Native VPN client on android phone

I recently upgraded my PA 5050 to 7.1.9. Before that, users could connect to the VPN via the native VPN client on their Android phones, and today I got a call saying one user no longer could and it was failing on the encryption. Any ideas?

28 replies

@jdprovine

I'm really interested in the OS, just because with Windows 10 I was not able to configure it. And the reason, after a little troubleshooting, was that Palo Alto does not support strong enough ciphers for Windows 10.

@vsys_remo

So far I have tried it only on Windows 8. I know you cannot configure the native client on Windows 10 to work with the PA VPN; I am also going to test on a Mac. I was also able to connect with the Cisco VPN client and no longer can.

Would the TLS version have anything to do with it?

I don't think so, because the native iOS / Android VPN clients do not connect with an SSL VPN tunnel. They use a plain IPsec VPN connection.

So could it be an encryption issue, something with ISAKMP?

Could be... Do you maybe have something in the system logs from when the clients tried to connect? Or, if you don't know the connection times: are there other messages which weren't there when a client tried to connect before the upgrade?

I do not have anything for the Cisco client pre-upgrade, but I do for GlobalProtect. The big difference seems to be the protocol: GP uses TLS and TCP, where the Cisco client uses ISAKMP. GP looks like it is using a web-browser-type connection and the Cisco client, as you said, a straight IPsec tunnel.

The other issue is that even before the upgrade the Mac version of GlobalProtect has never worked; that is why people are using the native client.

Same here. Not able to connect with the native iPhone VPN client to the GP gateway. I am not passing the P1. P1 is OK but failing on the P2. Doing a debug of the connection but still no joy:

2017-06-16 10:48:53.299 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 55.55.55.55[500]-10.10.10.10.DD[30199] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: FRAGMENTATION
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: RFC 3947
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: CISCO-UNITY
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: received Vendor ID: DPD
2017-06-16 10:48:53.300 +0100 [INFO]: {1000007: }: Selected NAT-T version: RFC 3947
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: Adding remote and local NAT-D payloads.
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[30199] with algo #4
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[500] with algo #4
2017-06-16 10:48:53.303 +0100 [INFO]: {1000007: }: 2 fragments sent, total len 600.
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[4500] with algo #4
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: NAT-D payload #0 verified
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[46937] with algo #4
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: NAT-D payload #1 doesn't match
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: NAT detected: PEER
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: reveived INITIAL-CONTACT notification.
2017-06-16 10:48:55.000 +0100 [INFO]: {1000007: }: Sending Xauth request
2017-06-16 10:48:55.000 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f lifetime 3600 Sec <====
2017-06-16 10:48:55.171 +0100 [INFO]: {1000007: }: GP gateway GP-GW-N domain user () from 10.10.10.10.DD login rtn 2 lifetime 3600
2017-06-16 10:48:55.171 +0100 [PWRN]: {1000007: }: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2017-06-16 10:48:55.172 +0100 [PWRN]: {1000007: }: Ignored attribute UNITY_BROWSER_PROXY
2017-06-16 10:49:11.483 +0100 [INFO]: {1000007: }: IKE ISAKMP KEY_DELETE recvd: cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f.
2017-06-16 10:49:11.505 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 55.55.55.55[500]-10.10.10.10.DD[30199] cookie:8de69a6a3cddc13f:0b788adbb7e9061e <====
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: FRAGMENTATION
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: RFC 3947
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: CISCO-UNITY
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: received Vendor ID: DPD
2017-06-16 10:49:11.505 +0100 [INFO]: {1000007: }: Selected NAT-T version: RFC 3947
2017-06-16 10:49:11.506 +0100 [INFO]: {1000007: }: Adding remote and local NAT-D payloads.
2017-06-16 10:49:11.506 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[30199] with algo #2
2017-06-16 10:49:11.506 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[500] with algo #2
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: Hashing 55.55.55.55[4500] with algo #2
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: NAT-D payload #0 verified
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: Hashing 10.10.10.10.DD[46937] with algo #2
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: NAT-D payload #1 doesn't match
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: NAT detected: PEER
2017-06-16 10:49:12.000 +0100 [INFO]: {1000007: }: ====> PHASE-1 SA LIFETIME EXPIRED <====
====> Expired SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====
2017-06-16 10:49:12.000 +0100 [INFO]: {1000007: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====

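The debug output above shows Phase 1 completing (NAT-T detected on the peer side, Xauth request sent, SA established with a 3600 s lifetime) and then the peer sending an ISAKMP KEY_DELETE before any Phase-2 message appears. As an added example, not part of the thread or of any Palo Alto tool, here is a small Python parser that pulls those facts out of IKE debug lines of this shape so the "P1 OK, P2 never starts" pattern can be spotted across many connection attempts. It assumes the record format seen above (timestamp, zone, [LEVEL], {context}, message, with `====> ... <====` continuation lines belonging to the record before them) and runs over a trimmed, constructed copy of the quoted log; it reports what the log shows and does not guess at the cause.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample: a trimmed copy of the IKE debug lines quoted in the thread.
# Assumption: records look like "<date> <time> <tz> [<LEVEL>]: {<ctx>: }: <message>"
# and "====> ... <====" lines that carry no timestamp continue the record above.
SAMPLE_LOG = """\
2017-06-16 10:48:53.299 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 55.55.55.55[500]-10.10.10.10.DD[30199] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====
2017-06-16 10:48:53.401 +0100 [INFO]: {1000007: }: NAT detected: PEER
2017-06-16 10:48:55.000 +0100 [INFO]: {1000007: }: Sending Xauth request
2017-06-16 10:48:55.000 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, AGGRESSIVE MODE <====
====> Established SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f lifetime 3600 Sec <====
2017-06-16 10:48:55.171 +0100 [PWRN]: {1000007: }: Ignored attribute INTERNAL_ADDRESS_EXPIRY
2017-06-16 10:48:55.172 +0100 [PWRN]: {1000007: }: Ignored attribute UNITY_BROWSER_PROXY
2017-06-16 10:49:11.483 +0100 [INFO]: {1000007: }: IKE ISAKMP KEY_DELETE recvd: cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f.
2017-06-16 10:49:11.505 +0100 [PNTF]: {1000007: }: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, AGGRESSIVE MODE <====
====> Initiated SA: 55.55.55.55[500]-10.10.10.10.DD[30199] cookie:8de69a6a3cddc13f:0b788adbb7e9061e <====
2017-06-16 10:49:11.566 +0100 [INFO]: {1000007: }: NAT detected: PEER
2017-06-16 10:49:12.000 +0100 [INFO]: {1000007: }: ====> PHASE-1 SA DELETED <====
====> Deleted SA: 55.55.55.55[4500]-10.10.10.10.DD[46937] cookie:7b1db97bc6b8fd1d:9cdf9cc1159f2d0f <====
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} "
    r"\[[A-Z]+\]: \{\d+: \}: (?P<msg>.*)$"
)
COOKIE_RE = re.compile(r"cookie:([0-9a-f]{16}:[0-9a-f]{16})")  # initiator:responder cookies
LIFETIME_RE = re.compile(r"lifetime (\d+) Sec")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


@dataclass
class Phase1SA:
    """What the debug log tells us about one IKEv1 Phase-1 SA."""
    cookie: str
    started: datetime
    mode: str
    nat_detected: Optional[str] = None
    xauth_requested: bool = False
    established: Optional[datetime] = None
    lifetime: Optional[int] = None
    ignored_attrs: list = field(default_factory=list)
    key_delete_recvd: Optional[datetime] = None
    deleted: Optional[datetime] = None
    phase2_seen: bool = False


def parse_ike_log(text: str) -> dict[str, Phase1SA]:
    """Group the debug lines into Phase-1 SAs keyed by ISAKMP cookie pair."""
    sas: dict[str, Phase1SA] = {}
    current: Optional[Phase1SA] = None      # SA that untagged INFO lines belong to
    pending: Optional[tuple] = None         # (event, ts, mode) waiting for its cookie line
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = RECORD_RE.match(line)
        if m:
            ts, msg = datetime.strptime(m["ts"], TS_FMT), m["msg"]
            if "PHASE-1 NEGOTIATION STARTED" in msg:
                pending = ("start", ts, "AGGRESSIVE" if "AGGRESSIVE" in msg else "MAIN")
            elif "PHASE-1 NEGOTIATION SUCCEEDED" in msg:
                pending = ("established", ts, "")
            elif "PHASE-1 SA DELETED" in msg:
                pending = ("deleted", ts, "")
            elif "PHASE-2" in msg and current:
                current.phase2_seen = True      # any quick-mode activity at all
            elif "KEY_DELETE recvd" in msg and (c := COOKIE_RE.search(msg)) and c[1] in sas:
                sas[c[1]].key_delete_recvd = ts  # peer tore the SA down
            elif current and msg.startswith("NAT detected:"):
                current.nat_detected = msg.split(":", 1)[1].strip()
            elif current and msg == "Sending Xauth request":
                current.xauth_requested = True
            elif current and msg.startswith("Ignored attribute "):
                current.ignored_attrs.append(msg.split()[-1])
        elif line.startswith("====>") and pending:
            event, ts, mode = pending
            pending = None
            c = COOKIE_RE.search(line)
            if not c:
                continue
            if event == "start":
                current = sas.setdefault(c[1], Phase1SA(c[1], ts, mode))
            elif c[1] in sas and event == "established":
                current = sas[c[1]]
                current.established = ts
                lt = LIFETIME_RE.search(line)
                current.lifetime = int(lt[1]) if lt else None
            elif c[1] in sas and event == "deleted":
                sas[c[1]].deleted = ts
    return sas


def diagnose(sa: Phase1SA) -> tuple[str, Optional[float]]:
    """Classify what the log shows for one SA. The second item is the number of
    seconds between Phase-1 establishment and the peer's KEY_DELETE, when both are known."""
    if sa.established is None:
        return "phase1_not_established", None
    if sa.phase2_seen:
        return "phase2_attempted", None
    if sa.key_delete_recvd is not None:
        return "phase1_ok_peer_deleted_before_phase2", (sa.key_delete_recvd - sa.established).total_seconds()
    return "phase1_ok_no_phase2_yet", None


if __name__ == "__main__":
    for cookie, sa in parse_ike_log(SAMPLE_LOG).items():
        print(cookie, sa.mode, "nat:", sa.nat_detected, "xauth:", sa.xauth_requested,
              "ignored:", sa.ignored_attrs, diagnose(sa))
```

Run as-is it prints one line per SA: the first (cookie 7b1d...2d0f) is aggressive-mode, NAT detected on the peer, Xauth requested, established with lifetime 3600 and then deleted by the peer 16.483 s later with no Phase-2 activity in between; the second negotiation is still at Phase 1 when the excerpt ends. Feeding the parser the full debug for several attempts makes it easy to see whether every connection dies at the same point.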
@TranceforLife

Yes, exactly what I am seeing: it is failing before phase 2. Not sure what changed in the upgrade to 7.1.9 that would make this happen. What OS version are you on? The GP client for Mac is not working either; does yours?
