GlobalProtect Using Pre-Shared Secret Authentication and Android OS
Resolution
Issue
The GlobalProtect Gateway is configured to use Pre-Shared Secret Authentication, as described on page 8 of GlobalProtect Configuration for the IPSec Client on Android Devices; however, devices running Android version 4.1.2 and earlier are not able to connect.
The Group Name in the GlobalProtect Gateway configuration is in an FQDN format.
Symptoms
Devices running Apple's iOS can connect to the VPN. An Android device hangs while connecting, and the connection eventually fails.
Entries in ikemgr.log look like the ones below:
2013-01-22 18:49:02 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.41.24[500], ID fqdn:salvo.ssl.com.
2013-01-22 18:49:05 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.41.24[500], ID fqdn:salvo.ssl.com.
2013-01-22 18:49:08 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.41.24[500], ID fqdn:salvo.ssl.com.
Root Cause
When the Group Name (this corresponds to the IPSec identifier field on the Android VPN configuration page) is configured in an FQDN-like format, Android sets the tunnel endpoint ID type to ID_FQDN.
The GlobalProtect Gateway expects the tunnel endpoint ID type to be ID_KEY_ID, so it cannot find a matching phase-1 configuration for the ID_FQDN proposal and logs the PROTO_ERR above. iOS always uses type ID_KEY_ID, which is why iOS devices connect with the same gateway configuration.
Details from a packet capture of a failing connection using Android (capture screenshot).
Details from a packet capture of a successful connection using iOS, with the same GlobalProtect Gateway configuration as above (capture screenshot).
Details from a successful connection using Android after the Group Name was changed to a value that is not FQDN-like; Android now uses the ID type the GlobalProtect Gateway expects (capture screenshot).
Resolution
Change the Group Name to a value that is not FQDN-like, e.g. MYSSLVPN, and set the same value in the IPSec identifier field of the Android VPN configuration.
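The following is an added example, not Palo Alto Networks or Android code. It makes the root cause and the fix concrete: a pre-commit check that flags an FQDN-like Group Name, an encoder/decoder for the ISAKMP Identification payload (RFC 2408 section 3.8, ID types from RFC 2407) so you can see the ID_FQDN versus ID_KEY_ID difference a packet capture would show, and a small parser that pulls the "Couldn't find configuration for IKE phase-1 request" errors out of ikemgr.log and groups them by peer and ID. The rule used to predict Android's ID type (dotted hostname-looking identifier becomes ID_FQDN, anything else ID_KEY_ID) is an assumption modelled on the behaviour this article describes, not Android source; the log lines are constructed in the format quoted above.

```python
"""Check a GlobalProtect Gateway Group Name for the ID_FQDN pitfall and
spot the resulting phase-1 failures in ikemgr.log.

Added example; not Palo Alto Networks or Android code.  The Android
heuristic is an assumption based on the behaviour described in this article.
"""
import re
import struct
from collections import Counter
from typing import Dict, List, Optional, Tuple

# ISAKMP/IPsec DOI Identification types (RFC 2407 section 4.6.2.1).
ID_FQDN = 2
ID_KEY_ID = 11
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
                 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

# Assumption modelled on this article: a dotted, hostname-looking identifier
# is sent by Android as ID_FQDN; anything else (e.g. MYSSLVPN) as ID_KEY_ID.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
FQDN_LIKE_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def is_fqdn_like(group_name: str) -> bool:
    """True if the identifier would be treated as a fully qualified domain name."""
    return len(group_name) <= 253 and bool(FQDN_LIKE_RE.match(group_name))


def android_id_type_for(group_name: str) -> int:
    """ID type Android is assumed to put in its phase-1 Identification payload."""
    return ID_FQDN if is_fqdn_like(group_name) else ID_KEY_ID


def check_group_name(group_name: str) -> Tuple[bool, str]:
    """Pre-commit check: reject Group Names the gateway will not match from Android."""
    if is_fqdn_like(group_name):
        return False, (f"'{group_name}' is FQDN-like; Android will send it as ID_FQDN "
                       "but the GlobalProtect Gateway expects ID_KEY_ID. "
                       "Use a plain label such as MYSSLVPN.")
    return True, f"'{group_name}' will be sent as ID_KEY_ID"


def build_id_payload(identifier: str, id_type: int, next_payload: int = 0) -> bytes:
    """Encode an ISAKMP Identification payload (RFC 2408 section 3.8):
    generic header (next payload, reserved, length) + ID type, protocol ID,
    port, then the identification data."""
    data = identifier.encode("ascii")
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + data


def parse_id_payload(payload: bytes) -> Tuple[str, str]:
    """Decode (ID type name, identification data) from an Identification payload."""
    if len(payload) < 8:
        raise ValueError("truncated Identification payload")
    _next, _rsv, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError(f"payload length field {length} != {len(payload)} bytes")
    return ID_TYPE_NAMES.get(id_type, f"UNKNOWN({id_type})"), payload[8:].decode("ascii")


# Constructed ikemgr.log lines in the format quoted in this article (not a real capture).
SAMPLE_IKEMGR_LOG = """\
2013-01-22 18:49:02 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.41.24[500], ID fqdn:salvo.ssl.com.
2013-01-22 18:49:05 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.41.24[500], ID fqdn:salvo.ssl.com.
2013-01-22 18:49:08 [PROTO_ERR]: Couldn't find configuration for IKE phase-1 request for peer IP 192.168.41.24[500], ID fqdn:salvo.ssl.com.
2013-01-22 18:50:11 [INFO]: some unrelated line
"""

IKEMGR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\]: "
    r"Couldn't find configuration for IKE phase-1 request for peer IP "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\[(?P<port>\d+)\], "
    r"ID (?P<idtype>\w+):(?P<ident>\S+?)\.?$")


def parse_ikemgr_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a phase-1 'no configuration' error, or None."""
    m = IKEMGR_RE.match(line.strip())
    return m.groupdict() if m else None


def find_fqdn_id_failures(log_text: str) -> List[Dict[str, object]]:
    """Group phase-1 'no configuration' errors whose peer sent an fqdn ID."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_ikemgr_line(line)
        if rec and rec["idtype"].lower() == "fqdn":
            counts[(rec["peer"], rec["ident"])] += 1
    return [{"peer": p, "id": i, "count": n} for (p, i), n in sorted(counts.items())]


if __name__ == "__main__":
    for name in ("salvo.ssl.com", "MYSSLVPN"):
        print(check_group_name(name)[1])
        print(parse_id_payload(build_id_payload(name, android_id_type_for(name))))
    for hit in find_fqdn_id_failures(SAMPLE_IKEMGR_LOG):
        print(f"{hit['peer']} sent ID_FQDN '{hit['id']}' {hit['count']} times: "
              "change the gateway Group Name to a non-FQDN value")
```

Run it as-is to see the two Identification payloads decoded side by side and the grouped log hits; point find_fqdn_id_failures at a real ikemgr.log to confirm that every failing peer is sending an fqdn ID before changing the Group Name.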
owner: sberti