GrapheneOS VPN problem with IPSec identifier

ohhWazzka

Good afternoon!

Can you tell me if anyone has had the same problem? I want to connect to an IKEv2 IPSec VPN that I set up on Mikrotik through the standard Android client, but I can't save the configuration unless I enter the IPSec Identifier.

To be honest, I don't know how to configure it in Mikrotik, and I don't need it, since absolutely all other Windows devices or other Samsung Android phones connect and work fine without entering the IPSec Identifier.

The IKEv2 IPSec VPN on Mikrotik itself is configured for the eap radius authentication method.

schweizer

I have the same problem. I use Surfshark as the VPN provider. The error message is "not successful". According to the setup guide for iOS the Identifier is the same as the server name. But I also tried a random number, same result.

I hope you have the certificate installed and selected under IPsec-CA-certificate?
In "IPSec Server certificate" I chose "received from server". But also a S/MIME certificate I have does not work.

The purpose is to keep the number of apps installed low and thus not to install the recommended VPN app.

BTW I do not think this is related to the Pixel 7 solely. I have the Pixel 6.

pboon

I'm using Surshark and it works for me when entering my username as IPSec identifier. Server cert is set to "received from server".

schweizer

Confirmed! Thank you @pboon

DeletedUser115

Anyone was able to successfully connect to ProtonVPN or IVPN using the built-in IPSec / IKEv2 client?

876fi

DeletedUser115

Yep, however with some issues, technically unusable in my case, hence I switched back to wg, please see the link below. Nevertheless, I do not know if that is really IVPN related, it would be interesting to hear from somebody using ProtonVPN. I was considering to spin up my own IPsec server and set up iptables with TCP MSS clamping enforced for testing.

https://discuss.grapheneos.org/d/12550-built-in-ipsec-tunnel-networking-quirks

DeletedUser115

876fi Very interesting, thanks for posting. I should try IVPN.

Was also thinking of running my own IKEv2 server with StrongSwan which would then route the traffic to Mullvad. Ideally would like to avoid that so I don't have to maintain another server.