On Tue, 7 Mar 2017, Viktor Keremedchiev wrote:

I'm running 2 separate instances on AWS, one 3.19 and the other 3.20drq, on 
CentOS. None of them works with Android; on Windows the connection stalls at 
IKE pull.

My configuration on both is as follows:
conn roaming
   authby=secret
   type=transport
   left=172.31.255.216
   leftsubnet=0.0.0.0/0
   right=%any
   rightaddresspool=172.31.255.1-172.31.255.250

Transport mode cannot have a subnet. You must use tunnel mode for that.

   cisco-unity=yes
   modecfgdns1=8.8.8.8
   modecfgdns2=8.8.4.4
   narrowing=yes
   leftxauthserver=yes
   rightxauthclient=yes
   leftmodecfgserver=yes
   rightmodecfgclient=yes
   modecfgpull=yes
   ike_frag=yes
   ikev2=never
   auto=add
   pfs=no
   rekey=no
   mark=%unique

If you require marking, you must ensure that your packets are getting
marked, either by your own iptables rules or by routing it into VTI
devices with the proper mark.

When I use OSX 10.12 all is well. I can authenticate and pass traffic. However, 
when I connect using the same credentials and PSK from an Android phone, it connects 
but doesn't pass any traffic:

Hmm, possibly OSX uses tunnel mode anyway?

Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: responding to Main Mode from unknown peer 199.7.157.82
Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: Main mode peer ID is ID_IPV4_ADDR: '10.156.143.137'
Mar  7 17:08:08: "roaming"[1] 199.7.157.82 #1: switched from "roaming"[1] 199.7.157.82 to "roaming"
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: deleting connection "roaming"[1] 199.7.157.82 instance with peer 199.7.157.82 {isakmp=#0/ipsec=#0}
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: new NAT mapping for #1, was 199.7.157.82:62456, now 199.7.157.82:40044
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP1024}
Mar  7 17:08:08: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Mar  7 17:08:08: | ISAKMP Notification Payload
Mar  7 17:08:08: |   00 00 00 1c  00 00 00 01  01 10 60 02
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: received and ignored informational message
Mar  7 17:08:08: "roaming"[2] 199.7.157.82 #1: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
Mar  7 17:08:08: XAUTH: User viktork: Attempting to login
Mar  7 17:08:08: XAUTH: pam authentication being called to authenticate user viktork
Mar  7 17:08:09: XAUTH: User viktork: Authentication Successful
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: XAUTH: xauth_inR1(STF_OK)
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_BANNER received.
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
Mar  7 17:08:09: | We are not sending a domain
Mar  7 17:08:09: | We are not sending a banner
Mar  7 17:08:09: | We are 0.0.0.0/0 so not sending CISCO_SPLIT_INC
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: modecfg_inR0(STF_OK)
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Mar  7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #1: the peer proposed: 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: responding to Quick Mode proposal {msgid:ee4a6abc}
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:     us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2:   them: 199.7.157.82[10.156.143.137,+MC+XC+S=C]===172.31.255.1/32
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive username=viktork}

This looks good. Perhaps try without marking?

Paul
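The two configuration problems pointed out in the reply (transport mode with a subnet, and mark=%unique with nothing marking the packets) can be caught before deployment with a small lint of the conn section, and the pluto log can be checked for the mode that was actually negotiated. The following is an added example, not code from this thread or from the libreswan project. The posted conn and one joined line of the posted log are embedded as constructed input; the corrected variant (type=tunnel, mark removed) and the use of vti-interface as the sign that traffic is routed into a VTI device are assumptions of the example, and iptables rules living outside ipsec.conf are something a conf lint cannot see, so the mark finding is a warning to verify rather than a proof.

```python
"""Lint a libreswan ipsec.conf 'conn' section for the two problems raised in the
thread (transport mode carrying a subnet, and mark= set with nothing marking the
packets), and confirm from the pluto log which IPsec mode was actually negotiated.

Added example; not code from the thread or from the libreswan project.
"""
import ipaddress
import re

# The conn section posted in the thread, embedded here as constructed input.
ORIGINAL_CONN = """\
conn roaming
   authby=secret
   type=transport
   left=172.31.255.216
   leftsubnet=0.0.0.0/0
   right=%any
   rightaddresspool=172.31.255.1-172.31.255.250
   cisco-unity=yes
   modecfgdns1=8.8.8.8
   modecfgdns2=8.8.4.4
   narrowing=yes
   leftxauthserver=yes
   rightxauthclient=yes
   leftmodecfgserver=yes
   rightmodecfgclient=yes
   modecfgpull=yes
   ike_frag=yes
   ikev2=never
   auto=add
   pfs=no
   rekey=no
   mark=%unique
"""

# Assumed fix following the reply: tunnel mode, and no marking at all.
CORRECTED_CONN = (ORIGINAL_CONN.replace("type=transport", "type=tunnel")
                               .replace("   mark=%unique\n", ""))

# One line of the posted pluto log (wrapped in the mail, joined here); constructed input.
PLUTO_LOG = (
    'Mar  7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA established '
    'transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none '
    'NATD=199.7.157.82:40044 DPD=passive username=viktork}\n'
)


def parse_conn(text):
    """Parse one 'conn NAME' section into (name, {option: value})."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)\s*$", line)   # section header is unindented
        if m:
            name = m.group(1)
            continue
        if "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key.strip()] = value.strip()
    return name, opts


def _is_own_host(host, subnet):
    """True only if subnet is a single address equal to this side's host address."""
    if host in (None, "%any", "%defaultroute"):
        return False
    try:
        net = ipaddress.ip_network(subnet, strict=False)
        return net.num_addresses == 1 and ipaddress.ip_address(host) in net
    except ValueError:
        return False


def lint_conn(text):
    """Return a list of findings (empty when the conn passes both checks)."""
    name, o = parse_conn(text)
    findings = []
    # Check 1: transport mode protects host-to-host traffic only; a leftsubnet/
    # rightsubnet other than the host itself needs type=tunnel.
    if o.get("type", "tunnel") == "transport":
        for side in ("left", "right"):
            subnet = o.get(side + "subnet")
            if subnet is not None and not _is_own_host(o.get(side), subnet):
                findings.append(
                    f"{name}: type=transport with {side}subnet={subnet}; "
                    "transport mode cannot carry a subnet, use type=tunnel")
    # Check 2: a mark only selects traffic that is actually marked. Without
    # vti-interface (assumed here as the sign of a VTI route-based setup) the
    # conf alone gives no reason to expect marked packets; iptables rules
    # outside ipsec.conf cannot be seen from here, so this is a warning.
    if "mark" in o and "vti-interface" not in o:
        findings.append(
            f"{name}: mark={o['mark']} set without vti-interface; make sure your "
            "own iptables rules mark the traffic, or drop the mark")
    return findings


def negotiated_modes(log_text):
    """Modes from 'IPsec SA established <mode> mode' lines, in log order."""
    return re.findall(r"IPsec SA established (tunnel|transport) mode", log_text)


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONN), ("corrected", CORRECTED_CONN)):
        print(f"{label}: {lint_conn(conf) or ['ok']}")
    print("negotiated:", negotiated_modes(PLUTO_LOG))
```

Run against the posted conn the lint reports the leftsubnet=0.0.0.0/0 transport-mode clash and the unmarked mark=%unique; the corrected variant reports nothing, and the log check returns the transport mode that the Android client actually ended up with.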
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan