IKEv2 remote-access not working on Android

My config:

set pki ca isrgrootx1 certificate 'certdata'
set pki ca lets-encrypt-r3 certificate 'certdata'
set pki certificate vpn2 acme domain-name 'vpn.somedomain.com'
set pki certificate vpn2 acme email '[email protected]'
set pki certificate vpn2 acme listen-address 'ip on eth0'

set vpn ipsec esp-group vpn lifetime '3600'
set vpn ipsec esp-group vpn pfs 'enable'
set vpn ipsec esp-group vpn proposal 10 encryption 'aes128gcm128'
set vpn ipsec esp-group vpn proposal 10 hash 'sha256'
set vpn ipsec ike-group vpn key-exchange 'ikev2'
set vpn ipsec ike-group vpn lifetime '7200'
set vpn ipsec ike-group vpn proposal 10 dh-group '14'
set vpn ipsec ike-group vpn proposal 10 encryption 'aes128gcm128'
set vpn ipsec ike-group vpn proposal 10 hash 'sha256'
set vpn ipsec interface 'eth0'
set vpn ipsec remote-access connection support authentication client-mode 'eap-mschapv2'
set vpn ipsec remote-access connection support authentication local-id 'vpn.somedomain.com'
set vpn ipsec remote-access connection support authentication local-users username stels password 'secret'
set vpn ipsec remote-access connection support authentication server-mode 'x509'
set vpn ipsec remote-access connection support authentication x509 ca-certificate 'isrgrootx1'
set vpn ipsec remote-access connection support authentication x509 ca-certificate 'lets-encrypt-r3'
set vpn ipsec remote-access connection support authentication x509 certificate 'vpn2'
set vpn ipsec remote-access connection support esp-group 'vpn'
set vpn ipsec remote-access connection support ike-group 'vpn'
set vpn ipsec remote-access connection support local-address 'ip on eth0'
set vpn ipsec remote-access connection support pool 'support'
set vpn ipsec remote-access pool support name-server '1.1.1.1'
set vpn ipsec remote-access pool support name-server '9.9.9.9'
set vpn ipsec remote-access pool support prefix '192.168.120.64/27'

It works fine with the strongSwan app, but the built-in VPN on Android 14 does not work. When I try to connect, it runs for 1 second and fails.
The server log is OK.

vyos@vyos# run show log vpn | no-match systemd
May 27 18:43:00 charon[1998]: 07[NET] <5> received packet: from client_ip[18425] to ip_on_eth0[500] (1072 bytes)
May 27 18:43:00 charon[1998]: 07[ENC] <5> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
May 27 18:43:00 charon[1998]: 07[IKE] <5> client_ip is initiating an IKE_SA
May 27 18:43:00 charon[1998]: 07[CFG] <5> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
May 27 18:43:00 charon[1998]: 07[IKE] <5> remote host is behind NAT
May 27 18:43:00 charon[1998]: 07[IKE] <5> DH group MODP_4096 unacceptable, requesting MODP_2048
May 27 18:43:00 charon[1998]: 07[ENC] <5> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 27 18:43:00 charon[1998]: 07[NET] <5> sending packet: from ip_on_eth0[500] to client_ip[18425] (38 bytes)
May 27 18:43:00 charon[1998]: 03[NET] <6> received packet: from client_ip[18426] to ip_on_eth0[500] (816 bytes)
May 27 18:43:00 charon[1998]: 03[ENC] <6> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
May 27 18:43:00 charon[1998]: 03[IKE] <6> client_ip is initiating an IKE_SA
May 27 18:43:00 charon[1998]: 03[CFG] <6> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
May 27 18:43:00 charon[1998]: 03[IKE] <6> remote host is behind NAT
May 27 18:43:00 charon[1998]: 03[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
May 27 18:43:00 charon[1998]: 03[NET] <6> sending packet: from ip_on_eth0[500] to client_ip[18426] (464 bytes)
May 27 18:43:00 charon[1998]: 16[NET] <6> received packet: from client_ip[18426] to ip_on_eth0[4500] (504 bytes)
May 27 18:43:00 charon[1998]: 16[ENC] <6> parsed IKE_AUTH request 1 [ IDi IDr N(MOBIKE_SUP) SA TSi TSr CPRQ(ADDR ADDR6 DNS DNS6 MASK VER) ]
May 27 18:43:00 charon[1998]: 16[CFG] <6> looking for peer configs matching ip_on_eth0[vpn.somedomain.com]...client_ip[vpn.somedomain.com]
May 27 18:43:00 charon[1998]: 16[CFG] <ra-support|6> selected peer config 'ra-support'
May 27 18:43:00 charon[1998]: 16[IKE] <ra-support|6> initiating EAP_IDENTITY method (id 0x00)
May 27 18:43:00 charon[1998]: 16[IKE] <ra-support|6> peer supports MOBIKE
May 27 18:43:00 charon[1998]: 16[IKE] <ra-support|6> authentication of 'vpn.somedomain.com' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
May 27 18:43:00 charon[1998]: 16[ENC] <ra-support|6> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
May 27 18:43:00 charon[1998]: 16[NET] <ra-support|6> sending packet: from ip_on_eth0[4500] to client_ip[18426] (373 bytes)
May 27 18:43:30 charon[1998]: 15[JOB] <ra-support|6> deleting half open IKE_SA with client_ip after timeout