FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 263802
Description This article describes that Native VPN (L2TP VPN) is no longer supported in Android 13 and above android version.

Android 13 and above do not support L2TP VPNs anymore due to security issues with L2TP which use Ikev1.


From Andriod 13 and above we only have 3-options to establish a VPN:

  1. Ikev2/IPsec MSCHAPv2.
  2. Ikev2/IPsec PSK (pre-shared key).
  3. Ikev2/IPsec RSA.


To view these options on an Android phone go to Android system settings -> Connection & Sharing -> VPN -> Tap on the '+' button to add a VPN connection -> Select VPN type.


Android VPN type.jpeg


Native VPN in FortiGate firewall will use L2TP by default.

  • Since L2TP is not supported in Android 13 and above VPN connection will not be established between the FortiGate firewall and Android device.

As a workaround to establish a VPN between an Android device and the FortiGate firewall, it is possible to configure a custom dail-up VPN with IKev2. 


This solution is feasible where end users do not want to connect to VPN via the Forticlient application installed in their Android device.

To configure a VPN connection with the Ikev2-PSK method in the FortiGate firewall, follow the steps below:

Go to VPN -> IPsec Tunnels -> Create New -> IPsec Tunnel -> Select Template type as 'Custom', give a name to the VPN connection, and select Next.


  1. image.png








Create a policy and route accordingly to allow traffic from the Andriod-VPN tunnel interface to the LAN interface. 


CLI configuration.


Dail-UP ikev2 Cli config:


config vpn ipsec phase1-interface
    edit "Android-VPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set local-gw
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1
        set proposal aes128-sha256 aes192-sha384 aes256-sha512 aes128gcm-prfsha256 aes256gcm-prfsha512
        set dhgrp 16 15 14
        set ipv4-start-ip
        set ipv4-end-ip
        set ipv4-netmask
        set ipv4-split-include "Test_local_subnet_1"
        set psksecret ENC

        set dpd-retryinterval 60

config vpn ipsec phase2-interface
    edit "Android-VPN"
        set phase1name "Android-VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable

config firewall policy
    edit 13
        set name "Android -VPN"
        set uuid de0f1e18-2148-51ee-f79f-5a640f7b4b50
        set srcintf "Android-VPN"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "Test_local_subnet_1"
        set schedule "always"
        set service "ALL"
        set nat enable


Android Configuration:








  1. If any peer-id in the ikev2 config (FortiGate firewall) is specified, then use the same id in the 'IPsec Identifier' Field. 
  2. If no peer id is configured on the FortiGate firewall, then type any dummy value or name. without any value in the 'IPsec Identifier' Field, it is not possible to save the VPN config in an Android phone.