DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2862 Android 14 VPN connects and immediately disconnects

08 Jan 2025 11:59 #104420 by pcbbc
Set up IKEv2 VPN according to this guide...
https://www.draytek.com/support/knowledge-base/11300

From the syslog it appears as though the connection is made, but then immediately disconnects again...
Code:
 2025-01-08 11:34:17     IKE_RELEASE VPN : Remote Dial-in User, Profile index = 2, Name = XXXXXXX, ifno=10
 2025-01-08 11:34:17     IKE_RELEASE VPN : Remote Dial-in User, Profile index = 2, Name = XXXXXXX, ifno=10
 2025-01-08 11:34:17     Delete exist flowstate of VPN ifno: 10 ....
 2025-01-08 11:34:17     [H2L][DOWN][IPsec][@2:XXXXXXX from 82.132.220.52](total time connected : 0 hours 0 minutes 0 seconds)
 2025-01-08 11:34:17     [DHCP] Vigor DHCP server has recycled an IP [MAC: 00-00-00-00-00-0a, IP: 192.168.2.101]
 2025-01-08 11:34:17     ## IKEv2 DBG : Release IP address 192.168.2.101
 2025-01-08 11:34:17     ## IKEv2 DBG : IKE SA #5:STATE_IKESA_R is going to be deleted, delete its CHILD SA #6:STATE_CHILDSA_R
 2025-01-08 11:34:17     ## IKEv2 DBG : INFORMATIONAL : Receive IKEv2 Delete IKE SA request from 82.132.220.52, deleting #5
 2025-01-08 11:34:17     ## IKEv2 DBG : Process Packet : #6 CHILD SA Established, CHILD SA is Responder, EXPIRE after 3600 seconds
 2025-01-08 11:34:17     ## IKEv2 DBG : Process Packet : #5 IKE SA Established, IKE SA is Responder, EXPIRE after 28800 seconds
 2025-01-08 11:34:17     [H2L][UP][IPsec][@2:XXXXXXX from 82.132.220.52]
 2025-01-08 11:34:17     ## IKEv2 DBG : Parse IKEv2_NP_v2CP payload : Out CP attr IKEv2_INTERNAL_IP4_DNS Secondary DNS 192.168.2.1
 2025-01-08 11:34:17     ## IKEv2 DBG : Parse IKEv2_NP_v2CP payload : Out CP attr IKEv2_INTERNAL_IP4_DNS Primary DNS 192.168.2.1
 2025-01-08 11:34:17     ## IKEv2 DBG : Assign IP address 192.168.2.101
 2025-01-08 11:34:17     [DHCP] Vigor DHCP server has given out an IP [MAC: 00-00-00-00-00-0a, IP: 192.168.2.101]
 2025-01-08 11:34:17     ## IKEv2 DBG : Parse IKEv2_NP_v2CP payload : ifno 10 Match profile 2, assign IP address form LAN
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI2_outR2 : Receive Configuration Payload
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI2_outR2 : Create Child SA #6, IKE SA is #5
 2025-01-08 11:34:17     ## IKEv2 DBG : H2L PSK for Peer ID [XXXXXXX] ... Found
 2025-01-08 11:34:17     ## IKEv2 DBG : L2L PSK for Peer ID [XXXXXXX] ... Not found
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI2_outR2 : Receive IKEv2 Notify IKEv2_MOBIKE_SUPPORTED[16396]
 2025-01-08 11:34:17     ## IKEv2 DBG : H2L PSK for Peer ID [XXXXXXX] ... Found
 2025-01-08 11:34:17     ## IKEv2 DBG : L2L PSK for Peer ID [XXXXXXX] ... Not found
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify IKEv2_MOBIKE_SUPPORTED[16396]
 2025-01-08 11:34:17     ## IKEv2 DBG : Recv IKEv2_AUTH[35] Request msgid 1 from 82.132.220.52, Peer is IKEv2 Initiator
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Responding IKE SA to 82.132.220.52
 2025-01-08 11:34:17     ## IKEv2 DBG : frag_v2n : enable IKEv2_EXT_FRAGMENTATION[16430]
 2025-01-08 11:34:17     ## IKEv2 DBG : NAT_T Lookup : Peer is behind NAT
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Create IKE SA #5
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify (null)[16431]
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify IKEv2N_FRAGMENTATION_SUPPORTED[16430]
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
 2025-01-08 11:34:17     ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request msgid 0 from 82.132.220.52, Peer is IKEv2 Initiator
 2025-01-08 11:34:17     ## IKEv2 DBG : IKE SA Process IKEv2_SA_INIT : Failed
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Send Group 14
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA IKESA Notify KE : Group 14
 2025-01-08 11:34:17     ## IKEv2 DBG : Invalid KE payload in proposal
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Responding IKE SA to 82.132.220.52
 2025-01-08 11:34:17     ## IKEv2 DBG : frag_v2n : enable IKEv2_EXT_FRAGMENTATION[16430]
 2025-01-08 11:34:17     ## IKEv2 DBG : NAT_T Lookup : Peer is behind NAT
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Can't find Group 16
 2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Create IKE SA #4
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify (null)[16431]
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify IKEv2N_FRAGMENTATION_SUPPORTED[16430]
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
 2025-01-08 11:34:17     ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
 2025-01-08 11:34:17     ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request msgid 0 from 82.132.220.52, Peer is IKEv2 Initiator

Clues anyone?

Please Log in or Create an account to join the conversation.
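Reading the first syslog dump in time order, as an added example that is not part of the original posts: the sketch assumes the router's view lists the newest entry first (every entry carries the same timestamp, so line order is the only ordering available) and runs on an excerpt of the lines quoted above. The function and event names are hypothetical.

```python
import re

# Excerpt of the syslog lines quoted in the first post, kept in their posted order.
LOG = """\
2025-01-08 11:34:17     [H2L][DOWN][IPsec][@2:XXXXXXX from 82.132.220.52](total time connected : 0 hours 0 minutes 0 seconds)
2025-01-08 11:34:17     ## IKEv2 DBG : INFORMATIONAL : Receive IKEv2 Delete IKE SA request from 82.132.220.52, deleting #5
2025-01-08 11:34:17     [H2L][UP][IPsec][@2:XXXXXXX from 82.132.220.52]
2025-01-08 11:34:17     ## IKEv2 DBG : Recv IKEv2_AUTH[35] Request msgid 1 from 82.132.220.52, Peer is IKEv2 Initiator
2025-01-08 11:34:17     ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request msgid 0 from 82.132.220.52, Peer is IKEv2 Initiator
2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Send Group 14
2025-01-08 11:34:17     ## IKEv2 DBG : Invalid KE payload in proposal
2025-01-08 11:34:17     ## IKEv2 DBG : IKESA inI1_outR1 : Can't find Group 16
2025-01-08 11:34:17     ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request msgid 0 from 82.132.220.52, Peer is IKEv2 Initiator
"""

# Hypothetical event names mapped to message patterns seen in that log.
EVENTS = [
    ("sa_init", re.compile(r"Recv IKEv2_SA_INIT\[34\] Request")),
    ("group_rejected", re.compile(r"Can't find Group (\d+)")),
    ("group_offered", re.compile(r"Send Group (\d+)")),
    ("auth", re.compile(r"Recv IKEv2_AUTH\[35\] Request")),
    ("tunnel_up", re.compile(r"\[H2L\]\[UP\]")),
    ("peer_delete", re.compile(r"Receive IKEv2 Delete IKE SA request from ([\d.]+)")),
    ("tunnel_down", re.compile(r"\[H2L\]\[DOWN\]")),
]

def timeline(log):
    """Return [(event, detail)] oldest first, assuming the dump is newest first."""
    events = []
    for line in reversed(log.strip().splitlines()):
        message = line.split(None, 2)[2]  # drop the date and time columns
        for name, pattern in EVENTS:
            match = pattern.search(message)
            if match:
                events.append((name, match.group(1) if pattern.groups else ""))
                break
    return events

def diagnose(events):
    """Summarise the DH group retry, whether the tunnel came up, and who closed it."""
    names = [name for name, _ in events]
    detail = dict(events)
    up = names.index("tunnel_up") if "tunnel_up" in names else None
    closed_by_peer = up is not None and "peer_delete" in names[up:]
    return {
        "dh_retry": (detail.get("group_rejected"), detail.get("group_offered")),
        "tunnel_came_up": up is not None,
        "closed_by": detail["peer_delete"] if closed_by_peer else None,
    }
```

On this excerpt `diagnose(timeline(LOG))` reports a key-exchange retry from group 16 to group 14, a tunnel that did come up, and a teardown that followed a Delete request received from the peer address.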

08 Jan 2025 12:30 - 08 Jan 2025 12:54 #104421 by pcbbc
Interestingly, setting the phone as a hotspot and then creating a VPN connection using a connected iPad, the VPN works.

Code:
 2025-01-08 12:12:45     WAN1 PPPoE ==> Protocol:LCP(c021) EchoRep Identifier:0x15 Magic Number: 0x0 00 00 ##
 2025-01-08 12:12:45     WAN1 PPPoE <== Protocol:LCP(c021) EchoReq Identifier:0x15 Magic Number: 0x245f fc 85 ##
 2025-01-08 12:12:45     Local User (MAC=11-00-17-D6-00-00): 192.168.2.101:58568 -> 17.57.146.11:5223 (TCP)
 2025-01-08 12:12:45     Local User (MAC=11-00-17-D6-00-00): 192.168.2.101:50427 -> 17.250.83.195:443 (UDP)
 2025-01-08 12:12:44     Local User (MAC=11-00-17-D6-00-00): 192.168.2.101 DNS -> 212.159.6.9 inquire 41-courier.push.apple.com
 2025-01-08 12:12:44     Local User (MAC=11-00-17-D6-00-00): 192.168.2.101 DNS -> 192.168.2.1 inquire 41-courier.push.apple.com
 2025-01-08 12:12:44     Local User (MAC=11-00-17-D6-00-00): 192.168.2.101 DNS -> 212.159.6.9 inquire mask.icloud.com
 2025-01-08 12:12:44     Local User (MAC=11-00-17-D6-00-00): 192.168.2.101 DNS -> 192.168.2.1 inquire mask.icloud.com
 2025-01-08 12:12:44     #14 IPsec SA established. H2L[2] dial-in from 82.132.222.161
 2025-01-08 12:12:44     IPsec SA #14 will be replaced after 2963 seconds
 2025-01-08 12:12:44     [H2L][UP][IPsec][@2:XXXXXXX from 82.132.222.161]
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x741036f3
 2025-01-08 12:12:44     IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x741036f3
 2025-01-08 12:12:44     Responding to Quick Mode from 82.132.222.161
 2025-01-08 12:12:44     Accept ESP proposal ENCR ESP_AES, HASH AUTH_ALGORITHM_HMAC_SHA1
 2025-01-08 12:12:44     Find ESP proposal: SHA2_256
 2025-01-08 12:12:44     [IPSEC/IKE][Local][2:XXXXXXX][@82.132.222.161] quick_inI1_outR1: match network
 2025-01-08 12:12:44     Receive client L2L remote network setting is 0.0.0.0/0
 2025-01-08 12:12:44     #14 Sync ISAKMP SA #13 connection
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x741036f3
 2025-01-08 12:12:44     #13 sent MR3, ISAKMP SA established. H2L[2] dial-in from 82.132.222.161
 2025-01-08 12:12:44     ## XAuth DBG : XAuth done, change state to STATE_MAIN_R3
 2025-01-08 12:12:44     ## XAuth DBG : Secondary DNS 192.168.2.1
 2025-01-08 12:12:44     ## XAuth DBG : Primary DNS 192.168.2.1
 2025-01-08 12:12:44     ## XAuth DBG : Assign IP address 192.168.2.101
 2025-01-08 12:12:44     [DHCP] Vigor DHCP server has given out an IP [MAC: 00-00-00-00-00-0a, IP: 192.168.2.101]
 2025-01-08 12:12:44     ## XAuth DBG : Parse Modecfg_inI1_outR1 payload : ifno 10 Match profile 2, assign IP address form LAN
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x6, Message ID = 0x12716aae
 2025-01-08 12:12:44     ## XAuth DBG : Recv ISAKMP_XCHG_MODE_CFG
 2025-01-08 12:12:44     #13 sent MR3, ISAKMP SA established. H2L[2] dial-in from 82.132.222.161
 2025-01-08 12:12:44     ## XAuth DBG : XAuth done, change state to STATE_MAIN_R3
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x6, Message ID = 0x9ef141ff
 2025-01-08 12:12:44     ## XAuth DBG : Recv ISAKMP_XCHG_MODE_CFG
 2025-01-08 12:12:44     ## XAuth DBG : Authentication Successful
 2025-01-08 12:12:44     ## XAuth DBG : Verify Username/Password : XXXXXXX/****** ifno = 10 index = 2
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x6, Message ID = 0xd3ccacdc
 2025-01-08 12:12:44     ## XAuth DBG : Recv ISAKMP_XCHG_MODE_CFG
 2025-01-08 12:12:44     ## XAuth DBG : #13 INITIAL_CONTACT, send ISAKMP_CFG_REQUEST Username/Password
 2025-01-08 12:12:44     #13 sent MR3, ISAKMP SA established. Dynamic client dial-in from 82.132.222.161
 2025-01-08 12:12:44     IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
 2025-01-08 12:12:44     IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
 2025-01-08 12:12:44     Matching General Setup key for dynamic ip client...
 2025-01-08 12:12:44     NAT-Traversal: Using RFC 3947, peer is NATed
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
 2025-01-08 12:12:44     IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
 2025-01-08 12:12:44     Accept Phase1 proposals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
 2025-01-08 12:12:44     Matching General Setup key for dynamic ip client...
 2025-01-08 12:12:44     Find Phase1 proposal: SHA2_256
 2025-01-08 12:12:44     Matching General Setup key for dynamic ip client...
 2025-01-08 12:12:44     Responding to Main Mode from 82.132.222.161
 2025-01-08 12:12:44     IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0


iPad seems to be using IKE and not IKEv2 though? Unfortunately no option to use IKE over IKEv2 on Android.

So either...
  • Something wrong with my IKEv2 setup on the Vigor
  • IKEv2 somehow broken on Android and/or Vigor

Edit: Latest firmware 3.9.9.8_BT
Last edit: 08 Jan 2025 12:54 by pcbbc. Reason: Added firmware version

08 Jan 2025 19:07 #104424 by HodgesanDY
Hi pcbbc ,

I had a similar problem recently with a 2962, which was down to the ‘Idle timeout’ being set too high, like 6 digits too high! This had been caused by a configuration migration and for some reason every ‘Remote Dial-in’ user’s profile had this same 6 digit timeout period set. Changing the setting back to 0 or -1 solved it.

Worth a quick check…

08 Jan 2025 19:41 #104426 by pcbbc
Thanks.
Checked, and idle timeout for the Remote Dial In User is 300 seconds (5 minutes).
Plus same user connecting to VPN from iPad doesn’t have an issue of immediately getting booted off.
But I will certainly have a play and see if it helps.


Moderators: Chris