pmeet, Staff
Article Id 410079
Description This article describes why Android devices are unable to connect using IKEv2 when Username and Password authentication is combined with a pre-shared key as the authentication method.
Scope FortiOS, FortiClient Android.
Solution

When connecting to an IPsec IKEv2 dial-up VPN using FortiClient on Android, the tunnel fails to establish and returns the following output when running IKE debugs:

diagnose vpn ike log filter name <tunnel name>
diagnose deb application ike -1
diagnose deb enable

....

ike V=root:0:MAIN_IKEV2_CLI:144510: responder received AUTH msg
ike V=root:0:MAIN_IKEV2_CLI:144510: received peer identifier KEY_ID 'TEST212'
ike V=root:0:MAIN_IKEV2_CLI:144510: re-validate gw ID
ike V=root:0:MAIN_IKEV2_CLI:144510: gw validation failed


Example of misconfigured Phase 1 setup:

edit "MAIN_IKEV2_CLI"
    set type dynamic
    set interface "wan1"
    set ike-version 2
    set peertype one
    set net-device disable
    set mode-cfg enable
    set proposal aes128-sha1 aes256-sha256
    set eap enable <-----
    set eap-identity send-request
    set authusrgrp "VPN_USERS"
    set peerid "TEST212"
    set ipv4-start-ip 10.4.6.10
    set ipv4-end-ip 10.4.6.30
    set dns-mode auto
    set ipv4-split-include "MAIN_IKEV2_CLI_split"
    set save-password enable
    set psksecret "password" <---
next
end


While the IKE debug shows the connection failing gateway validation, the tunnel still shows as active on the FortiGate, whereas the Android device reports the connection as failed.

Tunnel showing as established on FortiGate:


diagnose vpn tunnel list name MAIN_IKEV2_CLI
------------------------------------------------------
name=MAIN_IKEV2_CLI_2 ver=2 serial=75 10.3.255.9:4500->10.10.15.30:64917 nexthop=10.3.255.254 tun_id=110.4.6.10 tun_id6=::10.0.0.117 status=up dst_mtu=1500 weight=1
bound_if=5 real_if=5 lgwy=static/1 tun=intf mode=dial_inst/3 encap=none/74664 options[123a8]=npu rgwy-chg rport-chg frag-rfc run_state=0 role=sync-primary accept_traffic=1 overlay_id=0

parent=MAIN_IKEV2_CLI index=2
proxyid_num=1 child_num=0 refcnt=6 ilast=2 olast=2 ad=/0
stat: rxp=76946 txp=100693 rxb=18043488 txb=25676919
dpd: mode=on-demand on=1 status=ok idle=10000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=0 interval=10 remote_port=64917
fec: egress=0 ingress=0
proxyid=MAIN_IKEV2_CLI proto=0 sa=1 ref=36 serial=1 add-route
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.4.6.10-10.4.6.30:0
SA: ref=6 options=6a7 type=00 soft=0 mtu=1422 expire=5422/0B replaywin=2048
seqno=7068 esn=0 replaywin_lastseq=00008c00 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=43188/43200
[..omitted..]
npu_flag=03 npu_rgwy=10.10.15.30 npu_lgwy=10.3.255.9 npu_selid=79 dec_npuid=1 enc_npuid=0


In this case, authentication is configured using a pre-shared key combined with Username and Password (EAP), which FortiClient on Android does not support when using IKEv2.

FortiClient (Android) supports IPsec VPN using either pre-shared key or X.509 certificate-based authentication, but does not support combining PSK with EAP (Username/Password).

If only a pre-shared key is used and EAP is disabled, the tunnel connects successfully, because Username/Password authentication is never triggered.

If Username and Password authentication is required, use certificate-based authentication instead, as FortiClient (Android) supports X.509 certificates for IPsec.
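The following is an added example, not Fortinet's own code or tooling: a small Python lint that parses a `config vpn ipsec phase1-interface` block and flags IKEv2 dial-up tunnels that combine a PSK with `eap enable`, alongside a check that picks the `gw validation failed` signature out of IKE debug output. The sample config (the misconfigured tunnel from this article next to a constructed PSK-only variant with EAP disabled) and the sample debug lines are constructed from the text above, not captured from a live unit. It assumes that an absent `authmethod` setting means the FortiOS default of `psk`.

```python
"""Lint FortiOS phase1-interface config for the PSK + EAP combination that
FortiClient (Android) does not support on IKEv2 dial-up tunnels, and pick the
matching failure signature out of IKE debug output.

Added example, not Fortinet's own code. Setting names follow the config shown
in the article; the samples below are constructed, not captured from a device.
"""
import re

# Constructed: the misconfigured tunnel from the article, next to a corrected
# PSK-only tunnel with EAP disabled (the working combination the article names).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "MAIN_IKEV2_CLI"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set mode-cfg enable
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_USERS"
        set peerid "TEST212"
        set psksecret "password"
    next
    edit "MAIN_IKEV2_PSK_ONLY"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype one
        set mode-cfg enable
        set eap disable
        set peerid "TEST212"
        set psksecret "password"
    next
end
"""

# Constructed from the debug lines quoted in the article.
SAMPLE_IKE_DEBUG = """\
ike V=root:0:MAIN_IKEV2_CLI:144510: responder received AUTH msg
ike V=root:0:MAIN_IKEV2_CLI:144510: received peer identifier KEY_ID 'TEST212'
ike V=root:0:MAIN_IKEV2_CLI:144510: re-validate gw ID
ike V=root:0:MAIN_IKEV2_CLI:144510: gw validation failed
"""


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each 'edit ... next' block."""
    tunnels = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"([^"]+)"', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
    return tunnels


def find_psk_eap_tunnels(config_text):
    """Names of IKEv2 dial-up tunnels that pair a PSK with EAP.

    Assumption: an absent 'authmethod' means the FortiOS default 'psk'.
    Only 'authmethod signature' (certificate auth) makes EAP usable from
    FortiClient (Android).
    """
    flagged = []
    for name, s in parse_phase1(config_text).items():
        if s.get("type") != "dynamic" or s.get("ike-version") != "2":
            continue
        uses_psk = s.get("authmethod", "psk") == "psk"
        if s.get("eap") == "enable" and uses_psk:
            flagged.append(name)
    return flagged


def ike_gw_validation_failures(debug_text):
    """Tunnel names whose IKE debug shows the AUTH exchange failing gw validation."""
    failed = set()
    for line in debug_text.splitlines():
        m = re.match(r"ike V=\w+:\d+:(\S+?):\d+: gw validation failed", line)
        if m:
            failed.add(m.group(1))
    return sorted(failed)


if __name__ == "__main__":
    print("PSK+EAP tunnels:", find_psk_eap_tunnels(SAMPLE_CONFIG))
    print("gw validation failures:", ike_gw_validation_failures(SAMPLE_IKE_DEBUG))
```

Run against the output of `show vpn ipsec phase1-interface` and a saved IKE debug capture; a tunnel name that appears in both lists matches the symptom this article describes, and the fix is either `set eap disable` (PSK only) or `set authmethod signature` with a certificate if Username/Password is required.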

To configure IPsec dial-up VPN using signature-based authentication, see Dial-up IPsec VPN with certificate authentication.

For further information on authentication methods supported by Android clients, see Creating an IPsec VPN IKEv2 connection.