MBruenisholz
New Contributor

Android VPN with IPSec/XAuth

Hi everyone,

I'm trying to establish a VPN connection between an Android tablet (Android 4.0.3) and our Fortigate (MR3Patch8). I know the cookbook article about how to establish a connection using L2TP over IPSec... but that's not what I want. Since it is possible to use IPSec with Xauth since Android 4, I want to use this. We're already using it with iPhones/iPads. And some blog articles state that it's also possible with Android... but I can't get it to work.

Actually I see just one single "negotiate progress IPsec phase 1" message with status success, that's all. Not a proposal mismatch or error. And after a short time, I get a timeout on the tablet and see a delete_phase1_sa in the eventlog.

My configuration looks like this atm:

Phase1
 config vpn ipsec phase1-interface
     edit "v_test_android"
         set type dynamic
         set interface "cc_inet"
         set dhgrp 2
         set peertype one
         set xauthtype auto
         set mode aggressive
         set mode-cfg enable
         set proposal aes128-sha1
         set peerid "androidvpn"
         set authusrgrp "androidvpn"
         set ipv4-start-ip 192.168.244.30
         set ipv4-end-ip 192.168.244.40
         set ipv4-netmask 255.255.255.0
         set dns-mode auto
         set psksecret ***
     next
 end
 
Phase2
 config vpn ipsec phase2-interface
     edit "v_test_android_ph2"
         set phase1name "v_test_android"
         set proposal aes128-sha1
     next
 end

On the tablet I've configured an "IPSec Xauth PSK" connection, using "androidvpn" as the IPsec ID. I've already tried many combinations with different proposals, with or without peertype, with PAP or CHAP instead of auto... nothing worked. I'm sure it's not a matter of user/password or PSK, because on an iPad I can connect with these proposals.

Has anyone already made this work or has some hints for me?

Thx a lot
Mike
MBruenisholz
New Contributor

Little update: Obviously I had an error with the PSK (don't know how this could happen...). But now I'm stuck at "XAUTH authentication failed".
MBruenisholz
New Contributor

OK, we can close this case... seems to be an Android bug. Here are my observations, hope I can help someone else who's stuck with something similar.

I did some debugging, with diag debug app ike 255, and found this:
 2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_NAME 'andr2' length 5
 2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_PASSWORD length 9
 2012-08-30 13:56:27 ike 0:v_test_android_0: XAUTH failed for user "andr2", retry(2).
I was confused about the XAUTH_USER_PASSWORD length 9... because the password of this user is only 8 characters long. Tried some other passwords with other lengths, and every try was one digit longer than it should be.

I found the "VpnCilla" app in the Play store and gave it a try. It worked like a charm!
 2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_NAME 'andr2' length 5
 2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_PASSWORD length 8
 2012-08-30 14:35:23 ike 0:v_test_android_0: XAUTH user "andr2" in group 'androidvpn' (9)
 2012-08-30 14:35:23 ike 0:v_test_android_0: XAUTH succeeded for user "andr2
You can see, the length is now 8, exactly as it should be. Seems like the built-in VPN client does not submit the password the right way.

I'm happy to see it was no problem on the Fortigate. Will now see if this is a known bug in Android, otherwise I'll try to submit it.
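
The length comparison described in the post above can be automated. This is an added example, not part of the original thread: it parses the IKE debug lines quoted above and flags failed XAUTH attempts whose received password length differs from the configured one. The function names and the `expected_pw_len` input are assumptions.

```python
import re

# IKE debug lines as quoted in the post above (diag debug app ike 255).
SAMPLE_LOG = """\
2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_NAME 'andr2' length 5
2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_PASSWORD length 9
2012-08-30 13:56:27 ike 0:v_test_android_0: XAUTH failed for user "andr2", retry(2).
2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_NAME 'andr2' length 5
2012-08-30 14:35:23 ike 0:v_test_android_0:232958: received XAUTH_USER_PASSWORD length 8
2012-08-30 14:35:23 ike 0:v_test_android_0: XAUTH user "andr2" in group 'androidvpn' (9)
2012-08-30 14:35:23 ike 0:v_test_android_0: XAUTH succeeded for user "andr2
"""

ATTR = re.compile(r"ike \d+:([^:\s]+):\d+: received XAUTH_USER_(NAME|PASSWORD)"
                  r"(?: '([^']*)')? length (\d+)")
RESULT = re.compile(r'ike \d+:([^:\s]+): XAUTH (failed|succeeded) for user "([^"\s,]+)')


def audit_xauth(log, expected_pw_len):
    """One dict per XAUTH attempt. expected_pw_len maps user -> configured
    password length (assumed admin-supplied; the password itself is not needed)."""
    pending, attempts = {}, []
    for line in log.splitlines():
        if m := ATTR.search(line):
            tunnel, kind, value, length = m.groups()
            state = pending.setdefault(tunnel, {})
            if kind == "NAME":
                # The user name is logged in clear, so its length is self-checking.
                state["name_ok"] = len(value) == int(length)
            else:
                state["pw_len"] = int(length)
        elif m := RESULT.search(line):
            tunnel, result, user = m.groups()
            state = pending.pop(tunnel, {})
            pw_len = state.get("pw_len")
            want = expected_pw_len.get(user)
            delta = None if pw_len is None or want is None else pw_len - want
            attempts.append({"user": user, "result": result, "pw_len": pw_len,
                             "name_len_ok": state.get("name_ok"), "pw_len_delta": delta})
    return attempts


def client_length_bugs(attempts):
    """Failed attempts where the client sent a password of the wrong length."""
    return [a for a in attempts if a["result"] == "failed" and a["pw_len_delta"]]


if __name__ == "__main__":
    print(client_length_bugs(audit_xauth(SAMPLE_LOG, {"andr2": 8})))
```

A nonzero `pw_len_delta` on a failed attempt points at the client rather than at the stored credentials or the group configuration.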
IT_Operations
New Contributor

I had this same problem on ICS, both tablet and phone. Must be some sort of Android bug in their client, because I also ended up going the VpnCilla route, which I'm very happy with.

-Tony
MBruenisholz
New Contributor

Thanks for your reply, good to know that I'm not the only one with this problem. I've created a bug report (https://code.google.com/p/android/issues/detail?id=36879&thanks=36879&ts=1346334949), but no reaction yet.

Mike