Have just spent the last 90 minutes fighting with a Google Pixel 3 being unable to create a VPN connection back to a MX. Anyway after many "it must be my fault" assumptions I checked the wider world and found this is a widespread issue.
Although the issue was discovered on my personal phone we have client who wishes to roll out switch from Samsung handsets to Pixel 3a devices, hence playing with VPN again.
So far the options are to use PPTP (not a real option even if the Meraki gave the option) or go for the Android 10 beta (not an option for the client)
Anybody found a workaround for the issue?
I wonder if any Android VPN client is able connect to to an MX.
Workarounds
For the customer an additional device is not an option as it's direct access to their own systems when their Wi-Fi is not available (it's a public transport system so lack of Wi-Fi is pretty often)
I have the Android 10 Beta 5 downloading to my own phone to see if the issue is resolved, as it is not wise to rely upon what is published online 😉
If they stick to their usual release schedule then android 10 will be the production release by the time the handsets are purchased.
Seems the lack of connectivity has been with the Pixel 3 for at least 6 months so it's a long running issue.
The Android VPN client implementation I use (8.0.0) only handles numeric VPN server addresses.
Iv'e used both the dynamic DNS lookup and actual IP address (I know there is a configuration that you must use the endpoint address itself, but can;t remember why)
MX67
Pixel 3 XL
T-Mobile
Build: PQ3A.190705.003
Client VPN is working for me with Meraki authentication.
Follow these instructions, use the IP address in the server address
https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration
Update: Issue seems to be resolved
Immediate VPN connection with the Android 10 r5 and the current android 9 release when using the phones existing VPN settings (i.e. I changed nothing apart from installing the Beta version)
Looks like something has changes between releases as I no longer get the following errors logged:
msg: packet shorter than isakmp header size (0, 64, 28)
&
msg: phase1 negotiation failed due to time up.