Android Phone to RUT956 IKEv2/IPSEC PSK VPN Not Connecting

I have been unable to establish an IKEv2 IPSEC VPN connection from an Android 13 phone to a RUT956. The system log on the RUT956 is below. Please advise what setting(s) may be wrong.
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[NET] received packet: from yyy.yyy.yyy.yyy[13670] to xxx.xxx.xxx.xxx[500] (652 bytes)
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[IKE] yyy.yyy.yyy.yyy is initiating an IKE_SA
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[IKE] remote host is behind NAT
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[IKE] DH group MODP_2048_256 unacceptable, requesting MODP_2048
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[NET] sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[13670] (38 bytes)
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[NET] received packet: from yyy.yyy.yyy.yyy[13670] to xxx.xxx.xxx.xxx[500] (652 bytes)
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[IKE] yyy.yyy.yyy.yyy is initiating an IKE_SA
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[IKE] remote host is behind NAT
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[IKE] DH group MODP_2048_256 unacceptable, requesting MODP_2048
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[NET] sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[13670] (38 bytes)

Hello

Welcome to the Teltonika Community :smiley:

Regarding your query, at first glance it appears that the Diffie-Hellman (DH) key exchange is involved in the problem. The log shows that although the DH group MODP_2048_256 is unacceptable, your system is requesting MODP_2048, and the remote host (yyy.yyy.yyy.yyy) is initiating an IKE_SA.

The following are some items you can examine and modify:

DH Group Settings: Ensure that the RUT956 and Android 13 phone are set up for the IKE phase with the same DH group. The RUT956 appears to favor MODP_2048, so make sure it’s using the correct DH group by checking the Android 13 VPN settings.

IPsec Proposal Configuration: Verify that the IPsec proposal configurations on both ends correspond. Make sure that these settings are the same on both devices as the logs indicate that AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048 is the selected proposal.

Check for Typos: Double-check all the settings, including IP addresses, pre-shared keys, and any other configuration parameters for typos or discrepancies.

After making these adjustments, try establishing the IKEv2 IPsec VPN connection again and monitor the system logs for any changes or additional error messages. If the issue persists, there might be a need to further analyze the VPN configurations on both the Android 13 phone and the RUT956.

Please revert to us in case the issue persists.

Thanks
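As an added example (not part of the original posts and not Teltonika or strongSwan code), the following Python script reads charon log lines in the format posted above and flags a peer that keeps sending the same rejected KE group after the router's INVAL_KE reply. The sample log is constructed with documentation IP addresses, and all function and variable names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same charon syslog format as the log in this thread;
# 198.51.100.7 and 203.0.113.1 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[NET] received packet: from 198.51.100.7[13670] to 203.0.113.1[500] (652 bytes)
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[IKE] DH group MODP_2048_256 unacceptable, requesting MODP_2048
Tue Jan 9 15:51:25 2024 daemon.info ipsec: 08[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[NET] received packet: from 198.51.100.7[13670] to 203.0.113.1[500] (652 bytes)
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[IKE] DH group MODP_2048_256 unacceptable, requesting MODP_2048
Tue Jan 9 15:51:26 2024 daemon.info ipsec: 09[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
"""

LINE = re.compile(r"ipsec: (\d+)\[(NET|CFG|IKE|ENC)\] (.*)")
PEER = re.compile(r"received packet: from (\S+?)\[\d+\]")
KE = re.compile(r"DH group (\S+) unacceptable, requesting (\S+)")

def analyse(log):
    """Return {peer: {"rejections": [(offered, requested, selected)], "stuck": bool}}."""
    peers = defaultdict(lambda: {"rejections": [], "stuck": False})
    ctx = {}  # worker thread id -> peer and proposal of the packet it is handling
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        tid, facility, msg = m.groups()
        if facility == "NET" and (p := PEER.match(msg)):
            ctx[tid] = {"peer": p.group(1), "selected": None}
        elif facility == "CFG" and msg.startswith("selected proposal: IKE:") and tid in ctx:
            ctx[tid]["selected"] = msg.rsplit("/", 1)[-1].strip()
        elif facility == "IKE" and (k := KE.match(msg)) and tid in ctx:
            peer, selected = ctx[tid]["peer"], ctx[tid]["selected"]
            rej = peers[peer]["rejections"]
            rej.append((k.group(1), k.group(2), selected))
            # After INVAL_KE the initiator should retry with the requested group;
            # two identical rejections in a row mean it repeated the same KE payload.
            if len(rej) >= 2 and rej[-1][:2] == rej[-2][:2]:
                peers[peer]["stuck"] = True
    return dict(peers)

if __name__ == "__main__":
    for peer, info in analyse(SAMPLE_LOG).items():
        print(peer, "stuck on same KE group:", info["stuck"], info["rejections"])
```

When the selected proposal's DH group equals the requested group, as in the sample, the two sides do share a proposal and only the group used in the KE payload differs.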

Thank you for your reply. I am using the built-in VPN configuration on the Android phone and, as far as I can see, there is no way to see or change the DH Group Settings or the IPSec Proposal Configuration on the phone.

I have tried the strongSwan App but this doesn’t have PSK as an option, so I tried setting it up using certificates and this didn’t seem to work either.

I have also tried OpenVPN. Although the RUT956 configured as server says it’s active, connections to it from the Android phone fail, with no error log details at all in the troubleshoot file on the RUT956. The log file on the OpenVPN app says a TCP connection was established but it fails to create a VPN tunnel. It reports TLS Error: TLS handshake failed.

Any suggestions on how to create a working VPN connection to the RUT956 from an Android phone using the built-in configuration or an App would be greatly appreciated.

Many thanks,

Ian

The best way to deal with this would be to compare the built-in settings for the IPsec VPN on the phone with the configuration running on the router. For example, the log shows that although the DH group MODP_2048_256 is unacceptable, your system is requesting MODP_2048.

Try setting up

Also try referring to this link and let us know if it is helpful, or if the issue persists, please update us:
https://wiki.teltonika-networks.com/view/Setting_up_an_IPsec_tunnel_between_RUT_and_Android_phone
