<![CDATA[Able to connect to IKEv2 IPSec from Windows but not from Android - Going insane, what am I doing wrong?]]>PFSense IPSec log: https://pastebin.com/kFSY4tas
strongSwan log on Android: https://pastebin.com/jwUxHhYS

I'm not sure whats wrong with my config and I why I am unable to connect, but I'm about 6 hours deep into this today alone and I'm going absolutely nuts. Instant fail, auth related error. Please assist.

]]>https://forum.netgate.com/topic/139018/able-to-connect-to-ikev2-ipsec-from-windows-but-not-from-android-going-insane-what-am-i-doing-wrongRSS for NodeFri, 13 Mar 2026 05:13:27 GMTMon, 24 Dec 2018 16:46:46 GMT60<![CDATA[Reply to Able to connect to IKEv2 IPSec from Windows but not from Android - Going insane, what am I doing wrong? on Tue, 25 Dec 2018 07:17:26 GMT]]>@matt4542 Hey
https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec.html
https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
Show Phase 1 IPSEC PFSense settings
And Strongswan Android settings
Pay attention to the selected text
You don't have that in your logs.

Dec 25 09:06:44 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Dec 25 09:06:44 00[DMN] Starting IKE service (strongSwan 5.7.1, Android 8.0.0 - ANE-LX1 8.0.0.162(C432)/2018-10-01, ANE-LX1 - HUAWEI/ANE-LX1/HUAWEI, Linux 4.4.23+, aarch64)
Dec 25 09:06:44 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Dec 25 09:06:44 00[JOB] spawning 16 worker threads
Dec 25 09:06:44 04[CFG] loaded user certificate 'C=ES, O=XXX, CN=sony_xperia.XXXXX' and private key
Dec 25 09:06:45 04[IKE] initiating IKE_SA android[1] to 94.177.XXX.XXX
Dec 25 09:06:45 04[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 25 09:06:45 04[NET] sending packet: from 192.168.1.42[42086] to XXXX.XXXX[500] (716 bytes)
Dec 25 09:06:45 09[NET] received packet: from 94.177.XXX.XXX[500] to 192.168.1.42[42086] (38 bytes)
Dec 25 09:06:45 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 25 09:06:45 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 25 09:06:45 09[IKE] initiating IKE_SA android[1] to 94.177.XXXX
Dec 25 09:06:45 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 25 09:06:45 09[NET] sending packet: from 192.168.1.42[42086] to 94.177.XXX[500] (908 bytes)
Dec 25 09:06:45 10[NET] received packet: from 94.177.XXX[500] to 192.168.1.42[42086] (489 bytes)
Dec 25 09:06:45 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Dec 25 09:06:45 10[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 25 09:06:45 10[IKE] local host is behind NAT, sending keep alives
Dec 25 09:06:45 10[IKE] received cert request for "C=ES, O=XXX, CN=XXX"
Dec 25 09:06:45 10[IKE] sending cert request for "C=ES, O=XXX, CN=XXXX"
Dec 25 09:06:45 10[IKE] establishing CHILD_SA android{1}

]]>https://forum.netgate.com/post/813238https://forum.netgate.com/post/813238Tue, 25 Dec 2018 07:17:26 GMT