[Swan] Android VPN not passing any traffic, OSX does work

Antonio Silva asilva at wirelessmundi.com
Wed Apr 12 08:12:43 UTC 2017


Hi,

I'm facing the same issue with Android version 7.0.

It works when I set sha2-truncbug=yes; without this no traffic is sent 
from the Android device.
If I set this option by default, all non-Android clients with IKEv1 XAuth 
will be broken. Is it possible to define a conn for a particular device 
model / client?




My conf:
version 2.0
config setup
         protostack=netkey
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn tunnel2-aggr
         aggrmode=yes
         also=tunnel2

conn tunnel2
         pfs=no
         type=tunnel
         auto=add
         phase2=esp
         authby=secret
         keyingtries=3
         left=192.168.2.20
         leftsubnet=0.0.0.0/0
         leftnexthop=1.100.100.100
         leftid=@publicip
         leftupdown=ipsec_monitor.php
         right=%any
         rightid=%any
         rightaddresspool=192.168.168.87-192.168.168.90
         rightupdown=ipsec_monitor.php
         dpddelay=30
         dpdtimeout=60
         dpdaction=clear
         leftxauthserver=yes
         rightxauthclient=yes
         leftmodecfgserver=yes
         rightmodecfgclient=yes
         modecfgpull=yes
         ike-frag=yes
         xauthby=pam
         sha2-truncbug=yes


On 03/14/2017 05:09 PM, Viktor Keremedchiev wrote:
> I’m sorry if I’ve made this confusing.
>
> But simple answer is none of the stuff I’ve tried works for me when it comes to Android.
> Windows and OSX - do work fine.
>
>
>> On Mar 14, 2017, at 12:00 PM, Paul Wouters <paul at nohats.ca> wrote:
>>
>> On Tue, 14 Mar 2017, Viktor Keremedchiev wrote:
>>
>> And using AES_GCM does give traffic ?
>>
>> Sorry, I'm really trying to make sure there are no new issues, and I'm
>> still a little confused what works or does not work for you.
>>
>>
>> Paul
>>
>>> Date: Tue, 14 Mar 2017 11:51:22
>>> From: Viktor Keremedchiev <vkeremedchiev at adaptavist.com>
>>> To: swan at lists.libreswan.org
>>> Subject: Re: [Swan] Android VPN not passing any traffic, OSX does work
>>> Just tried
>>>
>>> 000 "roaming":   ESP algorithms wanted: AES_GCM_C(20)_000-NONE(0), AES(12)_256-SHA2_256(5)
>>> 000 "roaming":   ESP algorithms loaded: AES_GCM_C(20)_000-NONE(0), AES(12)_256-SHA2_256(5)
>>>
>>>
>>>
>>>
>>> Mar 14 15:48:22: "roaming"[2] 199.7.157.124 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
>>> Mar 14 15:48:22: "roaming"[2] 199.7.157.124 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #1: the peer proposed: 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: responding to Quick Mode proposal {msgid:f15da5ee}
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2:     us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2:   them: 199.7.157.124[10.156.163.19,+MC+XC+S=C]===172.31.255.1/32
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX
>>>
>>>
>>> Connects, but no traffic
>>>
>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x185), length 116
>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x186), length 116
>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x187), length 116
>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x188), length 116
>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x18a), length 100
>>>
>>>> On Mar 14, 2017, at 11:15 AM, Paul Wouters <paul at nohats.ca> wrote:
>>>>
>>>> On Tue, 14 Mar 2017, Viktor Keremedchiev wrote:
>>>>
>>>>> I used this: phase2alg=aes_gcm-null
>>>> So Android does support AES-GCM now for phase2/esp ?
>>>>
>>>> And traffic flow works properly with this?
>>>>
>>>> Paul
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>
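The sha2-truncbug interop problem behind the fix above, as an added illustration that is not part of this thread or of Libreswan's code: RFC 4868 truncates HMAC-SHA2-256 to 128 bits for the ESP ICV, while sha2-truncbug=yes makes Libreswan use the 96-bit truncation that some peers implement, and when the two sides disagree every ESP packet fails its integrity check and is silently dropped, which is exactly what "connects, but no traffic" looks like. The packet layout is a simplified stand-in (no encryption, no ESP trailer), the key and payload are constructed, and the SPI and sequence number are taken from the log lines quoted above.

```python
import hmac
import hashlib

# RFC 4868 HMAC-SHA-256-128: the ICV is the first 128 bits of the HMAC.
RFC4868_TRUNC_BITS = 128
# The 96-bit truncation that sha2-truncbug=yes makes Libreswan use for interop.
TRUNCBUG_TRUNC_BITS = 96


def esp_icv(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """HMAC-SHA2-256 over the authenticated part of an ESP packet, truncated."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[: trunc_bits // 8]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes, trunc_bits: int) -> bytes:
    """Simplified ESP packet: SPI | sequence | (already encrypted) payload | ICV."""
    authenticated = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return authenticated + esp_icv(key, authenticated, trunc_bits)


def verify_esp(key: bytes, packet: bytes, trunc_bits: int) -> bool:
    """Receiver check: strip the ICV length it expects and recompute it."""
    icv_len = trunc_bits // 8
    if len(packet) < 8 + icv_len:
        return False
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, authenticated, trunc_bits))


def truncation_mismatch_demo() -> dict:
    """Show which sender/receiver truncation pairs accept the same packet."""
    key = b"constructed-demo-integrity-key"  # constructed, not a real SA key
    payload = bytes(range(64))               # constructed stand-in for ciphertext
    spi, seq = 0x034DD8F5, 0x185             # values from the thread's log lines
    results = {}
    for sender_bits in (RFC4868_TRUNC_BITS, TRUNCBUG_TRUNC_BITS):
        pkt = build_esp(key, spi, seq, payload, sender_bits)
        for receiver_bits in (RFC4868_TRUNC_BITS, TRUNCBUG_TRUNC_BITS):
            # Only matching truncations verify; a mismatch drops every packet.
            results[(sender_bits, receiver_bits)] = verify_esp(key, pkt, receiver_bits)
        results[("length", sender_bits)] = len(pkt)
    return results
```

For otherwise identical packets, the 96-bit ICV makes the ESP packet 4 bytes shorter than the RFC 4868 form, which is one on-the-wire hint that the two sides use different truncations.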
