[Swan] android nat vs no-nat
Bob Miller
bob at computerisms.ca
Fri Oct 10 03:56:47 EEST 2014
Hi,

I have an android tablet in front of me and am connecting to a
cert-based libreswan implementation. There exist a number of windows
clients and there is no current will to move to xauth, but I don't think
that would solve the problem anyway. I can see in the logs that several
devices are connected, and there have been no reports of any problems
since I changed this box over to libreswan.

When I connect to wifi on my local network, the android connects to the
vpn just fine and traffic passes as expected. When I connect the
android to lte or wcdma, the connection gets stuck at STATE_MAIN_R2:
sent MR2, expecting MI3.

I tried things like enabling forceencaps, changing 17/%any to 17/0, and
a few other suggestions I found on google, but none of that has changed
the situation. I read a few suggestions that the problem could be ipv6
related, but libreswan logs report a connection from an ipv4 address.

In the logs I found that libreswan thinks the device is still behind
nat, and digging deeper, I found that when connected to the lte/wcdma
network, the android actually has a 10.x.x.x address, so I guess it is
true, and I guess that means this is not an ipv6 problem. But this
didn't enlighten me any, as the virtual_private line has the 10/8
network in it, so this should work equally well whether behind my nat
device or behind the lte nat device.

So I got to thinking that the cell network must be blocking something,
so I dusted off the old windows machine and configured the android
device as a hotspot. The windows machine connects just fine to the vpn
using the android as a wifi hotspot, so I take that to mean the cell
network is not blocking the traffic.

Given that people are using the vpn, I don't want to mess around too much
with the ipsec config, and the android has a limited number of
applicable options, all of which I have messed with endlessly, or at
least so it seems. I am not sure what the next step is in figuring out
why this doesn't work; I'm wondering if anyone has any suggestions.
--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
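The post above is stuck at "STATE_MAIN_R2: sent MR2, expecting MI3" with libreswan reporting the peer as NATed. In IKEv1 Main Mode with RFC 3947 NAT traversal, MI3 is the first message the initiator sends after NAT has been detected, and it is the message that moves from UDP/500 to UDP/4500, so a negotiation that stalls exactly there usually means the UDP/4500 path from the client never reaches the responder, even though UDP/500 did. The script below is an added example (not part of the original post and not libreswan's own code) that folds pluto-style log lines into one record per ISAKMP SA and flags SAs that sent MR2 but never saw MI3, together with the port on which MI3 should have arrived. The log lines and the line layout are constructed to resemble pluto output; the connection name, peer addresses and SA numbers are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of pluto-style log lines (illustrative, not taken from a real
# libreswan install). SA #7 reproduces the stall quoted in the post: NAT detected,
# MR2 sent, MI3 never received. SA #8 is a control that completes on UDP/500.
SAMPLE_LOG = """\
"roadwarrior"[1] 198.51.100.20 #7: responding to Main Mode from unknown peer 198.51.100.20
"roadwarrior"[1] 198.51.100.20 #7: STATE_MAIN_R1: sent MR1, expecting MI2
"roadwarrior"[1] 198.51.100.20 #7: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: peer is NATed
"roadwarrior"[1] 198.51.100.20 #7: STATE_MAIN_R2: sent MR2, expecting MI3
"roadwarrior"[2] 203.0.113.9 #8: responding to Main Mode from unknown peer 203.0.113.9
"roadwarrior"[2] 203.0.113.9 #8: STATE_MAIN_R1: sent MR1, expecting MI2
"roadwarrior"[2] 203.0.113.9 #8: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
"roadwarrior"[2] 203.0.113.9 #8: STATE_MAIN_R2: sent MR2, expecting MI3
"roadwarrior"[2] 203.0.113.9 #8: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# Assumed line shape: "conn"[instance] peer #sa: message
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"^(?P<state>STATE_[A-Z0-9_]+):")


@dataclass
class SaRecord:
    conn: str
    peer: str
    nat: Optional[bool] = None        # None until a NAT-Traversal result line is seen
    last_state: Optional[str] = None  # most recent STATE_* reported for this SA
    established: bool = False


def parse_pluto_log(text: str) -> Dict[str, SaRecord]:
    """Fold log lines into one record per ISAKMP SA number."""
    records: Dict[str, SaRecord] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(m.group("sa"), SaRecord(m.group("conn"), m.group("peer")))
        msg = m.group("msg")
        if msg.startswith("NAT-Traversal:"):
            # Anything other than an explicit "no NAT detected" counts as NAT present.
            rec.nat = "no NAT detected" not in msg
        st = STATE_RE.match(msg)
        if st:
            rec.last_state = st.group("state")
        if "ISAKMP SA established" in msg:
            rec.established = True
    return records


def expected_mi3_port(rec: SaRecord) -> int:
    """UDP port on which the initiator's MI3 should arrive.

    Per RFC 3947 the initiator switches to UDP/4500 starting with its first
    ID-carrying Main Mode message (MI3) once NAT was detected in MI2/MR2;
    without NAT the whole exchange stays on UDP/500.
    """
    return 4500 if rec.nat else 500


def stalled_at_mr2(records: Dict[str, SaRecord]) -> List[Tuple[str, str, int]]:
    """Return (sa, peer, expected_port) for SAs that sent MR2 but never got MI3."""
    stalled = []
    for sa, rec in sorted(records.items(), key=lambda kv: int(kv[0])):
        if rec.last_state == "STATE_MAIN_R2" and not rec.established:
            stalled.append((sa, rec.peer, expected_mi3_port(rec)))
    return stalled


if __name__ == "__main__":
    for sa, peer, port in stalled_at_mr2(parse_pluto_log(SAMPLE_LOG)):
        print(f"SA #{sa} from {peer}: sent MR2 but MI3 never arrived; "
              f"verify that UDP/{port} from the peer reaches this responder")
```

Run against a real pluto log, the interesting cases are the stalled SAs whose expected port is 4500: that isolates the check to NAT-T encapsulated traffic on UDP/4500 (firewall rules on the responder, forwarding on any device in front of it, and the carrier path), which the UDP/500 success of MI1/MI2 says nothing about.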