[Swan] Android VPN not passing any traffic, OSX does work

Paul Wouters paul at nohats.ca
Wed Mar 8 12:44:58 UTC 2017


On Tue, 7 Mar 2017, Viktor Keremedchiev wrote:

> I’m running 2 separate instances on AWS, one 3.19 and the other 3.20drq, on CentOS. Neither of them works with Android; on Windows the connection stalls at IKE pull.
>
> My configuration on both is as follows:
> conn roaming
>    authby=secret
>    type=transport
>    left=172.31.255.216
>    leftsubnet=0.0.0.0/0
>    right=%any
>    rightaddresspool=172.31.255.1-172.31.255.250

Transport mode cannot have subnet. You must use tunnel mode for that.

>    cisco-unity=yes
>    modecfgdns1=8.8.8.8
>    modecfgdns2=8.8.4.4
>    narrowing=yes
>    leftxauthserver=yes
>    rightxauthclient=yes
>    leftmodecfgserver=yes
>    rightmodecfgclient=yes
>    modecfgpull=yes
>    ike_frag=yes
>    ikev2=never
>    auto=add
>    pfs=no
>    rekey=no
>    mark=%unique

If you require marking, you must ensure that your packets are getting
marked, either by your own iptables rules or by routing it into VTI
devices with the proper mark.

> When I use OSX 10.12 all is well. I can authenticate and pass traffic. However, when I connect using the same credentials and PSK from an Android phone, it connects but it doesn’t pass any traffic:

Hmm, possibly OSX uses tunnel mode anyway?

> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: responding to Main Mode from unknown peer 199.7.157.82
> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: Main mode peer ID is ID_IPV4_ADDR: '10.156.143.137'
> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: switched from "roaming"[1] 199.7.157.82 to "roaming"
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: deleting connection "roaming"[1] 199.7.157.82 instance with peer 199.7.157.82 {isakmp=#0/ipsec=#0}
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: new NAT mapping for #1, was 199.7.157.82:62456, now 199.7.157.82:40044
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
> Mar  7 17:08:08: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
> Mar  7 17:08:08: | ISAKMP Notification Payload
> Mar  7 17:08:08: |   00 00 00 1c  00 00 00 01  01 10 60 02
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: received and ignored informational message
> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
> Mar  7 17:08:08: XAUTH: User viktork: Attempting to login
> Mar  7 17:08:08: XAUTH: pam authentication being called to authenticate user viktork
> Mar  7 17:08:09: XAUTH: User viktork: Authentication Successful
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: XAUTH: xauth_inR1(STF_OK)
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_BANNER received.
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
> Mar  7 17:08:09: | We are not sending a domain
> Mar  7 17:08:09: | We are not sending a banner
> Mar  7 17:08:09: | We are 0.0.0.0/0 so not sending CISCO_SPLIT_INC
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: modecfg_inR0(STF_OK)
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #1: the peer proposed: 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: responding to Quick Mode proposal {msgid:ee4a6abc}
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:     us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:   them: 199.7.157.82[10.156.143.137,+MC+XC+S=C]===172.31.255.1/32
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}

This looks good. Perhaps try without marking?

Paul
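The two points raised in the reply, as an added example that is not part of the original thread or of libreswan itself: a small Python lint that parses an ipsec.conf "conn" section (the sample is constructed from the quoted config), flags type=transport combined with a subnet selector and mark=%unique without an accompanying marking setup, and produces the minimal corrected option set (tunnel mode, mark removed). Parsing rules, finding text and the fixed_conn helper are this example's own assumptions.

```python
"""Lint a libreswan ipsec.conf 'conn' section for the two issues raised in
the thread: transport mode with a subnet selector, and mark=%unique without
anything guaranteeing that packets actually get marked."""
import re

# Constructed sample: the relevant keys of the quoted 'roaming' conn.
SAMPLE_CONF = """\
conn roaming
   authby=secret
   type=transport
   left=172.31.255.216
   leftsubnet=0.0.0.0/0
   right=%any
   rightaddresspool=172.31.255.1-172.31.255.250
   ikev2=never
   mark=%unique
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section found."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)", line)    # unindented 'conn name'
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint_conn(opts):
    """Return a list of findings for one conn's option dict (libreswan's default type is tunnel)."""
    findings = []
    selectors = [k for k in ("leftsubnet", "rightsubnet") if k in opts]
    if opts.get("type", "tunnel") == "transport" and selectors:
        findings.append("transport mode cannot carry a subnet selector "
                        f"({', '.join(selectors)}); use type=tunnel")
    if opts.get("mark") == "%unique":
        findings.append("mark=%unique needs packets marked by your own iptables "
                        "rules or routed through a VTI device; otherwise remove it")
    return findings

def fixed_conn(opts):
    """Minimal fix: switch to tunnel mode and drop the mark; everything else is kept."""
    fixed = {k: v for k, v in opts.items() if k != "mark"}
    fixed["type"] = "tunnel"
    return fixed

if __name__ == "__main__":
    for name, opts in parse_conns(SAMPLE_CONF).items():
        for finding in lint_conn(opts):
            print(f"{name}: {finding}")
```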