Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 3 replies
  • Answers 1 answer
  • Subscribers 4 subscribers
  • Views 9095 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't use VPN on Android Device

ArticediTor

I have a Samsung Galaxy S7 running Android 6.0.1 and a Sophos UTM device with firmware version 9.404-5 (holding off on updates because I was bit by the MTU "feature"). I have almost literally tried every combination of IPsec, L2TP, and PPTP configuration that exists on the phone and firewall and cannot get any of them to work. PPTP was my last resort due to what I've heard about it and I can't even get that to connect. For troubleshooting I turned on debugging and disabled every form of protection on the UTM and started allowing all traffic in through the firewall from my phone's IP and out from internal network to my phone -- which was not on wifi. 

I used to have the Galaxy S6 and was able to use IPsec without issue but the S7's VPN settings are far more limited and I can't figure out a combination of settings that will work.

The phone's VPN settings allow for:

  • IPSec IKEv2 RSA
  • IPSec IKEv2 PSK
  • IPSec Xauth RSA
  • IPSec Xauth PSK
  • IPSec Hybrid RSA
  • L2TP/IPSec RSA
  • L2TP/IPSec PSK

The only configurable options on the phone are server ip, user cert, CA cert, server cert, PFS (yes/no), PSK, IPSec identifier,  L2TP Secret, username, and password.

Unlike the S6 I cannot change the IKE encryption algorithm, IKE authentication algorithm, IKE SA lifetime, etc.

Any suggestions? 



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    if you are using a policy with SHA2, this could be a truncating problem.

    There are two different ways the SHA2 hashes are truncated for L2TP / IPSec RemoteAccess VPN by various manufacturers. One way is the official RFC defined way to handle SHA2 and the other one is the GOOGLE way. In the GOOGLE way a truncation after 96 bits is happening.

    If you have connections problems with a mobile device, Check the knowledge base article https://community.sophos.com/kb/en-us/125796 to get further information. Other customers have been able to solve their problem by adapting the policy ("SHA2 256" or "SHA 256 96bit" or by using the command line option.

    We are working on a solution to support both ways at the same.

    Greetings

    Holger

  • 0 in reply to HolgerLehn

    Thanks for the info. I tried this and still cannot connect. I've tried everything I can think of, used each Android preset for VPN, allowed everything through the firewall, etc. Still have not been able to use the VPN. I cannot find a working combination of settings between the UTM and Android phone.

  • 0 in reply to ArticediTor

    Just a question... why don't you use openVPN on the phone? Works like a charm on my phone, tab, 2nd phone...

    Viele Grüße / Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-

Reply Children
No Data
Unfiltered HTML