[Swan] IPSec/XAuth, Android 8.1, and "always-on VPN"

Tan Chee Eng me at tan-ce.com
Sun Aug 12 02:53:30 UTC 2018


I did not... Ended up going with strongSwan and the Android app. (i.e. I
abandoned the native IPSec client.)

- Chee Eng

On Fri, 10 Aug 2018, 11:49 AM Paul Wouters, <paul at nohats.ca> wrote:

> On Wed, 25 Jul 2018, Tan Chee Eng wrote:
>
> > I don't think that's the problem. I see the following lines in the log:
> >
> > "xauth-rsa"[1] {CLIENT IP} #2: STATE_QUICK_R1: sent QR1, inbound IPsec
> > SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0dcbfd24
> > <0x2ddf4c55 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD={CLIENT
> > IP}:31360 DPD=passive username=tan-ce}
> > "xauth-rsa"[1] {CLIENT IP} #2: STATE_QUICK_R2: IPsec SA established
> > tunnel mode {ESP/NAT=>0x0dcbfd24 <0x2ddf4c55
> > xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD={CLIENT IP}:31360
> > DPD=passive username=tan-ce}
> >
> > Which seems to indicate that SHA2-512/256 was negotiated. I also have
> > the "truncbug" option enabled. That also doesn't explain why a manual
> > VPN connection _succeeds_. I only see this problem when I enable the
> > "Always-on VPN" option of my device.
>
> Did you ever find out what the issue was?
>
> Paul
>