FortiGate
sbabu, Staff
Article Id 263802
Description

This article describes that the native VPN (L2TP VPN) is no longer supported on Android 13 and later.
Scope

Android 13 and later no longer support L2TP VPNs because of security issues with L2TP, which relies on IKEv1.

From Android 13 onward, only three options remain for establishing a VPN:

  1. IKEv2/IPsec MSCHAPv2.
  2. IKEv2/IPsec PSK (pre-shared key).
  3. IKEv2/IPsec RSA.

To view these options on an Android phone, go to Android system settings -> Connection & Sharing -> VPN -> tap the '+' button to add a VPN connection -> select VPN type.

[Screenshot: Android VPN type selection]


The native VPN on the FortiGate firewall uses L2TP by default.

  • Since L2TP is not supported on Android 13 and above, a VPN connection will not be established between the FortiGate firewall and the Android device.

Solution

As a workaround to establish a VPN between an Android device and the FortiGate firewall, it is possible to configure a custom dial-up VPN with IKEv2.

This solution is suitable where end users do not want to connect to the VPN through the FortiClient application installed on the Android device.

To configure a VPN connection with the IKEv2-PSK method on the FortiGate firewall, follow the steps below:

Go to VPN -> IPsec Tunnels -> Create New -> IPsec Tunnel -> select the Template type 'Custom', give the VPN connection a name, and select Next to configure the remaining settings.

Create a policy and route accordingly to allow traffic from the Android-VPN tunnel interface to the LAN interface. 

CLI configuration.

Dial-up IKEv2 CLI configuration:

config vpn ipsec phase1-interface
    edit "Android-VPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set local-gw 1.1.1.1
        set peertype any
        set net-device disable
        set mode-cfg enable
        set ipv4-dns-server1 8.8.8.8
        set proposal aes128-sha256 aes192-sha384 aes256-sha512 aes128gcm-prfsha256 aes256gcm-prfsha512
        set dhgrp 16 15 14
        set ipv4-start-ip 192.168.140.1
        set ipv4-end-ip 192.168.140.254
        set ipv4-netmask 255.255.254.0
        set ipv4-split-include "Test_local_subnet_1"
        set psksecret ENC FuEutStPeywrTFqw/8qo1XBl2fpJ9B8Ww5E+AibYu5i7k5mNZgM2jZwiwXNbL+DPJ1O/4UvNHIrwkRabgmad5gSuxo/KQIGU5ABGuhdo74A==
        set dpd-retryinterval 60
    next
end


config vpn ipsec phase2-interface
    edit "Android-VPN"
        set phase1name "Android-VPN"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable
    next
end


config firewall policy
    edit 13
        set name "Android -VPN"
        set uuid de0f1e18-2148-51ee-f79f-5a640f7b4b50
        set srcintf "Android-VPN"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "Test_local_subnet_1"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
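As an added example (not part of this article and not FortiOS code), the following Python script parses configuration text in the same config/edit/set format shown above and checks the settings an Android 13+ IKEv2-PSK client depends on (IKE version 2, dynamic type, mode-cfg, a PSK), and also lists SHA1 phase 2 proposals and disabled PFS for review; the sample text, including its ENC value, is a constructed placeholder.

```python
# Added example (not the article's code): parse FortiOS 'config/edit/set' text
# and check the settings an Android 13+ IKEv2-PSK client depends on.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "Android-VPN"
        set type dynamic
        set ike-version 2
        set mode-cfg enable
        set psksecret ENC PLACEHOLDER==
    next
end
config vpn ipsec phase2-interface
    edit "Android-VPN"
        set phase1name "Android-VPN"
        set proposal aes128-sha1 aes256-sha256 aes256gcm
        set pfs disable
    next
end
"""  # constructed sample in the article's format; the ENC value is a placeholder

def parse_fortios(text):
    """Return {section: {entry: {key: value}}} from FortiOS CLI text."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
            tree.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tree[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            tree[section][entry][key] = value.strip('"')
    return tree

def check_android_ikev2(tree, name):
    """List findings for tunnel `name`; an empty list means it looks usable."""
    p1 = tree.get("vpn ipsec phase1-interface", {}).get(name, {})
    p2 = tree.get("vpn ipsec phase2-interface", {}).get(name, {})
    required = {"ike-version": "2", "type": "dynamic", "mode-cfg": "enable"}
    findings = [f"phase1: expected 'set {k} {v}', got {p1.get(k)!r}"
                for k, v in required.items() if p1.get(k) != v]
    if "psksecret" not in p1:
        findings.append("phase1: no psksecret, IKEv2-PSK clients cannot authenticate")
    findings += [f"phase2: SHA1 proposal offered: {p}"
                 for p in p2.get("proposal", "").split() if p.endswith("sha1")]
    if p2.get("pfs") == "disable":
        findings.append("phase2: PFS disabled, child keys derive from the IKE SA only")
    return findings
```

Run it against a `show vpn ipsec phase1-interface` / `phase2-interface` dump instead of SAMPLE to review a real tunnel before handing the settings to Android users.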

 

Android Configuration:

Note:

  1. If a peer ID is specified in the IKEv2 configuration on the FortiGate, use the same ID in the 'IPsec Identifier' field.
  2. If no peer ID is configured on the FortiGate firewall, enter any dummy value or name in the 'IPsec Identifier' field; without a value, the VPN configuration cannot be saved on the Android phone.
  3. If split tunneling causes problems, a valid workaround is to specify the source subnet in the phase 2 configuration when connecting from Android/Chromebook devices.