3

I want to test my mobile app on Android 13 with a test backend located in a private network. Therefore I need to access this network via a VPN tunnel.

Since L2TP/PPTP VPN connections are not supported on Android 13 anymore, I am wondering how to set up a secure VPN connection between a Mikrotik router and an Android 13 device using the native client, which has only these options:

  1. IKEv2/IPSec MSCHAPv2
  2. IKEv2/IPSec PSK
  3. IKEv2/IPSec RSA

I was unable to find any solution for this problem so far...

Robotnik
  • 2,645
Bart
  • 357

3 Answers

2

Finally I've found a working solution, however not with L2TP or PPTP.

Here you'll find how to set up new IKEv2 VPN tunnels to your Mikrotik router.

This solution is not trivial, so you need to be ready to invest some time, and be ready to experiment, and to tweak some settings for your own Android 13 device to work.

The first step is to follow and complete the setup as provided here:

https://mikrotikon.pl/vpn-ikev2-na-routerze-mikrotik-dla-systemow-windows-i-android/

It is in Polish, but you can easily translate it into any other language with the help of Google Translate.

I can confirm this solution is working with some additional tweaks/notes:

  1. On your Android 13 device, choose the VPN client type (IKEv2/IPSec RSA) and provide the data, in particular the imported certificates. You cannot save the configuration without providing an IPSec Identifier; any string will work here, but you also need to make the change in point 2.
  2. On your Mikrotik router, go to IPsec -> Identities, open the created identity and set "Remote ID Type" to ignore.
  3. A deep understanding of your network infrastructure is needed, meaning you need to know what kind of "Dst. Address" you should put in the recently created policy in IPsec -> Policies.
  4. Remember that your firewall rules might be blocking these VPN requests, so be ready to fix them also.
Bart
  • 357
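
For point 4 of the answer above, a sketch of RouterOS firewall rules that let IKEv2 through and limit what VPN clients can reach, followed by commands to check the tunnel. This is an added example, not taken from the answer or the linked guide; [VPN_POOL_SUBNET] and [TEST_BACKEND_SUBNET] are placeholders to fill in, and the rule comments are made up for illustration:

```routeros
# Added example: placeholders in [BRACKETS] must be replaced before use.
/ip firewall filter
# IKE negotiation (UDP 500) and NAT traversal (UDP 4500) to the router itself
add chain=input action=accept protocol=udp dst-port=500,4500 comment="ike2: IKE and NAT-T"
# ESP packets, used when no NAT sits between phone and router
add chain=input action=accept protocol=ipsec-esp comment="ike2: ESP"
# Forward only traffic that arrived through IPsec, from the VPN pool,
# and only towards the test backend rather than the whole private network
add chain=forward action=accept ipsec-policy=in,ipsec src-address=[VPN_POOL_SUBNET] dst-address=[TEST_BACKEND_SUBNET] comment="ike2: clients to test backend"

# After connecting from the phone, confirm the tunnel is up:
/ip ipsec active-peers print
/ip ipsec installed-sa print
# If the connection fails, look at the IPsec log entries:
/log print where topics~"ipsec"
```

Rules added this way are appended to the end of each chain, so move them above any final drop rule or they will never match.
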
0

I had the same problem till today, and I've got a pretty workaround for your problem.

I had to connect to a VPN, which uses the PPTP protocol, on my Android device (Android 13) to test an app.

The solution is that you don't connect your phone to the VPN directly; rather, you enable a hotspot on a laptop (in my case), which can establish the VPN connection (it can use PPTP or other protocols you need), and use that connection from your Android device through Wi-Fi.

The link below shows how to set up a hotspot which enables VPN sharing:

https://protonvpn.com/blog/share-vpn-connection

0

Here is a working configuration of an IPsec IKEv2/PSK VPN which works WITHOUT CERTIFICATES etc.:

Notes:

  1. This configuration is NOT touching the "default" profile, "default" identity etc. So it should work in parallel with other VPN types, for instance in parallel with an L2TP/IPsec VPN, which creates a dynamic identity/peer and cannot use anything other than default. So this configuration is glued together by a group named "ike2-group".

  2. Android still flags this VPN as "insecure"; however, I did not dig deeper, I just wanted to "make it work" because L2TP was removed. And I could not really play with certificates etc., and it is supposed to work in parallel with existing VPN configurations.

  3. You need to alter the scripts below a bit, by filling in the [TEXT IN BRACKETS] with your names/passwords etc.

  4. You need to create an address pool for the VPN connections first, and give the pool's name as [ADDRESS_POOL] below.

  5. [FULL_DOMAIN_NAME_OF_ROUTER] is the DNS name under which the router will be available (like www.google.com).

  6. [SECRET] is your pre-shared key.

  7. IMPORTANT!!!! In Android you have to enter these VPN settings:

     "name" whatever you like.
     "type" is "IKEv2/IPSec PSK"
     "Server address" the same as in [FULL_DOMAIN_NAME_OF_ROUTER]
     "IPsec identifier" the same as in [FULL_DOMAIN_NAME_OF_ROUTER]
     "Pre shared key" the same as in [SECRET]

     Especially please note the "IPSec identifier".

  8. Maybe the proposal could be simplified. I kept adding everything until it started to work.

Here is the configuration code:

Here is the configuration code:

# 2024-06-16 21:14:19 by RouterOS 7.13.2
# model = RB3011UiAS
/ip ipsec policy group
add name=ike2-group
/ip ipsec mode-config
add address-pool=[ADDRESS_POOL] name=ike2-config
/ip ipsec profile
add dh-group=ecp256,ecp384,ecp521,modp8192,modp6144,modp4096,modp3072,modp2048 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha512 name=ike2-profile proposal-check=claim
/ip ipsec peer
add exchange-mode=ike2 name=ike2-peer passive=yes profile=ike2-profile
/ip ipsec proposal
add auth-algorithms=sha512,sha256 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm name=ike2-proposal pfs-group=\
    modp4096
/ip ipsec identity
# the pre-shared key is set on the identity, not on the peer (RouterOS 6.44 and later)
add comment="identity to be used in ikev2" generate-policy=port-strict mode-config=ike2-config my-id=fqdn:[FULL_DOMAIN_NAME_OF_ROUTER] \
    peer=ike2-peer policy-template-group=ike2-group secret=[SECRET]
/ip ipsec policy
add comment="policy to be used in ike2-identity and ike2-policy" dst-address=0.0.0.0/0 group=ike2-group proposal=ike2-proposal src-address=0.0.0.0/0 template=yes
Damago
  • 1