1.- The customer wants to connect mobile devices to the VPN.
2.- The customer enabled the L2TP over IPSec option; some devices connect successfully, but others do not.
3.- Android devices running versions 6.0 and 7.0 cannot connect to the VPN using L2TP over IPSec.
Only devices with Android 5.0 and earlier versions can connect to the VPN. Versions 6.0 and 7.0 are not able to connect.
SHA1 is recommended for IPSec authentication when mobile employees use Android 6 or 7 devices to establish an L2TP over IPSec tunnel with the FW.
Android 6 and 7 implement the SHA2-256 algorithm based on the RFC draft, which differs from the algorithm defined by the RFC. If the SHA2-256 algorithm is used to establish IPSec tunnels, the two parties cannot communicate properly.
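The mismatch described above can be reproduced offline. The following is an added example, not part of the original case notes or of any vendor code. It assumes the well-known difference between the draft and the RFC: the draft truncates the HMAC-SHA-256 integrity check value (ICV) to 96 bits, while RFC 4868 truncates it to 128 bits. All function names, the key and the packet bytes are constructed for illustration.

```python
import hashlib
import hmac

# Truncation lengths come from the published specs, not from this page:
# the pre-RFC draft cut HMAC-SHA-256 to 96 bits, RFC 4868 cuts it to 128 bits.
DRAFT_ICV_LEN = 12
RFC_ICV_LEN = 16
SHA1_ICV_LEN = 12  # HMAC-SHA1-96: one truncation length, so both sides agree

# Constructed sample data: an ESP authentication key and the authenticated
# part of one ESP packet (SPI, sequence number, encrypted payload).
AUTH_KEY = bytes(range(32))
ESP_BODY = bytes.fromhex("c0ffee01" "00000001") + b"constructed-encrypted-payload"


def icv(key: bytes, data: bytes, icv_len: int, digest: str = "sha256") -> bytes:
    """Truncated HMAC used as the ESP integrity check value."""
    return hmac.new(key, data, digest).digest()[:icv_len]


def send(key: bytes, body: bytes, icv_len: int, digest: str = "sha256") -> bytes:
    """Sender side: append the truncated ICV to the ESP body."""
    return body + icv(key, body, icv_len, digest)


def receive(key: bytes, packet: bytes, icv_len: int, digest: str = "sha256") -> bool:
    """Receiver side: split off icv_len trailing bytes and verify them."""
    if len(packet) <= icv_len:
        return False
    body, tag = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv(key, body, icv_len, digest), tag)


def interop_matrix() -> dict:
    """Verification result of one packet for each sender -> receiver pairing."""
    k, b, k1 = AUTH_KEY, ESP_BODY, AUTH_KEY[:20]
    return {
        "sha2-256 draft -> draft": receive(k, send(k, b, DRAFT_ICV_LEN), DRAFT_ICV_LEN),
        "sha2-256 draft -> RFC": receive(k, send(k, b, DRAFT_ICV_LEN), RFC_ICV_LEN),
        "sha2-256 RFC -> draft": receive(k, send(k, b, RFC_ICV_LEN), DRAFT_ICV_LEN),
        "sha1 -> sha1": receive(k1, send(k1, b, SHA1_ICV_LEN, "sha1"), SHA1_ICV_LEN, "sha1"),
    }


if __name__ == "__main__":
    for pairing, ok in interop_matrix().items():
        print(f"{pairing:26} {'ICV ok' if ok else 'ICV check fails, packet dropped'}")
```

Negotiation still succeeds because both sides agree on the name SHA2-256, but every data packet fails the integrity check in both directions, which matches the symptom of a tunnel that cannot pass traffic.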
1.- Verify that the ike negotiate compatible option is disabled in the IKE peer configuration, as shown in the following script.
ike peer ike1151195437
 ike negotiate compatible ===> undo ike negotiate compatible
2.- Verify that the IPSec proposal uses SHA1 as the ESP authentication algorithm; Android 6.0 and 7.0 support only this algorithm. Use the following steps to change this option.
ipsec proposal prop1151195437
 esp authentication-algorithm sha2-256 ===> esp authentication-algorithm sha1