Android IoT device VPN assistance

kossuth78
Level 1

I have a number of Android IoT devices (50ish) on which we want to configure the BUILT-IN VPN client in the Android OS to VPN back into our infrastructure to pull what these devices need to pull. The device they would VPN into in our infrastructure is a 4k ISR router. This router is currently in a lab, and I've bounced it back and forth between the 17.9.x train and the 17.12.x train without any luck. Unfortunately, the OS on the Android device is older and only supports IPsec via ISAKMP/IKEv1, not IKEv2. The VPN won't be over the internet, but through a partner enterprise network, so I'm not terribly worried about the security part of this from that perspective. My struggle is purely functional at this point.

I've been working with TAC and others within Cisco for assistance with this, and we've been coming up a little short. Even though it's no longer officially supported, the Cisco team suggested looking at EzVPN. I've been playing with it for several weeks now and just haven't had any luck. It finds the pre-shared key during the ISAKMP negotiation, but during the further processing of the session something is falling apart. I don't want to give up on this, but I'm wondering if anybody has a working configuration example I can go by and take a look at?

The IoT device vendor won't be any help. They have configuration examples for both Juniper and Fortigate firewalls, but they detest Cisco. I know they won't even entertain supporting me on this, so I'm kinda on my own here. The device is LOCKED down by the manufacturer and you can't install third-party apps on it, so we have to use the built-in client.

Here are some of the debug outputs for reference:

ISAKMP: (0):found peer pre-shared key matching X.X.X.X
ISAKMP: (1003):received payload type 20
ISAKMP: (1003):His hash no match - this node outside NAT
ISAKMP: (1003):received payload type 20
ISAKMP: (1003):No NAT Found for self or peer
ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP: (1003):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP-PAK: (1003):sending packet to X.X.X.X my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP: (1003):Sending an IKE IPv4 Packet.
ISAKMP: (1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP: (1003):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP-PAK: (1003):received packet from X.X.X.X dport 500 sport 500 VRF (R) MM_KEY_EXCH
ISAKMP-PAK-ERROR: (1003):reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from X.X.X.X failed its sanity check or is malformed
ISAKMP: (1003):: incrementing error counter on sa, attempt 1 of 5: reset_retransmission
ISAKMP: (1003):retransmitting phase 1 MM_KEY_EXCH...
ISAKMP: (1003):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

I'm reaching out here hoping I can get some additional help from some folks who have successfully used the built-in Android client, because I have to be doing something wrong.

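Editor's note on the debug excerpt above, with an added example that is not part of the original post or of any Cisco code. The router reaches MM4 and then receives the first encrypted main-mode packet (MM5), whose first payload is the initiator's ID payload; the very first thing logged for it is "reserved not zero on ID payload!", which is the RFC 2408 generic-payload-header check (Next Payload, RESERVED, Length) and it fires on the RESERVED byte. MM5 is encrypted under SKEYID_e, and with pre-shared-key authentication SKEYID is prf(PSK, Ni_b | Nr_b) (RFC 2409 section 5.4), so a responder holding a different PSK than the client decrypts MM5 to noise and this sanity check is the first one to fail. The script below reproduces that mechanism end to end: it builds a real ISAKMP ID payload, derives SKEYID and SKEYID_e with HMAC-SHA1 exactly as RFC 2409 specifies, and shows the responder's parse succeeding with a matching key and failing with a mismatched one. All nonces, cookies, the DH shared secret and both PSK strings are constructed sample values, and `toy_cipher` is a stand-in keystream cipher (not the real IKE cipher) used only so the example runs on the standard library.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# --- ISAKMP constants (RFC 2408 section 3.1, RFC 2407 section 4.6.2.1) ---
PAYLOAD_NONE = 0
PAYLOAD_HASH = 8
ID_IPV4_ADDR = 1       # IPsec DOI identification type: single IPv4 address
PROTO_UDP = 17


class SanityError(ValueError):
    """A decoded payload failed the checks a responder applies before using it."""


@dataclass
class IdPayload:
    id_type: int
    protocol_id: int
    port: int
    data: bytes


def build_id_payload(next_payload: int, id_type: int, data: bytes,
                     protocol_id: int = PROTO_UDP, port: int = 500) -> bytes:
    """ID payload with its generic header: NextPayload, RESERVED (=0), Length."""
    length = 8 + len(data)
    return (struct.pack("!BBH", next_payload, 0, length)
            + struct.pack("!BBH", id_type, protocol_id, port) + data)


def parse_id_payload(buf: bytes, offset: int = 0):
    """Decode one ID payload; raise SanityError the way a responder rejects a bad header."""
    if len(buf) - offset < 8:
        raise SanityError("truncated ID payload")
    next_payload, reserved, length = struct.unpack_from("!BBH", buf, offset)
    if reserved != 0:
        raise SanityError("reserved not zero on ID payload")
    if length < 8 or offset + length > len(buf):
        raise SanityError("bad ID payload length")
    id_type, protocol_id, port = struct.unpack_from("!BBH", buf, offset + 4)
    return next_payload, IdPayload(id_type, protocol_id, port, buf[offset + 8:offset + length])


def id_payload_error(buf: bytes):
    """None if the payload parses, otherwise the sanity-check message."""
    try:
        parse_id_payload(buf)
        return None
    except SanityError as e:
        return str(e)


# --- Phase 1 keying for pre-shared-key authentication (RFC 2409 section 5) ---
def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 here."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def skeyid_e(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_d -> SKEYID_a -> SKEYID_e chain; only SKEYID_e (the encryption key) is returned."""
    d = hmac.new(skeyid, gxy + cky_i + cky_r + b"\x00", hashlib.sha1).digest()
    a = hmac.new(skeyid, d + gxy + cky_i + cky_r + b"\x01", hashlib.sha1).digest()
    return hmac.new(skeyid, a + gxy + cky_i + cky_r + b"\x02", hashlib.sha1).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for the IKE cipher: HMAC-SHA1 counter-mode keystream XOR (symmetric, so the
    same call decrypts). NOT real IKE encryption; it only models 'wrong key => noise'."""
    stream = b"".join(hmac.new(key, struct.pack("!I", i), hashlib.sha1).digest()
                      for i in range((len(data) + 19) // 20))
    return bytes(b ^ k for b, k in zip(data, stream))


# Constructed sample exchange values (not from any real capture).
NI, NR = bytes(range(16)), bytes(range(16, 32))
GXY = hashlib.sha256(b"constructed-dh-shared-secret").digest()
CKY_I, CKY_R = b"\x11" * 8, b"\x22" * 8
PSK_GOOD = b"correct-psk"
PSK_BAD = b"wrong-psk"


def make_mm5(initiator_psk: bytes) -> bytes:
    """Initiator side: MM5 = E(SKEYID_e, ID_i | HASH_i) with ID_i = 192.0.2.10, dummy HASH_i."""
    id_i = build_id_payload(PAYLOAD_HASH, ID_IPV4_ADDR, bytes([192, 0, 2, 10]))
    hash_i = struct.pack("!BBH", PAYLOAD_NONE, 0, 24) + b"\x00" * 20
    key = skeyid_e(skeyid_psk(initiator_psk, NI, NR), GXY, CKY_I, CKY_R)
    return toy_cipher(key, id_i + hash_i)


def responder_outcome(responder_psk: bytes, initiator_psk: bytes) -> str:
    """Responder side: decrypt MM5 with its own PSK-derived key, then parse ID_i."""
    key = skeyid_e(skeyid_psk(responder_psk, NI, NR), GXY, CKY_I, CKY_R)
    plaintext = toy_cipher(key, make_mm5(initiator_psk))
    err = id_payload_error(plaintext)
    if err is not None:
        return "sanity check failed: " + err
    _, ident = parse_id_payload(plaintext)
    return f"ok id_type={ident.id_type} data={ident.data.hex()}"


if __name__ == "__main__":
    print(responder_outcome(PSK_GOOD, PSK_GOOD))   # parses: ID_IPV4_ADDR 192.0.2.10
    print(responder_outcome(PSK_GOOD, PSK_BAD))    # responder's key differs: header check fails
```

The practical check this suggests for the debug above: "found peer pre-shared key matching X.X.X.X" only means the router located *a* key for that peer address (a `crypto isakmp key ... address` entry, or the group key it resolves to); it does not prove the key equals what the Android client was given. Anything that makes the two sides' SKEYID_e differ (a different PSK, or the client authenticating as a group in aggressive mode while the router keys by address) produces exactly this "failed its sanity check or is malformed" on the first encrypted packet.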