[Swan] IPSec/XAuth, Android 8.1, and "always-on VPN"

Tan Chee Eng me at tan-ce.com
Wed Jul 25 03:15:57 UTC 2018


Hi Paul,

I don't think that's the problem. I see the following lines in the log:

"xauth-rsa"[1] {CLIENT IP} #2: STATE_QUICK_R1: sent QR1, inbound IPsec
SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0dcbfd24
<0x2ddf4c55 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD={CLIENT
IP}:31360 DPD=passive username=tan-ce}
"xauth-rsa"[1] {CLIENT IP} #2: STATE_QUICK_R2: IPsec SA established
tunnel mode {ESP/NAT=>0x0dcbfd24 <0x2ddf4c55
xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD={CLIENT IP}:31360
DPD=passive username=tan-ce}

Which seems to indicate that SHA2-512/256 was negotiated. I also have
the "truncbug" option enabled. That also doesn't explain why a manual
VPN connection _succeeds_. I only see this problem when I enable the
"Always-on VPN" option of my device.


Regards,
Chee Eng

On Wed, 25 Jul 2018 at 02:40, Paul Wouters <paul at nohats.ca> wrote:
>
> Most common Android ESP flow issue is using its bad sha2_256. Ensure your esp= line does not include it?
>
> Sent from my phone
>
> > On Jul 24, 2018, at 06:04, Tan Chee Eng <me at tan-ce.com> wrote:
> >
> > Hi,
> >
> > I'm following this example to set up libreswan on my server:
> > https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
> >
> > The configuration works when I manually connect to the VPN. However,
> > when I enable "Always-on VPN", the connection doesn't seem to work at
> > all.
> >
> > The logs (and wireshark) reveal that IKE succeeds, but after that,
> > there are no ESP packets from my Android device to the server, except
> > for NAT-keepalive.
> >
> > Has anyone encountered anything like this?
> >
> > Regards,
> > Chee Eng
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
>
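An added diagnostic (not from this thread, and not libreswan's own code) that parses pluto "IPsec SA established" lines like the ones quoted above and flags the HMAC-SHA2-256 case Paul mentions; the sample lines, the RFC 5737 addresses and the second connection are constructed.

```python
import re
from typing import Optional

# Constructed sample lines in the style of the pluto log quoted in this thread
# (placeholder addresses; the second connection is invented to show the flagged case).
SAMPLE_LOG = [
    '"xauth-rsa"[1] 203.0.113.7 #2: STATE_QUICK_R2: IPsec SA established tunnel mode '
    '{ESP/NAT=>0x0dcbfd24 <0x2ddf4c55 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none '
    'NATD=203.0.113.7:31360 DPD=passive username=tan-ce}',
    '"xauth-rsa"[2] 198.51.100.9 #4: STATE_QUICK_R2: IPsec SA established tunnel mode '
    '{ESP/NAT=>0x1a2b3c4d <0x5e6f7081 xfrm=AES_CBC_128-HMAC_SHA2_256_128 NATOA=none '
    'NATD=198.51.100.9:4500 DPD=passive username=other-user}',
    '"xauth-rsa"[1] 203.0.113.7 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2',
]

# Shape of the STATE_QUICK_R2 line: connection, instance, peer, state number,
# mode, SPIs, "ENC-INTEG" transform, then key=value pairs up to the closing brace.
SA_RE = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<sn>\d+): '
    r'STATE_QUICK_R2: IPsec SA established (?P<mode>\w+) mode '
    r'\{ESP(?P<natt>/NAT)?=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+) '
    r'xfrm=(?P<enc>[A-Z0-9_]+)-(?P<integ>[A-Z0-9_]+)(?P<rest>[^}]*)\}$'
)

def parse_sa_established(line: str) -> Optional[dict]:
    """Return the fields of a STATE_QUICK_R2 'IPsec SA established' line, or None."""
    m = SA_RE.match(line)
    if not m:
        return None
    sa = m.groupdict()
    sa["nat_t"] = sa.pop("natt") is not None          # ESP/NAT => NAT-T in use
    # Remaining key=value pairs (NATOA, NATD, DPD, username) become dict entries.
    sa.update(dict(kv.split("=", 1) for kv in sa.pop("rest").split()))
    return sa

def audit_line(line: str) -> Optional[dict]:
    """Parse one line and attach a warning when the negotiated integrity algorithm
    is HMAC-SHA2-256, which this thread identifies as problematic with Android peers."""
    sa = parse_sa_established(line)
    if sa is None:
        return None
    sa["warning"] = None
    if sa["integ"].startswith("HMAC_SHA2_256"):
        sa["warning"] = ("HMAC_SHA2_256 negotiated: Android/Linux peers may truncate to "
                         "96 bits; check sha2-truncbug= or drop sha2_256 from esp=")
    return sa

if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        r = audit_line(ln)
        if r:
            print(r["conn"], r["peer"], r["enc"], r["integ"], r.get("username"), r["warning"])
```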