[Swan] Android VPN not passing any traffic, OSX does work

Paul Wouters paul at nohats.ca
Wed Apr 12 17:29:46 UTC 2017


On Wed, 12 Apr 2017, Antonio Silva wrote:

> I'm facing the same issue with Android version 7.0.
>
> It works when I set sha2-truncbug=yes; without this no traffic is sent
> from the Android device.
> If I set this option by default, all non-Android clients with IKEv1 XAUTH
> will be broken. Is it possible to define a conn for a particular device
> model / client?

>         sha2-truncbug=yes

Your best bet is to use a phase2alg= (aka esp=) line that will favour
another algorithm:

 	phase2alg=aes_gcm256-null,aes256-sha2_512,aes256-sha2_256

Hopefully then most sane clients (like iOS) will pick aes_gcm and only
the android clients not supporting anything else will end up on
aes256-sha2_256, which your sha2-truncbug=yes will mangle.

For iOS when using .mobileconfig, be sure to not add sha2_256 as a
valid algorithm because then it will fail when it is mangled with
sha2-truncbug=yes

Paul


>
> On 03/14/2017 05:09 PM, Viktor Keremedchiev wrote:
>> I’m sorry if I’ve made this confusing.
>>
>> But simple answer is none of the stuff I’ve tried works for me when it comes to Android.
>> Windows and OSX - do work fine.
>>
>>
>>> On Mar 14, 2017, at 12:00 PM, Paul Wouters <paul at nohats.ca> wrote:
>>>
>>> On Tue, 14 Mar 2017, Viktor Keremedchiev wrote:
>>>
>>> And using AES_GCM does give traffic ?
>>>
>>> Sorry, I'm really trying to make sure there are no new issues, and I'm
>>> still a little confused what works or does not work for you.
>>>
>>>
>>> Paul
>>>
>>>> Date: Tue, 14 Mar 2017 11:51:22
>>>> From: Viktor Keremedchiev <vkeremedchiev at adaptavist.com>
>>>> To: swan at lists.libreswan.org
>>>> Subject: Re: [Swan] Android VPN not passing any traffic, OSX does work
>>>> Just tried
>>>>
>>>> 000 "roaming":   ESP algorithms wanted: AES_GCM_C(20)_000-NONE(0), AES(12)_256-SHA2_256(5)
>>>> 000 "roaming":   ESP algorithms loaded: AES_GCM_C(20)_000-NONE(0), AES(12)_256-SHA2_256(5)
>>>>
>>>>
>>>>
>>>>
>>>> Mar 14 15:48:22: "roaming"[2] 199.7.157.124 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
>>>> Mar 14 15:48:22: "roaming"[2] 199.7.157.124 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #1: the peer proposed: 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: responding to Quick Mode proposal {msgid:f15da5ee}
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2:     us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2:   them: 199.7.157.124[10.156.163.19,+MC+XC+S=C]===172.31.255.1/32
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>>> Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX
>>>>
>>>>
>>>> Connects, but no traffic
>>>>
>>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x185), length 116
>>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x186), length 116
>>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x187), length 116
>>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x188), length 116
>>>> IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x18a), length 100
>>>>
>>>>> On Mar 14, 2017, at 11:15 AM, Paul Wouters <paul at nohats.ca> wrote:
>>>>>
>>>>> On Tue, 14 Mar 2017, Viktor Keremedchiev wrote:
>>>>>
>>>>>> I used this: phase2alg=aes_gcm-null
>>>>> So Android does support AES-GCM now for phase2/esp ?
>>>>>
>>>>> And traffic flow works properly with this?
>>>>>
>>>>> Paul
>>>> _______________________________________________
>>>> Swan mailing list
>>>> Swan at lists.libreswan.org
>>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>>

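Paul's advice in this thread is to order the ESP proposal so that capable clients pick AES-GCM and only the Android clients fall through to aes256-sha2_256, the one transform that sha2-truncbug=yes then mangles (Libreswan's sha2-truncbug selects the 96-bit HMAC-SHA2-256 ICV truncation some peers use instead of the 128 bits RFC 4868 specifies; an AEAD transform such as AES-GCM has no separate HMAC ICV and is not affected). An administrator will want to confirm from the pluto log which peers actually ended up on which transform. The script below is an added example, not part of this thread or of Libreswan: it parses "IPsec SA established" lines of the form Viktor quoted above, reads the xfrm= field, and classifies each established SA as truncation-sensitive (HMAC_SHA2_256 integrity) or AEAD. It also splits an "ESP algorithms loaded:" status line so the proposal order can be checked against what was intended. The sample log is constructed: the first two lines are adapted from Viktor's log, the third is a made-up line for a second peer on AES-GCM, and the exact xfrm= spelling for GCM in that line is an assumption (the parser does not depend on it).

```python
import re
from collections import Counter

# Constructed sample log. Lines 1-2 are adapted from the log quoted in the
# thread (peer 199.7.157.124, HMAC-SHA2-256 integrity). Line 3 is made up for
# a second peer that negotiated AES-GCM; its xfrm= spelling is an assumption.
SAMPLE_LOG = """\
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX}
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX}
Mar 14 15:52:01: "roaming"[3] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0a1b2c3d <0xXXXXXXXX xfrm=AES_GCM_C_256-NONE NATOA=none NATD=198.51.100.7:4500 DPD=passive username=XXXX}
"""

# Matches the line pluto logs when a Quick Mode exchange completes and
# captures conn name, peer address, state number and the negotiated transform.
ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\]\s+(?P<peer>\S+)\s+#(?P<sa>\d+):\s+'
    r'STATE_QUICK_R2:\s+IPsec SA established.*?xfrm=(?P<xfrm>\S+)'
)

# Matches the "ESP algorithms loaded:" status line (ipsec status output).
LOADED_RE = re.compile(r'ESP algorithms loaded:\s*(?P<algs>.+)$')


def classify_transform(xfrm):
    """Say whether an ESP transform is exposed to the sha2-truncbug setting.

    sha2-truncbug only changes how the HMAC-SHA2-256 ICV is truncated, so a
    transform with HMAC_SHA2_256 integrity is the one that the setting mangles.
    An AEAD cipher (AES-GCM, integrity NONE) carries no separate HMAC ICV.
    """
    cipher, _, integ = xfrm.rpartition('-')
    if 'GCM' in cipher or integ == 'NONE':
        return 'aead-unaffected'
    if integ == 'HMAC_SHA2_256':
        return 'sha2_256-truncbug-sensitive'
    return 'other'


def established_sas(log_text):
    """Return one record per established IPsec SA found in the log text."""
    records = []
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if m:
            records.append({
                'conn': m.group('conn'),
                'peer': m.group('peer'),
                'sa': int(m.group('sa')),
                'xfrm': m.group('xfrm'),
                'class': classify_transform(m.group('xfrm')),
            })
    return records


def proposal_order(status_line):
    """Split an 'ESP algorithms loaded:' line into its transforms, in order.

    The first entry is the transform the responder prefers; for the ordering
    suggested in the thread it should be the AES-GCM one.
    """
    m = LOADED_RE.search(status_line)
    if not m:
        return []
    return [a.strip() for a in m.group('algs').split(',') if a.strip()]


def summarize(log_text):
    """Count established SAs per classification."""
    return Counter(r['class'] for r in established_sas(log_text))


if __name__ == '__main__':
    for rec in established_sas(SAMPLE_LOG):
        print(f"{rec['conn']} peer={rec['peer']} #{rec['sa']} "
              f"xfrm={rec['xfrm']} -> {rec['class']}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against /var/log/secure (or wherever pluto logs) after changing phase2alg=; any peer other than the known Android devices that shows up as sha2_256-truncbug-sensitive is one that will break once sha2-truncbug=yes is set on that conn.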
