Netgate Discussion Forum

    IPsec with Android Problems

    • Trel

      Has anyone gotten IPsec to work with the latest release of pfSense and Android 4.4?

      I followed the tutorial in the Wiki, but I can never connect.

      It looks like it starts to work, but then

      
      Apr 17 13:38:29 	racoon: ERROR: phase1 negotiation failed due to time up. 3e92ef9c45b7d058:c4e9a0229b25ce71
      Apr 17 13:37:54 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
      Apr 17 13:37:51 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
      Apr 17 13:37:48 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
      Apr 17 13:37:45 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
      Apr 17 13:37:42 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by X.X.X.X[500] (1).
      
      

      (newest at top)

      Anyone have any idea what I could do here?

      • sofakng

        I've tried many, many times and can't get IPsec to work with my Android phone. (Nexus 5 running KitKat 4.4)

        I'm able to connect to the VPN, but traffic never flows through and nothing else works. However, the same configuration works with my iPad or iPhone perfectly.

        • jimp Rebel Alliance Developer Netgate

          I don't have anything running 4.4 yet to test. Due for a new phone in a week, I should have one then. Or I may get brave and install CM11 on my current phone since it's due to be replaced in a few days anyhow.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • Trel

            Ok, if/when you get a chance to check,
            this is the tutorial I'm following, and I'm using AOKP 4.4 on a Nexus 5 so VPN should be stock.

            https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

            • jimp Rebel Alliance Developer Netgate

              My new Moto X came in today, running Android 4.4.2, connected right up as always to mobile IPsec, could ping OK, no problems here using the settings from the wiki.

              • Trel

                
                May 5 13:19:59 	racoon: ERROR: phase1 negotiation failed due to time up. ad238a0d2161838c:144b26fc7492d836
                May 5 13:19:24 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
                May 5 13:19:21 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
                May 5 13:19:18 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
                May 5 13:19:15 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
                May 5 13:19:12 	racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by <remote ip>[500] (1).
                May 5 13:19:09 	racoon: INFO: Adding xauth VID payload.
                May 5 13:19:09 	racoon: [Self]: [<local ip>] INFO: Hashing <local ip>[500] with algo #2 (NAT-T forced)
                May 5 13:19:09 	racoon: [<remote ip>] INFO: Hashing <remote ip>[500] with algo #2 (NAT-T forced)
                May 5 13:19:09 	racoon: INFO: Adding remote and local NAT-D payloads.
                May 5 13:19:09 	racoon: [<remote ip>] INFO: Selected NAT-T version: RFC 3947
                May 5 13:19:09 	racoon: INFO: received Vendor ID: DPD
                May 5 13:19:09 	racoon: INFO: received Vendor ID: CISCO-UNITY
                May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
                May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
                May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                May 5 13:19:09 	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
                May 5 13:19:09 	racoon: INFO: received Vendor ID: RFC 3947
                May 5 13:19:09 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                May 5 13:19:09 	racoon: INFO: begin Aggressive mode.
                May 5 13:19:09 	racoon: [Self]: INFO: respond new phase 1 negotiation: <local ip>[500]<=><remote ip>[500]
                

                That's what I'm getting.

                My settings on Android 4.4 are
                Name: Test VPN
                Type: IPSec Xauth PSK
                Server Address: <firewall wan ip>
                IPSec identifier: vpnuser@example.com  <--- changed to a different address
                IPSec pre-shared key: <my psk>
                DNS Search domains: <blank>
                DNS Servers: <blank>
                Forwarding Routes <blank>

                And then the above is what happens in my logs on pfsense when I try to connect.

                • jimp Rebel Alliance Developer Netgate

                  Well it's a bit odd now. I had connected on Friday with my Moto X (Android 4.4.2, Kernel version 3.4.42) but then I put CM11 on my Droid Razr and it would not connect (Android 4.4.2, Kernel 3.0.8).

                  Today, I can't connect with the Moto X or the Razr. I don't get the same error as you, though. It successfully builds the VPN but then won't pass traffic and then DPD kills the P1 saying it appears to be dead. Might need some extra nudging one way or another yet. Reset racoon, rebooted the phones, etc. Same behavior all around now.

                  • Trel

                    Anything I could try?

                    I have never been able to get a successful ipsec connection, but openVPN is working.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.