[Swan] Android VPN not passing any traffic, OSX does work

Viktor Keremedchiev vkeremedchiev at adaptavist.com
Wed Mar 8 14:31:30 UTC 2017


I’ve adjusted the type to tunnel, although OSX clients work(ed) flawlessly.

I removed marking but there is still no traffic from my Android device.

Anything else I can try?

Also, is there a way to push search domains, and NOT just domains (modecfgdomain=)?

Viktor

> On Mar 8, 2017, at 7:44 AM, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Tue, 7 Mar 2017, Viktor Keremedchiev wrote:
> 
>> I’m running 2 separate instances on AWS, one 3.19 and the other 3.20drq on CentOS. None of them works with Android; on Windows the connection stalls at IKE pull.
>> 
>> My configuration on both is as follows:
>> conn roaming
>>   authby=secret
>>   type=transport
>>   left=172.31.255.216
>>   leftsubnet=0.0.0.0/0
>>   right=%any
>>   rightaddresspool=172.31.255.1-172.31.255.250
> 
> Transport mode cannot have subnet. You must use tunnel mode for that.
> 
>>   cisco-unity=yes
>>   modecfgdns1=8.8.8.8
>>   modecfgdns2=8.8.4.4
>>   narrowing=yes
>>   leftxauthserver=yes
>>   rightxauthclient=yes
>>   leftmodecfgserver=yes
>>   rightmodecfgclient=yes
>>   modecfgpull=yes
>>   ike_frag=yes
>>   ikev2=never
>>   auto=add
>>   pfs=no
>>   rekey=no
>>   mark=%unique
> 
> If you require marking, you must ensure that your packets are getting
> marked, either by your own iptables rules or by routing it into VTI
> devices with the proper mark.
> 
>> When I use OSX 10.12 all is well. I can authenticate and pass traffic. However when I connect using same credentials and PSK from Android phone it connects but it doesn’t pass any traffic:
> 
> Hmm possibly OSX uses tunnel mode anyway?
> 
>> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: responding to Main Mode from unknown peer 199.7.157.82
>> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: Main mode peer ID is ID_IPV4_ADDR: '10.156.143.137'
>> Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: switched from "roaming"[1] 199.7.157.82 to "roaming"
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: deleting connection "roaming"[1] 199.7.157.82 instance with peer 199.7.157.82 {isakmp=#0/ipsec=#0}
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: new NAT mapping for #1, was 199.7.157.82:62456, now 199.7.157.82:40044
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
>> Mar  7 17:08:08: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
>> Mar  7 17:08:08: | ISAKMP Notification Payload
>> Mar  7 17:08:08: |   00 00 00 1c  00 00 00 01  01 10 60 02
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: received and ignored informational message
>> Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
>> Mar  7 17:08:08: XAUTH: User viktork: Attempting to login
>> Mar  7 17:08:08: XAUTH: pam authentication being called to authenticate user viktork
>> Mar  7 17:08:09: XAUTH: User viktork: Authentication Successful
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: XAUTH: xauth_inR1(STF_OK)
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_BANNER received.
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
>> Mar  7 17:08:09: | We are not sending a domain
>> Mar  7 17:08:09: | We are not sending a banner
>> Mar  7 17:08:09: | We are 0.0.0.0/0 so not sending CISCO_SPLIT_INC
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: modecfg_inR0(STF_OK)
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
>> Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #1: the peer proposed: 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: responding to Quick Mode proposal {msgid:ee4a6abc}
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:     us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:   them: 199.7.157.82[10.156.143.137,+MC+XC+S=C]===172.31.255.1/32
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}
> 
> This looks good. Perhaps try without marking?
> 
> Paul
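The log above states the negotiated mode and the traffic selectors explicitly ("us: 0.0.0.0/0===...", "them: ...===172.31.255.1/32", "IPsec SA established transport mode"), which is the evidence behind Paul's point that a transport-mode SA cannot carry a subnet. The script below is an added example (not from the thread or from libreswan) that pulls those three fields out of pluto log lines and flags a transport-mode child SA whose selector is wider than a single host. The regular expressions assume the Quick Mode line layout shown in this thread; the embedded sample lines are copied from the log above. After changing type=tunnel, re-running this over a fresh log should show mode=tunnel and no warning.

```python
"""Report the mode and selectors of IPsec child SAs from libreswan pluto logs.

Added example for the thread; not libreswan code. It recognises the three
Quick Mode lines pluto writes per child SA ("us:", "them:" and
"STATE_QUICK_R2: IPsec SA established <mode> mode") and warns when a
transport-mode SA is paired with a subnet selector, the combination the
thread discusses.
"""
import re
import sys
from ipaddress import ip_network

# Sample input: three lines copied from the log in the thread.
SAMPLE_LOG = """\
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:     us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:   them: 199.7.157.82[10.156.143.137,+MC+XC+S=C]===172.31.255.1/32
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}
"""

# Line layout assumed from the thread: "<conn>"[<inst>] <peer> #<sa>: ...
_PREFIX = r'"(?P<conn>[^"]+)"\[\d+\] \S+ #(?P<sa>\d+):'
US_RE = re.compile(_PREFIX + r'\s+us: (?P<subnet>\S+?)===')
THEM_RE = re.compile(_PREFIX + r'\s+them: \S+===(?P<subnet>\S+)')
EST_RE = re.compile(_PREFIX + r' STATE_QUICK_R2: IPsec SA established '
                    r'(?P<mode>tunnel|transport) mode')


def parse_quick_mode(log_text):
    """Return {(conn_name, sa_number): {"us": ..., "them": ..., "mode": ...}}."""
    sas = {}
    for line in log_text.splitlines():
        for key, rx in (("us", US_RE), ("them", THEM_RE), ("mode", EST_RE)):
            m = rx.search(line)
            if m:
                entry = sas.setdefault((m.group("conn"), int(m.group("sa"))), {})
                entry[key] = m.group("mode") if key == "mode" else m.group("subnet")
    return sas


def check_sa(entry):
    """Return a list of findings for one child SA.

    Transport mode only protects host-to-host traffic, so a selector wider
    than one host (prefix shorter than the address length) cannot be carried
    by it; that is what leftsubnet=0.0.0.0/0 asks for here.
    """
    findings = []
    if entry.get("mode") == "transport":
        for side in ("us", "them"):
            sel = entry.get(side)
            if sel is None:
                continue
            net = ip_network(sel, strict=False)
            if net.prefixlen < net.max_prefixlen:
                findings.append(
                    f"transport mode SA with subnet selector {side}={sel}; use type=tunnel")
    return findings


if __name__ == "__main__":
    # Pipe a pluto log on stdin, or run with no input to use the sample lines.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for (conn, sa), entry in sorted(parse_quick_mode(text).items()):
        print(f"{conn} #{sa}: mode={entry.get('mode')} "
              f"us={entry.get('us')} them={entry.get('them')}")
        for finding in check_sa(entry):
            print("  WARNING:", finding)
```

Run as `grep QUICK /var/log/secure | python3 sa_mode_check.py` (the file name is whatever you save it as) to check a live log; on the thread's sample it reports mode=transport with a warning about us=0.0.0.0/0, and a tunnel-mode SA with the same selectors produces no warning.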
