[Swan] android nat vs no-nat

Bob Miller bob at computerisms.ca
Fri Oct 10 18:43:54 EEST 2014


apologies; to the list this time...

Hi Paul,

As always I am very grateful for your response, thank you...

> > When I connect to wifi on my local network, the android connects to the
> > vpn just fine and traffic passes as expected.  When I connect the
> > android to lte or wcdma, the connection gets stuck at STATE_MAIN_R2:
> > sent MR2, expecting MI3.
> Can you try setting ike-frag=force (or ike_frag=force ?)
> 
> It looks like you are hitting UDP fragmentation of IKE packets where the
> fragments are getting lost. The ike-frag option triggers fragmentation
> on the IKE level before the UDP fragmentation kicks in.
> 
> Alternatively, you could try to generate a certificate for this device
> with a smaller RSA key (eg 1024) and see if that would (temporarily)
> work around it.

I tried each, and then both together, but in all three cases it gets
stuck at the same place.  I tried turning on plutodebug=all, in the
hopes I would find another error or clue, but if one exists I don't see
it there.  In my earlier troubleshooting I had dropped the mtu, but I
put it back to 1500 in case I was snipping some packets.

One thing I find that seems interesting: when the android connects
through my LAN, it uses ports 500 and 1245, whereas when it connects
through lte, it uses random high-numbered ports, like 59371 instead of
500, which the server responds to, and 48848 instead of 4500, which the
server does not respond to.  Not sure if this indicates a problem yet,
but I'm not sure why it is different; it seems like it shouldn't be...

If you have any further thoughts I would love to hear them...

> 
> Paul
> 
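Added illustration of the two mechanisms Paul's reply relies on; this is not code from either mail and not libreswan's own code. MI3 is the first encrypted Main Mode message and carries the initiator's ID, CERT and SIG payloads, so it is the one most likely to grow past the path MTU. The model below estimates that message's size for a given certificate and RSA key length, counts the IPv4 fragments one UDP datagram would produce, and shows how IKE-level fragmentation (the `ike-frag` idea) keeps every datagram whole. All certificate sizes, the 1024-byte per-fragment payload, and the 1500-byte MTU are constructed assumptions, not measurements from the thread or libreswan defaults.

```python
"""Model of IKE message size vs. path MTU, with and without IKE-level fragmentation.

All sizes are constructed estimates for illustration (not measured values from the
thread, and not libreswan's configuration defaults).
"""
import math

IPV4_HEADER = 20              # bytes, no IP options
UDP_HEADER = 8
NAT_T_MARKER = 4              # non-ESP marker in front of IKE on UDP/4500 (RFC 3948)
ISAKMP_HEADER = 28
GENERIC_PAYLOAD_HEADER = 4    # next-payload, reserved, length
IKE_FRAG_PAYLOAD_HEADER = 8   # generic header + fragment id/number/flags (assumed layout)


def ip_fragment_count(ike_len: int, mtu: int = 1500, nat_t: bool = False) -> int:
    """IPv4 fragments produced by ONE UDP datagram carrying an IKE message of ike_len bytes.

    Every fragment except the last must carry a multiple of 8 bytes of IP payload,
    so the usable size per fragment is rounded down to a multiple of 8.
    """
    udp_datagram = UDP_HEADER + (NAT_T_MARKER if nat_t else 0) + ike_len
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    return max(1, math.ceil(udp_datagram / per_fragment))


def main_mode_msg_len(cert_der_len: int, rsa_bits: int, id_len: int = 12) -> int:
    """Rough plaintext size of Main Mode message 5/6 (ID + CERT + SIG payloads).

    cert_der_len is the DER-encoded certificate length (assumed input); the RSA
    signature is rsa_bits/8 bytes, which is why a 1024-bit key shrinks the message.
    Encryption padding is ignored.
    """
    sig_len = rsa_bits // 8
    return (ISAKMP_HEADER
            + GENERIC_PAYLOAD_HEADER + id_len
            + GENERIC_PAYLOAD_HEADER + 1 + cert_der_len   # 1-byte cert encoding type
            + GENERIC_PAYLOAD_HEADER + sig_len)


def ike_fragment_plan(ike_len: int, mtu: int = 1500, nat_t: bool = False,
                      max_frag_payload: int = 1024) -> dict:
    """Compare sending the message as one datagram vs. as IKE-level fragments.

    max_frag_payload is an assumed per-fragment data size. With IKE-level
    fragmentation each fragment is a complete ISAKMP message small enough that
    the IP layer never has to split it, so a carrier dropping IP fragments
    cannot lose part of it.
    """
    without = {
        "datagrams": 1,
        "ip_fragments_each": ip_fragment_count(ike_len, mtu, nat_t),
    }
    n_frags = math.ceil(ike_len / max_frag_payload)
    frag_len = ISAKMP_HEADER + IKE_FRAG_PAYLOAD_HEADER + min(ike_len, max_frag_payload)
    with_frag = {
        "datagrams": n_frags,
        "ip_fragments_each": ip_fragment_count(frag_len, mtu, nat_t),
    }
    return {"without_ike_frag": without, "with_ike_frag": with_frag}


if __name__ == "__main__":
    # Constructed sample: a 2048-bit RSA cert of ~1300 bytes DER vs. a 1024-bit one of ~1000.
    for bits, der in ((2048, 1300), (1024, 1000)):
        msg = main_mode_msg_len(der, bits)
        print(f"RSA-{bits}: MI3 ~{msg} bytes ->", ike_fragment_plan(msg, nat_t=True))
```

Run as a script it prints that the 2048-bit case needs two IP fragments for a single datagram (the situation where lost fragments leave the responder stuck waiting for MI3), while either IKE-level fragmentation or the smaller key brings every datagram under the MTU. To check a real link rather than the model, compare the MTU used here with the actual path MTU of the mobile network and watch for fragmented UDP/500 and UDP/4500 traffic on the responder.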