<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Paul,<br>
<br>
I've given up for the moment. I can connect with both
esp=aes256-sha2_512 on its own and esp=aes256-sha2_256 + trunck-bug
= yes. Randomly I can occasionally ping the remote server with or
without leftupdown specified, but I cannot get any traffic to pass
e.g. ssh to server.<br>
<br>
In an earlier thread,
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/pipermail/swan/2017/002036.html">https://lists.libreswan.org/pipermail/swan/2017/002036.html</a>, the
poster said only aes256-sha2_256 + trunck-bug = yes would allow
traffic to pass. I can't even get that far.<br>
<br>
As this was only a challenge because I have a working VPN solution,
I can't afford to give any more time to it.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 09/05/2017 05:25, Paul Wouters
wrote:<br>
</div>
<blockquote
cite="mid:alpine.LRH.2.20.999.1705090022030.8357@bofh.nohats.ca"
type="cite">
<br>
On Mon, 8 May 2017, Nick Howitt wrote:
<br>
<br>
<blockquote type="cite">I got the following to connect:
<br>
</blockquote>
<br>
<blockquote type="cite"> left=82.19.158.192
<br>
leftsourceip=172.17.2.1
<br>
leftsubnet=172.17.2.0/24
<br>
leftid=@nick
<br>
right=%any
<br>
rightid=@samsung
<br>
</blockquote>
<br>
<blockquote type="cite"> rightaddresspool=172.17.4.16-172.17.4.31
<br>
</blockquote>
<br>
<blockquote type="cite"> esp=aes256-sha2_512,aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512
<br>
</blockquote>
<br>
<blockquote type="cite">I needed some or all of the lines after
the esp line. With this I had a connection but no traffic
passed.
<br>
<br>
In Android I then went into the advanced options and set the
remote network to 172.17.2.0/24 and I could access the server on
<br>
172.17.2.1 but I could not ping anything on the LAN. OpenVPN can
as can IPsec traffic from a remote router LAN-LAN VPN. Is
<br>
this an Android bug or is there another issue? I saw another
thread recently when someone also had problems routing traffic.
<br>
</blockquote>
<br>
The android bug is with esp= and sha2_256, which you wisely did
not add
<br>
to your esp= line.
<br>
<br>
I think you want:
<br>
<br>
leftupdown="ipsec _updown.netkey --route yes"
<br>
<br>
which enables proxyarp ?
<br>
<br>
Paul
<br>
</blockquote>
<br>
</body>
</html>