Windows clients have been connecting in our environment for years and continued when we upgraded to the MX100 3 months ago. I now have the need to connect mobile clients. iPhones and iPads connect with no problem. I have now tried 3 Androids and have yet to connect. Client config couldn't be more basic. You just need Hostname and shared-key.
Mar 22 16:33:05
Non-Meraki / Client VPN negotiation
msg: IPsec-SA expired: ESP/Transport "removed IP on client side"->1"removed IP on server side" spi=149273251(0x8e5baa3)
I think I might have found the issue and it isn't pretty.
Client VPN uses the L2TP/IP protocol, with 3DES and SHA1 respectively as the encryption and hashing algorithms. As a best practice, the shared secret should not contain any special characters at the beginning or end.
My Shared Secret has a special character as described and was chosen by a Cisco-certified partner 4 years ago. I will test this after hours soon. If this is the issue, this means we have to touch every device with a VPN client unless someone knows another way.