DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

IKEv2 Dial-in VPN from Android

More
06 Feb 2022 17:58 #1 by gsb1
IKEv2 Dial-in VPN from Android was created by gsb1
Hi,

I have a 2860ac running the current latest firmware (3.9.1_BT).

I have VPN access configured on the router to allow me to "dial-in" from my Android 12 device (primarily to view my IP cameras remotely).

On the phone side I have an L2TP/IPSec connection configured in native Android settings and also SSL (via the Draytek Smart VPN App). Both work just fine with one time password setup also.

However Android 12 now tells me L2TP/IPSec is insecure and I should use IKEv2.

I have configured DrayDNS succesfully along with a Let's Encrypt Certificate. However I cannot see options for a suitable IKEv2 connection within native Android 12. Is this possible? Or do I need a VPN client app client like Stongswan? At this point I have hit a wall as I am not sure on what I need to do to configure the IKEv2 VPN on the phone (tried a few native VPN connection settings and the Strongswan client, but no joy).

Any help appreciated, thanks.

Please Log in or Create an account to join the conversation.

More
07 Feb 2022 11:28 #2 by gsb1
Replied by gsb1 on topic Re: IKEv2 Dial-in VPN from Android
I have a working IKEv2 solution that establishes with this conection type "IKEv2 IPsec Tunnel AES-SHA256 Auth".

I think the Let's Encrypt certificate is SSL only, so that was not working for me.

SO I essentially followed this KB:
https://www.draytek.com/support/knowledge-base/5272

The essence of the steps is to create a CA cert, then a local cert and sign it.

The use the downloaded CA cert on the Android device. This has to be installed via Settings.

However I dont think Android (v12 at time of writing) supports this type of IKEv2 connection. So I used strongSwan VPN Client (which is free) and created a "IKEv2 EAP (Username/Password)" connection. I unticked Select Automatically for the CA and chose from imported Root CA from under the "User" section (remember you have to have already imported via Android settings).

I hope this helps someone else.

Please Log in or Create an account to join the conversation.

More
04 Jun 2022 17:24 #3 by gsb1
Replied by gsb1 on topic Re: IKEv2 Dial-in VPN from Android
I caught up with a router firmware update and then later wondered why my IKEv2 dial-in VPN was not working. It seems the firmware update had caused the "Certificate for dial-in" under IKE Authentication Method settings to revert to a different (wrong) cert. I changed this back and all good.

Just noting for the record.

Please Log in or Create an account to join the conversation.