[Swan] Android VPN not passing any traffic, OSX does work
Viktor Keremedchiev
vkeremedchiev at adaptavist.com
Wed Mar 8 14:31:30 UTC 2017
I’ve adjusted the type to tunnel, although OSX clients work(ed) flawlessly.
I removed marking but there is still no traffic from my Android device.
Anything else I can try?
Also, is there a way to push search domains, and NOT just domains (modecfgdomain=)?
Viktor
> On Mar 8, 2017, at 7:44 AM, Paul Wouters <paul at nohats.ca> wrote:
>
> On Tue, 7 Mar 2017, Viktor Keremedchiev wrote:
>
>> I’m running 2 separate instances on AWS, one 3.19 and the other 3.20drq on CentOS. Neither of them works with Android; on Windows the connection stalls at IKE pull.
>>
>> My configuration on both is as follows:
>> conn roaming
>> authby=secret
>> type=transport
>> left=172.31.255.216
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightaddresspool=172.31.255.1-172.31.255.250
>
> Transport mode cannot have subnet. You must use tunnel mode for that.
>
>> cisco-unity=yes
>> modecfgdns1=8.8.8.8
>> modecfgdns2=8.8.4.4
>> narrowing=yes
>> leftxauthserver=yes
>> rightxauthclient=yes
>> leftmodecfgserver=yes
>> rightmodecfgclient=yes
>> modecfgpull=yes
>> ike_frag=yes
>> ikev2=never
>> auto=add
>> pfs=no
>> rekey=no
>> mark=%unique
>
> If you require marking, you must ensure that your packets are getting
> marked, either by your own iptables rules or by routing it into VTI
> devices with the proper mark.
>
>> When I use OSX 10.12 all is well. I can authenticate and pass traffic. However when I connect using same credentials and PSK from Android phone it connects but it doesn’t pass any traffic:
>
> Hmm, possibly OSX uses tunnel mode anyway?
>
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: responding to Main Mode from unknown peer 199.7.157.82
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: Main mode peer ID is ID_IPV4_ADDR: '10.156.143.137'
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: switched from "roaming"[1] 199.7.157.82 to "roaming"
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: deleting connection "roaming"[1] 199.7.157.82 instance with peer 199.7.157.82 {isakmp=#0/ipsec=#0}
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: new NAT mapping for #1, was 199.7.157.82:62456, now 199.7.157.82:40044
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
>> Mar 7 17:08:08: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
>> Mar 7 17:08:08: | ISAKMP Notification Payload
>> Mar 7 17:08:08: | 00 00 00 1c 00 00 00 01 01 10 60 02
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: received and ignored informational message
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
>> Mar 7 17:08:08: XAUTH: User viktork: Attempting to login
>> Mar 7 17:08:08: XAUTH: pam authentication being called to authenticate user viktork
>> Mar 7 17:08:09: XAUTH: User viktork: Authentication Successful
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: XAUTH: xauth_inR1(STF_OK)
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_BANNER received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
>> Mar 7 17:08:09: | We are not sending a domain
>> Mar 7 17:08:09: | We are not sending a banner
>> Mar 7 17:08:09: | We are 0.0.0.0/0 so not sending CISCO_SPLIT_INC
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: modecfg_inR0(STF_OK)
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #1: the peer proposed: 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: responding to Quick Mode proposal {msgid:ee4a6abc}
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: them: 199.7.157.82[10.156.143.137,+MC+XC+S=C]===172.31.255.1/32
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}
>
> This looks good. Perhaps try without marking?
>
> Paul
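As an added example (not part of this thread and not libreswan's own tooling), the following Python script applies the two points Paul raises to a conn block and to the pluto log: it flags `type=transport` combined with a `leftsubnet`/`rightsubnet`, flags `mark=` when nothing on the conn itself (a `vti-interface=`) would mark the packets, and reads which mode the Quick Mode exchange actually negotiated from the "IPsec SA established ... mode" line. The embedded config and log line are copied from the thread and re-indented; the vti heuristic is an assumption of this script, since iptables marking rules live outside ipsec.conf and cannot be checked here.

```python
"""Added example: lint a Libreswan ipsec.conf conn block and a pluto log line for the
two mismatches raised in this thread. Not libreswan code; written for this page."""
import re
from typing import Dict, List, Optional

# Constructed sample input: the "conn roaming" block quoted in the thread, re-indented.
SAMPLE_CONF = """\
conn roaming
    authby=secret
    type=transport
    left=172.31.255.216
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=172.31.255.1-172.31.255.250
    cisco-unity=yes
    modecfgdns1=8.8.8.8
    modecfgdns2=8.8.4.4
    narrowing=yes
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    ike_frag=yes
    ikev2=never
    auto=add
    pfs=no
    rekey=no
    mark=%unique
"""

# Constructed sample input: the Quick Mode line from the pluto log quoted in the thread.
SAMPLE_LOG = [
    'Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA established '
    'transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 '
    'NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}',
]

SUBNET_KEYS = ("leftsubnet", "rightsubnet", "leftsubnets", "rightsubnets")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section; 'config setup' is skipped."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing whitespace
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if re.match(r"^config\s", line):
            current = None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip().lower()] = value.strip()
    return conns


def lint_conn(name: str, opts: Dict[str, str]) -> List[str]:
    """Apply the two checks from the thread to one conn's options."""
    findings: List[str] = []
    # 1. Transport mode cannot carry a subnet; a 0.0.0.0/0 leftsubnet needs type=tunnel.
    if opts.get("type", "tunnel").lower() == "transport":
        present = [k for k in SUBNET_KEYS if k in opts]
        if present:
            findings.append(f"{name}: type=transport with {', '.join(present)}; use type=tunnel")
    # 2. A mark only helps if something marks the packets: iptables rules (outside
    #    ipsec.conf, not checkable here) or a VTI device configured on the conn.
    #    Assumption of this script: look for a vti-* option as the in-config signal.
    if opts.get("mark") and not any(k.startswith("vti-") for k in opts):
        findings.append(
            f"{name}: mark={opts['mark']} but no vti-interface=; without iptables "
            "marking or a VTI device, traffic will not match the policy")
    return findings


def negotiated_mode(log_lines: List[str]) -> Optional[str]:
    """Return 'transport' or 'tunnel' from the 'IPsec SA established' log line, if present."""
    pat = re.compile(r"IPsec SA established (transport|tunnel) mode")
    for line in log_lines:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def check(conf_text: str, log_lines: List[str]) -> List[str]:
    """Lint every conn, then compare the configured type with what pluto actually negotiated."""
    findings: List[str] = []
    conns = parse_conns(conf_text)
    for name, opts in conns.items():
        findings.extend(lint_conn(name, opts))
    mode = negotiated_mode(log_lines)
    for name, opts in conns.items():
        configured = opts.get("type", "tunnel").lower()
        if mode and mode != configured:
            findings.append(f"{name}: config says type={configured} but log shows {mode} mode")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

Running it against the quoted config reports both of Paul's points; after changing the conn to `type=tunnel`, the log comparison is what tells you whether the client actually negotiated tunnel mode or whether the old transport SA is still being reused, which is worth confirming before looking elsewhere for the missing Android traffic.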