Android 14 VPN IPsec RUTX50 not working

I tried the whole day to establish a connection from an Android phone to the RUTX50.
I used this description from wiki: Setting up an IPsec tunnel between RUT and Android phone

But it always comes up with the error:
Fri Dec 1 18:15:21 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|11> unable to resolve %any, initiate aborted

Maybe this helps:

root@RUTX50:~# cat /var/ipsec/ipsec.conf
# generated by /etc/init.d/ipsec
version 2

conn MS-MS_c
  left=%any
  right=%any
  leftsourceip=10.0.1.0
  leftfirewall=yes
  rightfirewall=no
  ikelifetime=3h
  lifetime=3h
  margintime=9m
  keyingtries=3
  dpdaction=none
  dpddelay=30s
  dpdtimeout=90s
  leftauth=psk
  rightauth=psk
  rightsourceip=10.0.2.0/24
  auto=start
  leftsubnet=0.0.0.0/0
  leftid=192.168.2.1
  aggressive=no
  forceencaps=no
  type=tunnel
  keyexchange=ikev2
  esp=aes256-sha256-modp1024
  ike=aes256-sha256-modp2048

Kind regards, Martin
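A small lint for the conn block above, as an added example that is not from this thread or from Teltonika's wiki: it parses the posted ipsec.conf and flags the settings charon itself complains about later in the thread (auto=start against right=%any, which produces the "unable to resolve %any" lines on a responder that should use auto=add, and a leftsourceip that is ignored next to rightsourceip), plus the 1024-bit DH group in the esp proposal. SAMPLE_CONF is a constructed copy of the posted block; the finding texts are my own wording.

```python
"""Lint a strongSwan ipsec.conf 'conn' block for a road-warrior responder.
Added example (not from the thread or Teltonika). SAMPLE_CONF is a constructed
copy of the conn block posted above; the finding texts are my own wording."""
import re

# Constructed sample: the conn block from the RUTX50 post above (trimmed).
SAMPLE_CONF = """\
conn MS-MS_c
  left=%any
  right=%any
  leftsourceip=10.0.1.0
  rightsourceip=10.0.2.0/24
  auto=start
  leftsubnet=0.0.0.0/0
  leftid=192.168.2.1
  keyexchange=ikev2
  esp=aes256-sha256-modp1024
  ike=aes256-sha256-modp2048
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            k, v = line.strip().split("=", 1)
            current[k.strip()] = v.strip()
    return conns

def lint_responder(conn):
    """Findings for a conn meant to accept roaming peers (right=%any)."""
    findings = []
    if conn.get("right") == "%any" and conn.get("auto") == "start":
        findings.append("auto=start with right=%any: charon keeps trying to initiate "
                        "to an unresolvable peer ('unable to resolve %any'); use auto=add")
    if "leftsourceip" in conn and "rightsourceip" in conn:
        findings.append("both leftsourceip and rightsourceip set: IKE negotiates one "
                        "virtual IP only, so leftsourceip is ignored")
    for key in ("ike", "esp"):
        if "modp1024" in conn.get(key, ""):
            findings.append(f"{key}: modp1024 is a 1024-bit DH group; use modp2048 or stronger")
    return findings
```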

Hello,

Does your RUTX50 have a public IP address? What are the first two octets (numbers) on your mobile interface? (mob1s1a1 interface in Network → WAN).

Also, are there any other IPSec logs? If not, it is likely that your Android phone is not trying to connect (or cannot reach your RUTX50).

Kind Regards,

Hi AndzejJ,

thank you very much for your reply.

Yes, the RUTX50 has a public IP, starting with 37. PORT FORWARDS has the rule ‘Exclude-IPsec-from-NAT’ and I’ve two other tools which can access my local net from outside, so this part is working.

It seems that the error message ‘Fri Dec 1 18:15:21 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|11> unable to resolve %any, initiate aborted’ is created for each try to access my local net with VPN, so it seems that the Android 14 phone can access the VPN entry point but then is rejected.
Maybe this setting is the point because it says %any but I don’t know how to change it.
conn MS-MS_c
left=%any
right=%any

I’m relatively new to RUTX50 so how can I activate IPSec logging?

Thanks.
Kind regards, Martin

Hello,

The error message is likely related to the fact that your device acts as the server, and since there is no remote IP, you get this error message. The service, however, should work and this error is not an issue. Perhaps you can share more logs from the IPSec logs that are available from the WebUI?

Also, you can access the device via CLI/SSH (username ‘root’) and execute the following command to check IPSec status:

ipsec statusall

Also, could you please share your IPSec configuration from your Android phone?

Please, before sharing any information on a public forum here, make sure you hide any sensitive information that may appear in the logs or configurations, such as public IP addresses, passwords, etc.

Kind Regards,

Hi,

see here:

root@RUTX50:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.2, Linux 5.10.188, armv7l):
  uptime: 2 days, since Dec 01 18:10:20 2023
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Virtual IP pools (size/online/offline):
  10.0.2.0/24: 254/0/0
Listening IP addresses:
  192.168.2.1
  fd7f:...
  37....
Connections:
     MS-MS_c:  %any...%any  IKEv2
     MS-MS_c:   local:  [192.168.2.1] uses pre-shared key authentication
     MS-MS_c:   remote: uses pre-shared key authentication
     MS-MS_c:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

I attached my Android config as a picture.

Thank you.
Kind regards, Martin

Hello,

Please, remove leftid (local identifier) and leftsourceip. Also, add DNS server (for example, 8.8.8.8).

If the issue persists, try connecting from your Android and then execute the following command on the router to view logs:

logread | grep ipsec

Share the logs here. Before sharing the logs, make sure to hide any sensitive information that may appear in the logs, such as public IP addresses.

Kind Regards,

Hi,

first of all, thanks to all for trying to help. I removed the local identifier (left source ip) and added the remote DNS server.

It’s still not working.

Here’s the log.

Tue Dec  5 13:07:50 2023 daemon.info ipsec: 14[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:07:50 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|10974> unable to resolve %any, initiate aborted
Tue Dec  5 13:08:20 2023 daemon.info ipsec: 10[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:08:20 2023 daemon.info ipsec: 10[IKE] <MS-MS_c|10975> unable to resolve %any, initiate aborted
Tue Dec  5 13:08:50 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:08:50 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|10976> unable to resolve %any, initiate aborted
Tue Dec  5 13:09:20 2023 daemon.info ipsec: 14[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:09:20 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|10977> unable to resolve %any, initiate aborted
Tue Dec  5 13:09:50 2023 daemon.info ipsec: 08[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:09:50 2023 daemon.info ipsec: 08[IKE] <MS-MS_c|10978> unable to resolve %any, initiate aborted
Tue Dec  5 13:10:20 2023 daemon.info ipsec: 03[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:10:20 2023 daemon.info ipsec: 03[IKE] <MS-MS_c|10979> unable to resolve %any, initiate aborted
Tue Dec  5 13:10:51 2023 daemon.info ipsec: 11[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:10:51 2023 daemon.info ipsec: 11[IKE] <MS-MS_c|10980> unable to resolve %any, initiate aborted
Tue Dec  5 13:11:21 2023 daemon.info ipsec: 08[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:11:21 2023 daemon.info ipsec: 08[IKE] <MS-MS_c|10981> unable to resolve %any, initiate aborted
Tue Dec  5 13:11:51 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:11:51 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|10982> unable to resolve %any, initiate aborted
Tue Dec  5 13:12:21 2023 daemon.info ipsec: 14[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:12:21 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|10983> unable to resolve %any, initiate aborted
Tue Dec  5 13:12:36 2023 kern.notice kernel: ipsec configuration has been changed
Tue Dec  5 13:12:36 2023 kern.notice kernel: ipsec configuration has been changed
Tue Dec  5 13:12:37 2023 daemon.info ipsec: 00[DMN] SIGINT received, shutting down
Tue Dec  5 13:12:37 2023 authpriv.info ipsec_starter[1559]: charon stopped after 200 ms
Tue Dec  5 13:12:37 2023 authpriv.info ipsec_starter[1559]: ipsec starter stopped
Tue Dec  5 13:12:38 2023 authpriv.info ipsec_starter[28270]: Starting strongSwan 5.9.2 IPsec [starter]...
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.2, Linux 5.10.188, armv7l)
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG] loading secrets from '/var/ipsec/ipsec.secrets'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[CFG]   loaded IKE secret for %any
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[LIB] loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp pem openssl gmp xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[JOB] spawning 16 worker threads
Tue Dec  5 13:12:38 2023 authpriv.info ipsec_starter[28270]: charon (28272) started after 80 ms
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 04[CFG] received stroke: add connection 'MS-MS_c'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 04[CFG] adding virtual IP address pool 10.0.2.0/24
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 04[CFG] 'MS-MS_c' has both left- and rightsourceip, but IKE can negotiate one virtual IP only, ignoring local virtual IP
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 04[CFG] added configuration 'MS-MS_c'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 05[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 05[IKE] <MS-MS_c|1> unable to resolve %any, initiate aborted
Tue Dec  5 13:13:08 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:13:08 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|2> unable to resolve %any, initiate aborted
Tue Dec  5 13:13:38 2023 daemon.info ipsec: 04[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:13:38 2023 daemon.info ipsec: 04[IKE] <MS-MS_c|3> unable to resolve %any, initiate aborted
root@RUTX50:~#

I skipped a lot of messages at the front because they are the same as the first visible log entries.

Edit: added pictures of the config.

Kind regards, Martin

Hello,

I would suggest removing local source IP as well from the WebUI.

However, the issue appears to be that the phone doesn’t even attempt to connect.

Are the default IPSec firewall rules enabled?

Please verify that you have entered the correct IP address on your Android phone.

Do you get an error on your phone? If so, what error do you get?

Kind Regards,

Hi,

removing local source IP doesn’t help.

All IPSec Traffic Rules are on.

The phone just tries to connect without ending the try or giving an error.

If I open the DynDNS name on the phone with Chrome I get an ‘AVGC Login’ page.
So accessing the local net from the phone should work. Also my 2 other tools can access my local server with the port forwardings from outside from the phone.


Kind regards, Martin

Hello,

Could you try entering the IP address instead of a DDNS name?

Also, are you connecting to the router over 4G or through WiFi?

Kind Regards,

Hi,

I tried the IP but this changed nothing. I’m using 5G but switched for testing to 4G, but this is also working.

I’ll try an old tablet to see if this works.

Kind regards, Martin

Hi,

The tablet can’t connect either.

Tue Dec  5 14:25:46 2023 daemon.info ipsec: 13[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 14:25:46 2023 daemon.info ipsec: 13[IKE] <MS-MS_c|92> unable to resolve %any, initiate aborted

How do I remove these 2 error messages? Maybe this is the key?

Kind regards, Martin

Hello,

These messages are normal and are not the cause of these issues. It simply says that the IPSec will not try to connect to a remote IPSec server. Since your router acts as a server, this is irrelevant (you are waiting for a connection, not initiating it). The issue can potentially be related to your firewall. Whenever you configure the IPSec, the rules should be automatically created. Thus, the first thing that I would suggest is to go over all firewall rules - traffic rules, port forwarding, SNAT, and ensure that all IPSec rules are enabled. In case this does not help, then this might indicate that some of the configurations are corrupted. Thus, the suggestion here would be to reset the device to factory defaults and then reconfigure it.

If you are unable to connect even then with these settings, then the issue is somewhere else and the phone simply does not reach the router.

Kind Regards,

1 Like
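To make the point of the reply above checkable, here is a small triage of `logread | grep ipsec` output, as an added example that is not from the thread or from Teltonika: it counts the harmless self-initiate noise (the "received stroke: initiate" / "unable to resolve %any" pairs) separately from evidence that a peer actually reached the router, which in the posted log is entirely absent. LOG_NO_PEER is built from the lines posted above; LOG_WITH_PEER adds constructed inbound lines in strongSwan's default log format with a documentation-range placeholder address.

```python
"""Triage 'logread | grep ipsec' output from a strongSwan responder.
Added example, not from the thread or Teltonika. Separates self-initiate
noise (auto=start + right=%any) from evidence of a real inbound IKE attempt;
the inbound line formats are assumed to be strongSwan's defaults."""
import re
from collections import Counter

# Constructed sample, taken from the lines posted above (no inbound traffic).
LOG_NO_PEER = """\
Tue Dec  5 13:07:50 2023 daemon.info ipsec: 14[CFG] received stroke: initiate 'MS-MS_c'
Tue Dec  5 13:07:50 2023 daemon.info ipsec: 14[IKE] <MS-MS_c|10974> unable to resolve %any, initiate aborted
Tue Dec  5 13:12:37 2023 daemon.info ipsec: 00[DMN] SIGINT received, shutting down
Tue Dec  5 13:12:38 2023 daemon.info ipsec: 00[JOB] spawning 16 worker threads
"""
# Constructed sample of what a real inbound IKEv2 attempt looks like (placeholder addresses).
LOG_WITH_PEER = LOG_NO_PEER + """\
Tue Dec  5 13:14:01 2023 daemon.info ipsec: 07[NET] received packet: from 203.0.113.7[500] to 192.0.2.1[500] (604 bytes)
Tue Dec  5 13:14:01 2023 daemon.info ipsec: 07[IKE] 203.0.113.7 is initiating an IKE_SA
"""

PATTERNS = {
    "self_initiate_noise": re.compile(r"received stroke: initiate|unable to resolve %any"),
    "daemon_restart": re.compile(r"SIGINT received|spawning \d+ worker threads"),
    "inbound_ike": re.compile(r"\[NET\] received packet: from|is initiating an IKE_SA"),
    "auth_failure": re.compile(r"AUTHENTICATION_FAILED|no shared key found|tried \d+ shared keys"),
}

def triage(log_text):
    """Classify each line, collect peer addresses, and return a verdict."""
    counts = Counter()
    peers = set()
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            if rx.search(line):
                counts[name] += 1
        m = re.search(r"(\d+\.\d+\.\d+\.\d+) is initiating an IKE_SA", line)
        if m:
            peers.add(m.group(1))
    if counts["inbound_ike"] == 0:
        verdict = "no inbound IKE traffic: peer never reached UDP 500/4500 (check address, firewall, NAT)"
    elif counts["auth_failure"]:
        verdict = "peer reaches router but authentication fails (check PSK and identities)"
    else:
        verdict = "peer reaches router; continue with IKE/CHILD_SA negotiation logs"
    return {"counts": dict(counts), "peers": sorted(peers), "verdict": verdict}
```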

Hi,

it should be activated by default.

But don’t try to use IPsec with Android 14. It is not working.

Kind regards, Martin.

Thanks. As I wrote in my opening post, I used a step-by-step doc issued by Teltonika, so this should work. But it doesn’t.

Kind regards, Martin

This topic was automatically closed after 15 days. New replies are no longer allowed.