asked in Networking by

Hi, all,
I cannot establish a VPN connection from my Android phone to the RUT230. Please look at the scheme below. It's pretty simple.

The RUT230 has a public WAN IP address accessible everywhere in the world. (In fact this is a dynamic IP with a DDNS name associated to it, but it doesn't matter here.) Behind the RUT230 there is a small HTTP server exposing the private IP address 192.168.1.200. On the RUT230 I have configured IPsec and L2TP services with the following settings:

Then on the PC running Windows 10 I have configured VPN connection with all default parameters. This connection works like a charm, i.e. when I double-click the VPN connection icon, enter credentials configured in RUT230 L2TP settings page and open in the browser the private IP HTTP server address 192.168.1.200 then I’m getting the server front page. Bingo, VPN works.

The problem occurs when I try to do the same with my Android phone. I configured a VPN profile with the following settings:

Please note that the "IPSEC IDENTIFIER" field is set to the same value as "My identifier" in RUT230 IPsec field. Similarly, the "IPSEC PRE-SHARED KEY" contains the same string as the “Pre-shared key" on RUT230. When I try to establish this connection, Android asks for credentials (OK), then displays the "Connecting…" message and after some time returns to "Disconnected" state without providing any further details.
I ran a packet capture on the RUT230 wwan0 interface using the tcpdump utility and did observe ISAKMP and L2TP message exchanges. So, I am sure that Android reaches the RUT230 and tries to set up the VPN connection.
Summarizing, the problem is: why am I able to establish a VPN connection from Windows 10 but not from Android? The devil is in the details and I guess that the reason is a basic mistake in the VPN settings.
Two questions to you, guys:
1. What is your experience in a case like this? How should I configure the RUT230 and Android correctly?
2. Is there any method to investigate the VPN connection setup process both on the RUT230 and on Android, for example can I see any logs?
I use the RUT230 with the latest release 1.06.1 and quite an old Android 4.4.4 (but I don't expect that the software age is an issue here).
Any hints will be greatly appreciated. Please note that I’m not stuck to IPsec/L2TP VPN only. Any other VPN models (except OpenVPN) supported both on Windows and Android suit me fine. (Please do not point me to other posts on this forum. I have browsed thoroughly all of them touching VPN subject. Unsuccessfully, so far. :( )

Cheers,
Greg

1 Answer

0 votes
answered by
Hi,

According to your screenshots and descriptions, it seems you are using the same subnet for the router LAN and for L2TP. They should be in different subnets.

A configuration example can be found here: https://wiki.teltonika.lt/view/L2TP_over_IPsec

Basically, if it works with the Windows PC, then try to use a configuration in your phone similar to the one on your PC.
Best answer
commented by

Hello,
Thank you for the info. I have updated the L2TP configuration as per your advice and now it looks like below:

You can see that the router IP and the L2TP addresses are in different networks.
Unfortunately, this didn't solve the problem. On Windows 10 this configuration does work, but on Android it doesn't.
Instead of blindly guessing what the cause is, I did the following:
1. On the RUT230 I started a packet capture with the command tcpdump -i wwan0 not port 22 -w vpn.pcap
2. Tried to establish the VPN connection on Android.
3. Terminated the packet capture on the RUT230.
4. Downloaded the pcap file to the PC and opened it in Wireshark.
5. Filtered out irrelevant packets, i.e. those outside of the RUT230 – Android IP conversation.
Below is the entire message exchange.

No. Time       Source    Destination  SrcPort DstPort Protocol Info
 1  0.000000   Android   RUT230       500     500     ISAKMP   Aggressive
 2  0.025945   RUT230    Android      500     500     ISAKMP   Informational
 6  2.210101   Android   RUT230       500     500     ISAKMP   Aggressive
 7  2.235996   RUT230    Android      500     500     ISAKMP   Informational
 8  5.834621   Android   RUT230       500     500     ISAKMP   Aggressive
 9  5.864292   RUT230    Android      500     500     ISAKMP   Informational
12  8.967370   Android   RUT230       500     500     ISAKMP   Aggressive
13  8.996031   RUT230    Android      500     500     ISAKMP   Informational
14  11.117451  Android   RUT230       500     500     ISAKMP   Aggressive
15  11.146009  RUT230    Android      500     500     ISAKMP   Informational
19  15.047368  Android   RUT230       500     500     ISAKMP   Aggressive
20  15.076041  RUT230    Android      500     500     ISAKMP   Informational
23  18.177491  Android   RUT230       500     500     ISAKMP   Aggressive
24  18.195955  RUT230    Android      500     500     ISAKMP   Informational
25  21.277863  Android   RUT230       500     500     ISAKMP   Aggressive
26  21.307832  RUT230    Android      500     500     ISAKMP   Informational
27  24.873384  Android   RUT230       500     500     ISAKMP   Aggressive
28  24.900275  RUT230    Android      500     500     ISAKMP   Informational
29  27.077345  Android   RUT230       500     500     ISAKMP   Aggressive
30  27.105968  RUT230    Android      500     500     ISAKMP   Informational
31  30.607615  Android   RUT230       58829   1701    L2TP     Control Message - SCCRQ (tunnel id=0, session id=0)
32  30.607947  Android   RUT230       58829   1701    L2TP     Control Message - StopCCN (tunnel id=0, session id=0)
33  30.608855  RUT230    Android      1701    58829   L2TP     Control Message - SCCRP (tunnel id=61080, session id=0)
34  30.747232  Android   RUT230       1701    58829   ICMP     Destination unreachable (Port unreachable)
35  31.608894  RUT230    Android      1701    58829   L2TP     Control Message - SCCRP (tunnel id=61080, session id=0)
36  31.917161  Android   RUT230       1701    58829   ICMP     Destination unreachable (Port unreachable)
37  33.610978  RUT230    Android      1701    58829   L2TP     Control Message - SCCRP (tunnel id=61080, session id=0)
38  33.768930  Android   RUT230       1701    58829   ICMP     Destination unreachable (Port unreachable)

Please look at messages #31 and #32. It seems that Android tries to establish the L2TP tunnel and immediately tears it down. Can you guess what that means?

More verbose output with complete packet dissection you can find here (this is a plain text file - don't worry :) ).

I appreciate your comments very much.

Regards,

Greg

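The capture above contains two patterns worth reading mechanically: every Aggressive Mode proposal from the phone is answered by an ISAKMP Informational message from the router and no Quick Mode ever follows (IKE phase 1 never completes, and the Informational reply is where the responder's Notification payload says why), and the L2TP control traffic that follows is visible to tcpdump in the clear because no IPsec SA exists to carry it. The following script, an added example rather than something from the original thread, parses Wireshark-style summary lines of the same shape as the table above (the embedded sample is a constructed subset of that table) and reports those findings; the client and server names are parameters, not anything the page defines.

```python
import re

# Constructed sample in the same column layout as the capture table in the thread
# (packet numbers and timestamps copied from it; this is a subset, not the full capture).
SAMPLE = """\
 1  0.000000   Android   RUT230       500     500     ISAKMP   Aggressive
 2  0.025945   RUT230    Android      500     500     ISAKMP   Informational
 6  2.210101   Android   RUT230       500     500     ISAKMP   Aggressive
 7  2.235996   RUT230    Android      500     500     ISAKMP   Informational
31  30.607615  Android   RUT230       58829   1701    L2TP     Control Message - SCCRQ (tunnel id=0, session id=0)
32  30.607947  Android   RUT230       58829   1701    L2TP     Control Message - StopCCN (tunnel id=0, session id=0)
33  30.608855  RUT230    Android      1701    58829   L2TP     Control Message - SCCRP (tunnel id=61080, session id=0)
34  30.747232  Android   RUT230       1701    58829   ICMP     Destination unreachable (Port unreachable)
"""

# No. Time Source Destination SrcPort DstPort Protocol Info
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_summary(text):
    """Turn Wireshark summary lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        no, t, src, dst, sport, dport, proto, info = m.groups()
        packets.append({"no": int(no), "time": float(t), "src": src, "dst": dst,
                        "sport": int(sport), "dport": int(dport),
                        "proto": proto, "info": info.strip()})
    return packets


def diagnose(packets, client="Android", server="RUT230"):
    """Return human-readable findings about why an L2TP/IPsec setup did not complete."""
    findings = []
    isakmp = [p for p in packets if p["proto"] == "ISAKMP"]
    aggressive = [p for p in isakmp if p["src"] == client and p["info"].startswith("Aggressive")]
    quick = [p for p in isakmp if "Quick Mode" in p["info"]]
    informational = [p for p in isakmp if p["src"] == server and p["info"].startswith("Informational")]
    if aggressive and not quick:
        findings.append(f"IKE phase 1 never completed: {len(aggressive)} Aggressive Mode "
                        f"attempts from {client}, no Quick Mode seen")
    if informational and not quick:
        findings.append(f"{server} answered proposals with {len(informational)} Informational "
                        f"messages: read their Notification payload for the rejection reason")
    l2tp = [p for p in packets if p["proto"] == "L2TP"]
    if l2tp and not quick:
        findings.append("L2TP control messages are visible in the clear: no IPsec SA protects them")
    for a, b in zip(l2tp, l2tp[1:]):
        if a["src"] == client and "SCCRQ" in a["info"] and b["src"] == client and "StopCCN" in b["info"]:
            gap_ms = (b["time"] - a["time"]) * 1000
            findings.append(f"{client} sent SCCRQ (#{a['no']}) then StopCCN (#{b['no']}) "
                            f"{gap_ms:.1f} ms later: the client aborted the tunnel itself")
    unreachable = [p for p in packets if p["proto"] == "ICMP" and "Port unreachable" in p["info"]]
    if unreachable:
        findings.append(f"{len(unreachable)} ICMP port unreachable from {client}: its L2TP "
                        f"socket was already closed when the server's SCCRP arrived")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_summary(SAMPLE)):
        print("-", finding)
```

Run it on the full table by pasting the lines into SAMPLE, or on the output of Wireshark's File > Export Packet Dissections > As Plain Text with the summary line enabled; the regex only depends on the column order shown above.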
commented by

Hi,

The settings are still incorrect:

For example, if the router LAN IP is 192.168.1.1, then:

commented by

Problem solved. For those who may need to marry an Android VPN with a Teltonika router, I have listed the necessary settings below.
On the router, create an IPsec server service with the following settings:

Make sure to leave the "My identifier" field blank. Otherwise Android will refuse to establish the IPsec connection due to an authentication failure, even if you enter the same identifier on your smartphone (really strange…).
More important is the DH group setting. Change it from the default MODP1536 to MODP1024 for both phase 1 and phase 2. Android seems not to support this kind of group.
Then create the L2TP service as below:

BTW: apparently, the local IP address does not have to be in a different subnet than the LAN IP address. In my case these two addresses are identical and this works:

On your Android, create a new VPN profile of the "L2TP/IPSec PSK" type with the following settings:

Leave the IPSEC IDENTIFIER field blank. In the IPSEC PRE-SHARED KEY field enter the same string as in the IPsec settings on your router.
When you try to connect, Android will ask you for a username and password. Enter the same credentials as you defined in the L2TP settings on the router.


You should successfully establish the connection and access private IP addresses behind the router.

If you experience problems, I recommend capturing the packets that Android exchanges with the router. To do this, log in to the router using PuTTY and enter the following command:

tcpdump -i wwan0 not port 22 -w vpn.pcap

Then try to establish the VPN connection from your smartphone. After the success/failure, press Ctrl-C in PuTTY to stop capturing packets. The vpn.pcap file should be created. Download it to your PC using WinSCP and open it in Wireshark. In the filter field enter udp to display only the ISAKMP/L2TP packets. Expand the packet dissections and you should find useful hints there, like authentication failure, unsupported parameter sets etc., that help to troubleshoot the VPN connection.

Greg
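The "expand the packet dissections" step above comes down to reading two fields of each ISAKMP message in the capture: the exchange type in the header (Aggressive, Informational, Quick Mode) and, in an Informational reply, the Notification payload's notify type, which is where a responder reports NO_PROPOSAL_CHOSEN (for example a DH group it will not accept), INVALID_ID_INFORMATION or AUTHENTICATION_FAILED. The script below is an added example, not code from the thread or from Teltonika: it builds a two-packet pcap in memory (a constructed client Aggressive Mode proposal and a constructed responder Informational reply with NO_PROPOSAL_CHOSEN, using made-up 10.0.0.x addresses) and then decodes UDP/500 packets from any classic little-endian pcap with only the standard library, so it can be pointed at a file written by the tcpdump command above.

```python
import struct

# ISAKMP (RFC 2408) code points needed to read the exchange type and notify type
EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY", 13: "VID"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED"}
PAYLOAD_NOTIFY = 11


def isakmp_message(exchange_type, payloads, icookie, rcookie=bytes(8), msg_id=0):
    """Serialise an ISAKMP header followed by a chain of (payload_type, body) payloads."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        next_ptype = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", next_ptype, 0, 4 + len(body)) + body  # generic payload header
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, exchange_type, 0, msg_id, 28 + len(chain))
    return header + chain


def notify_body(notify_type):
    """Notification payload body: DOI 1 (IPsec), protocol 1 (ISAKMP), SPI size 0, notify type."""
    return struct.pack("!IBBH", 1, 1, 0, notify_type)


def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + UDP encapsulation; checksums are left zero because nothing verifies them here."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return bytes(12) + b"\x08\x00" + ip + udp


def pcap_bytes(frames):
    """Classic little-endian pcap, link type 1 (Ethernet), one frame per second."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def decode_isakmp(msg):
    """Return the exchange type, the payload chain and the first notify type found."""
    first, exchange = msg[16], msg[18]
    info = {"exchange": EXCHANGE_TYPES.get(exchange, f"unknown({exchange})"), "payloads": [], "notify": None}
    ptype, off = first, 28
    while ptype != 0 and off + 4 <= len(msg):
        next_ptype, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4:
            break  # malformed length: stop instead of looping on the same offset
        info["payloads"].append(PAYLOAD_TYPES.get(ptype, f"type{ptype}"))
        if ptype == PAYLOAD_NOTIFY and off + 12 <= len(msg):
            ntype, = struct.unpack("!H", msg[off + 10:off + 12])  # after DOI, proto id, SPI size
            info["notify"] = NOTIFY_TYPES.get(ntype, f"notify({ntype})")
        ptype, off = next_ptype, off + plen
    return info


def isakmp_from_pcap(data):
    """Walk a pcap and decode every UDP packet to or from port 500; everything else is skipped."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    results, off = [], 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 17:
            continue  # not UDP
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        if 500 not in (sport, dport):
            continue
        src = ".".join(map(str, frame[26:30]))
        results.append({"src": src, **decode_isakmp(frame[14 + ihl + 8:])})
    return results


def explain(results):
    """One line per ISAKMP packet, in the spirit of Wireshark's expanded dissection."""
    return [f"{r['src']}: {r['exchange']} [{' '.join(r['payloads'])}]"
            + (f" -> {r['notify']}" if r["notify"] else "") for r in results]


# Constructed sample (not the poster's capture): client Aggressive Mode proposal with
# SA, KE, NONCE and ID payloads, then the responder's Informational NO_PROPOSAL_CHOSEN.
ICOOKIE = b"\x01\x02\x03\x04\x05\x06\x07\x08"
SAMPLE_PCAP = pcap_bytes([
    udp_frame("10.0.0.2", "10.0.0.1", 500, 500, isakmp_message(
        4, [(1, bytes(8)), (4, b"\x11" * 16), (10, b"\x22" * 16), (5, b"\x11\x00\x00\x00")], ICOOKIE)),
    udp_frame("10.0.0.1", "10.0.0.2", 500, 500, isakmp_message(
        5, [(11, notify_body(14))], ICOOKIE, rcookie=b"\xaa" * 8)),
])

if __name__ == "__main__":
    for line in explain(isakmp_from_pcap(SAMPLE_PCAP)):
        print(line)
```

To use it on a real file, read vpn.pcap into bytes and pass it to isakmp_from_pcap; the decoder only looks at unencrypted IKEv1 messages, so a notify type in the router's Informational reply is exactly the hint to compare against the proposal, identifier and pre-shared-key settings listed above.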