Technical Tip: Dail_up Native VPN (L2TP) is no longer supported in Android 13 and above android version (2024)

As a workaround to establish a VPN between an Android device and the FortiGate firewall, it is possible to configure a custom dail-up VPN with IKev2.

This solution is feasible where end users do not want to connect to VPN via the Forticlient application installed in their Android device.

To configure a VPN connection with the Ikev2-PSK method in the FortiGate firewall, follow the steps below:

Go toVPN -> IPsec Tunnels -> Create New -> IPsec Tunnel -> Select Template type as 'Custom', give a name to the VPN connection,and select Next.

1. 

   See Also

   L2TP Setup Guide for Android | PrivateVPN Help CenterL2TP over IPsecAndroid 13 deleted L2TP VPN standard, sending me to the hellConfigure and Use L2TP on Windows 10

1

2

3

4

Create a policy and route accordingly to allow traffic from the Andriod-VPN tunnel interface to the LAN interface.

1

CLI configuration.

Dail-UP ikev2 Cli config:

config vpn ipsec phase1-interface
edit "Android-VPN"
set type dynamic
set interface "wan1"
set ike-version 2
set local-gw 1.1.1.1
set peertype any
set net-device disable
set mode-cfg enable
set ipv4-dns-server1 8.8.8.8
set proposal aes128-sha256 aes192-sha384 aes256-sha512 aes128gcm-prfsha256 aes256gcm-prfsha512
set dhgrp 16 15 14
set ipv4-start-ip 192.168.140.1
set ipv4-end-ip 192.168.140.254
set ipv4-netmask 255.255.254.0
set ipv4-split-include "Test_local_subnet_1"
set psksecret ENC

FuEutStPeywrTFqw/8qo1XBl2fpJ9B8Ww5E+AibYu5i7k5mNZgM2jZwiwXNbL+DPJ1O/4UvNHIrwkRabgmad5gSuxo/KQIGU5ABGuhdo74A==
set dpd-retryinterval 60
next
end

config vpn ipsec phase2-interface
edit "Android-VPN"
set phase1name "Android-VPN"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set pfs disable
next
end

config firewall policy
edit 13
set name "Android -VPN"
set uuid de0f1e18-2148-51ee-f79f-5a640f7b4b50
set srcintf "Android-VPN"
set dstintf "port3"
set action accept
set srcaddr "all"
set dstaddr "Test_local_subnet_1"
set schedule "always"
set service "ALL"
set nat enable
next
end

Android Configuration:

1

2

Note:

1. If any peer-id in the ikev2 config (FortiGate firewall) is specified, then use the same id in the 'IPsec Identifier' Field.
2. If no peer id is configured on the FortiGate firewall, then type any dummy value or name. without any valuein the 'IPsec Identifier' Field, it is not possible to save the VPN config in an Android phone.