L2TP over IPSEC android version 6.0 & 7.0

Publication Date: 2017-10-16
Issue Description

1.- The customer wants to connect mobile devices to the VPN.

2.- The customer enabled the L2TP over IPSec option; some devices connect successfully but others do not.

3.- Android devices running version 6.0 or 7.0 cannot connect to the VPN using L2TP over IPSec.

Handling Process

Only devices running Android 5.0 and earlier versions can connect to the VPN. Devices running versions 6.0 and 7.0 cannot connect.

Solution

SHA1 is recommended for IPSec authentication when mobile employees use Android 6 or 7 devices to establish an L2TP over IPSec tunnel with the FW.

Android 6 and 7 implement the SHA2-256 algorithm based on the RFC draft, which differs from the algorithm defined by the RFC. If the SHA2-256 algorithm is used to establish IPSec tunnels, the two parties cannot communicate properly.
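Why the tunnel fails with SHA2-256 but works with SHA1, shown as an added example that is not part of the original case or any vendor code. It assumes the draft/RFC difference is the ICV truncation length (96 bits in the draft, 128 bits in RFC 4868), a detail this page does not state; the key, SPI and payload are constructed.

```python
import hmac

KEY = bytes(range(32))  # constructed integrity key, shared by both peers

RFC4868_ICV_LEN = 16  # HMAC-SHA-256-128: ICV truncated to 128 bits
DRAFT_ICV_LEN = 12    # assumed draft behaviour: ICV truncated to 96 bits
SHA1_ICV_LEN = 12     # HMAC-SHA-1-96: both sides agree on 96 bits


def icv(digest, truncate_to, data):
    """HMAC over the ESP header and payload, truncated to the ICV length."""
    return hmac.new(KEY, data, digest).digest()[:truncate_to]


def esp_send(digest, icv_len, spi, seq, payload):
    """Simplified ESP packet: SPI | sequence number | payload | ICV.
    Payload encryption is left out; it does not affect the integrity check."""
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return body + icv(digest, icv_len, body)


def esp_receive(digest, icv_len, packet):
    """Strip the ICV using the receiver's own length, then verify it."""
    if len(packet) < 8 + icv_len:
        return False
    body, received = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(received, icv(digest, icv_len, body))


def tunnel_passes_traffic(digest, sender_icv_len, receiver_icv_len):
    """True if a packet built by the sender passes the receiver's check."""
    packet = esp_send(digest, sender_icv_len, 0x1001, 1, b"constructed L2TP frame")
    return esp_receive(digest, receiver_icv_len, packet)


if __name__ == "__main__":
    cases = [
        ("sha256", DRAFT_ICV_LEN, RFC4868_ICV_LEN, "Android 6/7 -> FW, sha2-256"),
        ("sha256", RFC4868_ICV_LEN, DRAFT_ICV_LEN, "FW -> Android 6/7, sha2-256"),
        ("sha1", SHA1_ICV_LEN, SHA1_ICV_LEN, "either direction, sha1"),
    ]
    for digest, tx, rx, label in cases:
        ok = tunnel_passes_traffic(digest, tx, rx)
        print(f"{label}: {'accepted' if ok else 'dropped (ICV mismatch)'}")
```

Under this assumption the IKE and IPSec negotiation can still complete, because both peers agree on the algorithm name; only the per-packet integrity check fails, which matches a tunnel that establishes but passes no traffic.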


1.- Check whether the IKE configuration has the ike negotiate compatible option disabled. See the following configuration; the arrow marks the change to make.

#
ike peer ike1151195437
 exchange-mode auto
 pre-shared-key %$%$d[{&J_}mA=YW_}E)[<SV_~6-%$%$
 ike negotiate compatible   ===> undo ike negotiate compatible
 ike-proposal 2
 remote-id-type none


2.- Check whether the IPSec proposal uses SHA1 as the ESP authentication algorithm. Android 6.0 and 7.0 support only this algorithm. Change the option as shown in the following configuration.

#
ipsec proposal prop1151195437
 encapsulation-mode auto
 esp authentication-algorithm sha2-256   ===> esp authentication-algorithm sha1
#
