Hello All,
Which Key Exchange Method Transform ID (formerly known as DH (Diffie-Hellman) group) is your server configured to accept? By default, a Windows VPN server expects the "1024-bit MODP Group" (Group 2) but Android only offers the following:
- 2048-bit MODP Group with 256-bit Prime Order Subgroup (Group24)
- 384-bit random ECP group (ECP384)
- 256-bit random ECP group (ECP256)
- 2048-bit MODP Group (Group14)
- 1536-bit MODP Group (Group5)
Unless the VPN server has been configured to expect one of the above, the connection will fail.
The Microsoft article https://video2.skills-academy.com/en-us/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections explains how to change the setting and Richard Hicks' article https://directaccess.richardhicks.com/2018/12/10/always-on-vpn-ikev2-security-configuration/ also discusses the topic.
Both of the articles use PowerShell cmdlets to change the settings; unfortunately, there is not a simple PowerShell command to show the current settings. Richard Hicks suggests using the command Get-NetIPsecMainModeSA, but this only works when Main Mode security associations are present (i.e. when VPN clients are connected). In the quiescent state (no active Main Mode security associations) it may be necessary to examine the stored settings in the registry (see section 2.2.3.4.2.8 IKEv2 Custom Policy Configuration of [MS-RRASM]) or the active Windows Filtering Platform state on the VPN server (use "netsh wfp show state" to obtain the state and then search that for the IkeV2MmPolicy elements).
Gary
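As an added check, not code from Gary's post or from the two articles he links, the following PowerShell follows the procedure above: it reads the group from active IKEv2 Main Mode SAs when clients are connected, otherwise dumps the WFP state with netsh and pulls the dhGroup values found under the IkeV2MmPolicy elements, then flags any group that Android does not offer. It assumes the element names ikeV2MmPolicy and dhGroup (matched case-insensitively) with IKEEXT_DH_* enum values in the XML, and the GroupId and KeyModule property names on the SA objects.

```powershell
# Constructed example; not from the post. Assumes the wfpstate XML from
# "netsh wfp show state" holds IKEv2 main-mode policies in elements named
# ikeV2MmPolicy with a dhGroup element per proposal carrying an IKEEXT_DH_*
# enum name, and that Get-NetIPsecMainModeSA objects expose GroupId/KeyModule.

# Key exchange groups the Android client offers, keyed by the IKEEXT enum name
# used in the WFP state (IKEEXT_DH_GROUP_2048 is the older alias of Group14).
$AndroidOffered = @{
    'IKEEXT_DH_GROUP_24'   = '2048-bit MODP Group with 256-bit Prime Order Subgroup (Group24)'
    'IKEEXT_DH_ECP_384'    = '384-bit random ECP group (ECP384)'
    'IKEEXT_DH_ECP_256'    = '256-bit random ECP group (ECP256)'
    'IKEEXT_DH_GROUP_14'   = '2048-bit MODP Group (Group14)'
    'IKEEXT_DH_GROUP_2048' = '2048-bit MODP Group (Group14)'
    'IKEEXT_DH_GROUP_5'    = '1536-bit MODP Group (Group5)'
}

# XPath fragment that lower-cases an element's local name so the match does not
# depend on the exact casing netsh writes.
$lc = "translate(local-name(),'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')"

function Get-IkeV2DhGroupsFromWfpState {
    param([string]$StateFile = (Join-Path $env:TEMP 'wfpstate.xml'))
    # Dump the live WFP state to XML (run from an elevated shell).
    netsh wfp show state file="$StateFile" | Out-Null
    [xml]$state = Get-Content -Path $StateFile -Raw
    # Return every dhGroup value found beneath an ikeV2MmPolicy element.
    foreach ($policy in $state.SelectNodes("//*[$lc='ikev2mmpolicy']")) {
        foreach ($dh in $policy.SelectNodes(".//*[$lc='dhgroup']")) { $dh.InnerText.Trim() }
    }
}

function Test-AndroidKeyExchange {
    param([string[]]$ServerGroups)
    foreach ($g in ($ServerGroups | Sort-Object -Unique)) {
        if ($AndroidOffered.ContainsKey($g)) { "$g - offered by Android: $($AndroidOffered[$g])" }
        else { "$g - NOT offered by Android; IKEv2 from Android will fail on this proposal" }
    }
}

# Prefer the live SAs when clients are connected; fall back to the stored WFP policy.
$activeSAs = Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue | Where-Object KeyModule -eq 'IkeV2'
if ($activeSAs) {
    $activeSAs | Select-Object LocalEndpoint, RemoteEndpoint, GroupId | Format-Table -AutoSize
} else {
    Write-Host 'No IKEv2 Main Mode SAs present; reading WFP state instead.'
    Test-AndroidKeyExchange -ServerGroups (Get-IkeV2DhGroupsFromWfpState)
}
```

Run it on the VPN server itself from an elevated PowerShell session; a server still on the default Group 2 will be reported as IKEEXT_DH_GROUP_2, which is not in Android's list.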