[Swan] Android VPN not passing any traffic, OSX does work

Viktor Keremedchiev vkeremedchiev at adaptavist.com
Fri Mar 10 22:33:07 UTC 2017


Thank you Paul,


ipsec verify


Version check and ipsec on-path                   	[OK]
Libreswan 3.20dr1 (netkey) on 3.10.0-123.4.4.el7.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Two or more interfaces found, checking IP forwarding	[OK]
Checking rp_filter                                	[OK]
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[OK]
Checking for obsolete ipsec.conf options          	[OK]


I have pretty stock routing; there is a simple SNAT and not much else.

This is the pattern I see, where the public IP is the cell provider and the server side is AWS:

IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5df), length 100
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e0), length 100
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e1), length 100
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e2), length 100
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e3), length 100
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e4), length 100
IP 172.31.255.216.ipsec-nat-t > 199.119.233.253.36173: isakmp-nat-keep-alive
IP 172.31.255.216.ipsec-nat-t > 199.119.233.253.36173: isakmp-nat-keep-alive
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e5), length 116
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e6), length 100
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e7), length 100
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e8), length 116
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5e9), length 116
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXXX,seq=0x5eb), length 100

Also, as per https://libreswan.org/wiki/FAQ#Using_SHA2_256_for_ESP_connection_establishes_but_no_traffic_passes_.28especially_Android_6.0.29
I experimented with leaving only esp=aes_gcm-null, but nothing seems to change.



> On Mar 10, 2017, at 5:09 PM, Paul Wouters <paul at nohats.ca> wrote:
> 
> On Wed, 8 Mar 2017, Viktor Keremedchiev wrote:
> 
>> I’ve adjusted the type to tunnel, although OSX clients work(ed) flawlessly.
>> 
>> I removed marking but there is still no traffic from my android device
>> 
>> Anything else I can try?
> 
> I don't know then. It should work fine. Perhaps "ipsec verify" logs a
> few warnings? Could be rp_filter or redirects or anything?
> 
>> Also is there a way to push search domains, and NOT just domains (modecfgdomain=)
> 
> No. That would be a security issue. However for IKEv2 we are working to
> support https://tools.ietf.org/html/draft-pauly-ipsecme-split-dns which
> does allow at least to specify multiple domains to forward via the VPN.
> 
> Paul



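As an added diagnostic for the capture pattern shown above (this is not code from the thread or from Libreswan), the following Python script parses tcpdump lines of that form and reports whether ESP flows in both directions, or only from the client while the server answers with nothing but NAT-T keepalives. The sample lines, the SPI value and the server address in the sample are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches the tcpdump lines quoted in the thread:
#   IP a.b.c.d.port > e.f.g.h.ipsec-nat-t: UDP-encap: ESP(spi=0x...,seq=0x...), length N
# The SPI group also accepts the 'X' characters used to mask it on the list.
ESP_RE = re.compile(r"^IP (\S+) > (\S+): UDP-encap: ESP\(spi=0x[0-9a-fA-FX]+,seq=0x([0-9a-fA-F]+)\), length \d+$")
KEEPALIVE_RE = re.compile(r"^IP (\S+) > (\S+): isakmp-nat-keep-alive$")

# Constructed sample reproducing the thread's pattern (SPI value is a placeholder).
SAMPLE = """\
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0x0000abcd,seq=0x5e8), length 116
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0x0000abcd,seq=0x5e9), length 116
IP 172.31.255.216.ipsec-nat-t > 199.119.233.253.36173: isakmp-nat-keep-alive
IP 199.119.233.253.36173 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0x0000abcd,seq=0x5eb), length 100
"""

def parse_capture(text):
    """Count ESP packets and NAT-T keepalives per (src, dst) pair, keeping ESP seq numbers."""
    flows = defaultdict(lambda: {"esp": 0, "seqs": [], "keepalive": 0})
    for line in text.splitlines():
        if m := ESP_RE.match(line.strip()):
            src, dst, seq = m.groups()
            flows[(src, dst)]["esp"] += 1
            flows[(src, dst)]["seqs"].append(int(seq, 16))
        elif m := KEEPALIVE_RE.match(line.strip()):
            flows[m.groups()]["keepalive"] += 1
    return dict(flows)

def missing_seqs(seqs):
    """ESP sequence numbers skipped between the first and last packet seen."""
    return sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs)) if seqs else []

def diagnose(text, server_ip):
    """Return (verdict, inbound_esp, outbound_esp, missing_inbound_seqs); 'inbound-only'
    is the thread's pattern: client ESP arrives, server sends only NAT-T keepalives."""
    prefix = server_ip + "."
    inbound = outbound = 0
    missing = []
    for (src, dst), f in parse_capture(text).items():
        if dst.startswith(prefix):
            inbound += f["esp"]
            missing += missing_seqs(f["seqs"])
        elif src.startswith(prefix):
            outbound += f["esp"]
    verdict = {(True, True): "ok", (True, False): "inbound-only",
               (False, True): "outbound-only"}.get((inbound > 0, outbound > 0), "no-esp")
    return verdict, inbound, outbound, sorted(missing)
```

Run `diagnose(SAMPLE, "172.31.255.216")` to get `('inbound-only', 3, 0, [1514])`; the missing sequence number corresponds to the 0x5ea gap visible in the capture above.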