Mobile devices that run Android version 4.x and higher include a VPN client. You can use the Android VPN client to make an L2TP VPN connection to a Firebox. The Firebox must be configured to use Phase 1 and Phase 2 transforms that are supported by the Android device.
Authentication and Encryption Settings
Android devices have a list of several supported transforms for VPN connections. Unless the hardware manufacturer of your device modified the native Android VPN client, you cannot view this list or specify different default transforms. Recent Android OS versions have these default transforms:
Phase 1 — SHA2(256)–AES(256)–DH2
Phase 2 — SHA2(256)–AES(256)
Some older versions of Android OS use these default transforms:
Phase 1 — SHA1–AES(256)–DH2
Phase 2 — SHA1–AES(256)
In some cases, the hardware manufacturer of your Android device might specify different default transforms for the native Android VPN client.
To initiate a VPN connection to the Firebox, the Android device sends its default transforms to the Firebox. You must configure the Firebox with transforms supported by Android for the VPN connection to establish. WatchGuard recommends that you specify the default Android transforms in your Mobile VPN with IPSec settings on the Firebox. You can specify more than one transform.
If you specify Firebox transforms different from the default Android transforms, the Android device sends the next set of transforms on its list. This process repeats until the Android device finds transforms on its list that match the Firebox settings, or until the Android device reaches a retry limit or has no additional transforms to test.
To troubleshoot connection issues, see Troubleshoot Mobile VPN with L2TP.
Configure the L2TP Network Settings
To configure L2TP network settings, on the Android device:
- On the Settings page, in the Wireless & Networks section, select More > VPN.
- Click + to add a VPN network.
The Edit VPN profile page appears.
- In the Name text box, type a name for this VPN connection, such as "L2TP Firebox".
- If Mobile VPN with L2TP on the Firebox is configured to use a pre-shared key as the IPSec credential method:
- In the Type drop-down list, select L2TP/IPSec PSK.
- In the IPSec pre-shared key text box, type the pre-shared key for this tunnel. The pre-shared key must match the pre-shared key configured on the Firebox Mobile VPN with L2TP IPSec settings.
- If Mobile VPN with L2TP on the Firebox is configured to use a certificate as the IPSec credential method:
- In the Type drop-down list, select L2TP/IPSec RSA.
- Make sure the certificate is imported to your Android device.
- In the Server Address text box, type the external IP address of the Firebox to connect to.
- Save the connection.
Start the L2TP Connection
To start the VPN connection:
- Select the L2TP VPN connection you configured.
- Type the Username and Password.
- Click Connect.