2:


config vpn ipsec phase2-interface
    edit <name>
        set phase1name <phase1 name>
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set keepalive enable
    next
end

... and l2tp:


config vpn l2tp
    set eip <end of range>
    set sip <start of range>
    set status enable
    set usrgrp <usergroup>
end

schmil (Author)
New Member
November 21, 2016

Won't work - aaaaah:


ike 7:L2TP_0: link is idle 13 1.2.3.4->80.187.123.91:23267 dpd=1 seqno=1
ike 7:L2TP_0:408: send IKEv1 DPD probe, seqno 1
ike 7:L2TP_0:408: enc 2D28BADF62499790A3767847F254FE949808100501D137D6C7000000500B000014942DA55CDFAD90A555DF7F9481632C1F000000200000000101108D282D28BAD54F62499790A3767847F2FE949800000001
ike 7:L2TP_0:408: out 2D28BADF62499790A3767847F2FE93449808100501D137D6C70000005C89BF3D940FC56E7C47EFDA59A8F428921B09C8E20F8179A5BA5968FC766F0D0D3D787152F410FDA1B3BAC28B8BD8EBC76CD926C9A2385C9B60C6EAFD37AD43FAD
ike 7:L2TP_0:408: sent IKE msg (R-U-THERE): 1.2.3.4:4500->80.187.123.91:23267, len=92, id=2d28badf62499790/a3767847f2fe9498:d137d6c7
ike 7: comes 80.187.123.91:23267->1.2.3.4:4500,ifindex=13....
ike 7: IKEv1 exchange=Informational id=2d28badf62499790/a3767847f2fe9498:f59f12c1 len=92
ike 7: in 2D28BADF62499790A3767847F2F45E949808100501F59F12C10000005C29BAAD1A7245AFC284C20115500686976C29A5B45B9A8A67AD160713B5FE1EA4599BFA592806C14553587B1A446F86F3EF7355D63DE9597BC2C60BB85843BAAF1F
ike 7:L2TP_0:408: dec 2D28BADF62499790A3767847F2FE94980810055301F59F12C10000005C0B0000142A8330899552CE661743C85F45B2A312000000200000000101108D29432D28BADF62499790A3767847F2FE94980000000100000000000000000000000C
ike 7:L2TP_0:408: notify msg received: R-U-THERE-ACK
ike 7: comes 80.187.123.91:23267->1.2.3.4:4500,ifindex=13....
ike 7: IKEv1 exchange=Quick id=2d28badf62499790/a3767847f2fe9498:a32e8520 len=316
ike 7: in
ike 7:L2TP_0:408: peer has not completed Configuration Method
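Added here as a worked example (not code from either poster): a small Python triage script for the FortiGate IKEv1 debug output shown above. It parses the two line shapes visible in the log (`ike N:<gateway>:<sa>: ...` and `ike N: IKEv1 exchange=...`), counts exchanges, collects received notify messages, and flags the two negotiation messages that appear in this thread. The sample log is constructed from the lines above plus one extra constructed line carrying the "peer SA proposal not match local policy" message from the original question; the plain-language explanations attached to each message are my reading of FortiOS behaviour, not text from the thread.

```python
"""Triage helper for FortiGate IKEv1 debug lines ('diagnose debug application ike').

Added example, not from the thread. Regexes are fitted to the line shapes visible
in the post above; the KNOWN_FAILURES explanations are assumptions about FortiOS.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the log in the post. The final line is added
# so the script also shows the message from the original question.
SAMPLE_LOG = """\
ike 7:L2TP_0: link is idle 13 1.2.3.4->80.187.123.91:23267 dpd=1 seqno=1
ike 7:L2TP_0:408: send IKEv1 DPD probe, seqno 1
ike 7:L2TP_0:408: sent IKE msg (R-U-THERE): 1.2.3.4:4500->80.187.123.91:23267, len=92, id=2d28badf62499790/a3767847f2fe9498:d137d6c7
ike 7: comes 80.187.123.91:23267->1.2.3.4:4500,ifindex=13....
ike 7: IKEv1 exchange=Informational id=2d28badf62499790/a3767847f2fe9498:f59f12c1 len=92
ike 7:L2TP_0:408: notify msg received: R-U-THERE-ACK
ike 7: IKEv1 exchange=Quick id=2d28badf62499790/a3767847f2fe9498:a32e8520 len=316
ike 7:L2TP_0:408: peer has not completed Configuration Method
ike 7:L2TP_0:412: peer SA proposal not match local policy
"""

# Message text -> likely cause (assumption: generic FortiOS IKEv1 behaviour).
KNOWN_FAILURES = {
    "peer SA proposal not match local policy":
        "none of the peer's proposals (encryption/hash/DH group, or the phase-2 "
        "transform) is in the local 'set proposal' / 'set dhgrp' list",
    "peer has not completed Configuration Method":
        "gateway has 'set mode-cfg enable' but the client opened Quick Mode "
        "without finishing the mode-config exchange",
}

# 'ike 7:L2TP_0:408: <msg>' or 'ike 7:L2TP_0: <msg>' (SA id optional).
GW_LINE = re.compile(r"^ike \d+:(?P<gw>[^:\s]+)(?::(?P<sa>\d+))?: (?P<msg>.+)$")
# 'ike 7: IKEv1 exchange=Quick id=<ispi>/<rspi>:<msgid> len=316'
EXCH_LINE = re.compile(
    r"^ike \d+: IKEv1 exchange=(?P<exch>\w+) "
    r"id=(?P<ispi>[0-9a-f]{16})/(?P<rspi>[0-9a-f]{16}):(?P<mid>[0-9a-f]+) len=(?P<len>\d+)$"
)
NOTIFY_LINE = re.compile(r"notify msg received: (?P<notify>\S+)")


@dataclass
class IkeEvent:
    gateway: Optional[str]   # phase1-interface name, e.g. L2TP_0; None for bare lines
    sa_id: Optional[int]     # per-SA counter from the log, when present
    kind: str                # 'exchange', 'notify', 'failure' or 'other'
    detail: str              # exchange name, notify name, failure text or raw message


def parse_line(line: str) -> Optional[IkeEvent]:
    """Classify one debug line; returns None for lines the script does not model."""
    line = line.strip()
    m = EXCH_LINE.match(line)
    if m:
        return IkeEvent(None, None, "exchange", m["exch"])
    m = GW_LINE.match(line)
    if not m:
        return None
    sa_id = int(m["sa"]) if m["sa"] else None
    msg = m["msg"]
    n = NOTIFY_LINE.search(msg)
    if n:
        return IkeEvent(m["gw"], sa_id, "notify", n["notify"])
    for needle in KNOWN_FAILURES:
        if needle in msg:
            return IkeEvent(m["gw"], sa_id, "failure", needle)
    return IkeEvent(m["gw"], sa_id, "other", msg)


def analyze(log_text: str) -> dict:
    """Summarise a debug capture: exchange counts, notifies, and flagged failures."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    exchanges = Counter(e.detail for e in events if e.kind == "exchange")
    notifies = [e.detail for e in events if e.kind == "notify"]
    failures = [
        (e.gateway, e.sa_id, e.detail, KNOWN_FAILURES[e.detail])
        for e in events if e.kind == "failure"
    ]
    return {"exchanges": dict(exchanges), "notifies": notifies, "failures": failures}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("exchanges:", report["exchanges"])
    print("notifies: ", report["notifies"])
    for gw, sa, text, why in report["failures"]:
        print(f"[{gw}:{sa}] {text}\n    -> {why}")
```

On the sample, the Quick Mode exchange is followed directly by the "peer has not completed Configuration Method" line, which is the ordering the script is meant to surface: the client reached phase 2 without the mode-config step the gateway's `set mode-cfg enable` expects. Feeding a real capture through the same function keeps the hex `enc`/`dec`/`in`/`out` dumps out of the summary and leaves only the negotiation state.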



x_member
New Member
November 21, 2016

Can you post your configuration please?


Are you trying to achieve the VPN using LDAP authentication, local user authentication, or ?