I’ve adjusted the type to tunnel, although OSX clients work(ed) flawlessly.

I removed marking but there is still no traffic from my Android device. Anything else I can try?

Also, is there a way to push search domains, and NOT just domains (modecfgdomain=)?

Viktor

> On Mar 8, 2017, at 7:44 AM, Paul Wouters <[email protected]> wrote:
>
> On Tue, 7 Mar 2017, Viktor Keremedchiev wrote:
>
>> I’m running 2 separate instances on AWS, one 3.19 and the other 3.20drq on
>> CentOS. None of them works with Android; on Windows the connection stalls at
>> IKE pull.
>>
>> My configuration on both is as follows:
>>
>> conn roaming
>> authby=secret
>> type=transport
>> left=172.31.255.216
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightaddresspool=172.31.255.1-172.31.255.250
>
> Transport mode cannot have subnet. You must use tunnel mode for that.
>
>> cisco-unity=yes
>> modecfgdns1=8.8.8.8
>> modecfgdns2=8.8.4.4
>> narrowing=yes
>> leftxauthserver=yes
>> rightxauthclient=yes
>> leftmodecfgserver=yes
>> rightmodecfgclient=yes
>> modecfgpull=yes
>> ike_frag=yes
>> ikev2=never
>> auto=add
>> pfs=no
>> rekey=no
>> mark=%unique
>
> If you require marking, you must ensure that your packets are getting
> marked, either by your own iptables rules or by routing it into VTI
> devices with the proper mark.
>
>> When I use OSX 10.12 all is well. I can authenticate and pass traffic.
>> However, when I connect using the same credentials and PSK from an Android phone it
>> connects but it doesn’t pass any traffic:
>
> Hmm, possibly OSX uses tunnel mode anyway?
>
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: responding to Main Mode from
>> unknown peer 199.7.157.82
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state
>> STATE_MAIN_R0 to state STATE_MAIN_R1
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R1: sent MR1,
>> expecting MI2
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: transition from state
>> STATE_MAIN_R1 to state STATE_MAIN_R2
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: STATE_MAIN_R2: sent MR2,
>> expecting MI3
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: Main mode peer ID is
>> ID_IPV4_ADDR: '10.156.143.137'
>> Mar 7 17:08:08: "roaming"[1] 199.7.157.82 #1: switched from "roaming"[1]
>> 199.7.157.82 to "roaming"
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: deleting connection
>> "roaming"[1] 199.7.157.82 instance with peer 199.7.157.82
>> {isakmp=#0/ipsec=#0}
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: transition from state
>> STATE_MAIN_R2 to state STATE_MAIN_R3
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: new NAT mapping for #1, was
>> 199.7.157.82:62456, now 199.7.157.82:40044
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3,
>> ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256
>> group=MODP1024}
>> Mar 7 17:08:08: | event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: XAUTH: Sending
>> Username/Password request (XAUTH_R0)
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: ignoring informational
>> payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
>> Mar 7 17:08:08: | ISAKMP Notification Payload
>> Mar 7 17:08:08: | 00 00 00 1c 00 00 00 01 01 10 60 02
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: received and ignored
>> informational message
>> Mar 7 17:08:08: "roaming"[2] 199.7.157.82 #1: Ignoring NUL at end of XAUTH
>> User Password (Android Issue 36879?)
>> Mar 7 17:08:08: XAUTH: User viktork: Attempting to login
>> Mar 7 17:08:08: XAUTH: pam authentication being called to authenticate user
>> viktork
>> Mar 7 17:08:09: XAUTH: User viktork: Authentication Successful
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: XAUTH: xauth_inR1(STF_OK)
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state
>> STATE_XAUTH_R1 to state STATE_MAIN_R3
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MAIN_R3: sent MR3,
>> ISAKMP SA established
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long
>> attribute MODECFG_BANNER received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long
>> attribute MODECFG_DOMAIN received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long
>> attribute CISCO_SPLIT_DNS received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long
>> attribute CISCO_SPLIT_INC received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long
>> attribute CISCO_SPLIT_EXCLUDE received.
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: Unsupported modecfg long
>> attribute APPLICATION_VERSION received.
>> Mar 7 17:08:09: | We are not sending a domain
>> Mar 7 17:08:09: | We are not sending a banner
>> Mar 7 17:08:09: | We are 0.0.0.0/0 so not sending CISCO_SPLIT_INC
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: modecfg_inR0(STF_OK)
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: transition from state
>> STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
>> Mar 7 17:08:09: "roaming"[2] 199.7.157.82 #1: STATE_MODE_CFG_R1: ModeCfg
>> Set sent, expecting Ack
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #1: the peer proposed:
>> 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: responding to Quick Mode
>> proposal {msgid:ee4a6abc}
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: us:
>> 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: them:
>> 199.7.157.82[10.156.143.137,+MC+XC+S=C]===172.31.255.1/32
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state
>> STATE_QUICK_R0 to state STATE_QUICK_R1
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R1: sent QR1,
>> inbound IPsec SA installed, expecting QI2 transport mode
>> {ESP/NAT=>0x0566b40b <0x2b8cfb21 xfrm=AES_256-HMAC_SHA2_256 NATOA=none
>> NATD=199.7.157.82:40044 DPD=passive username=viktork}
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: transition from state
>> STATE_QUICK_R1 to state STATE_QUICK_R2
>> Mar 7 17:08:10: "roaming"[2] 199.7.157.82 #2: STATE_QUICK_R2: IPsec SA
>> established transport mode {ESP/NAT=>0x0566b40b <0x2b8cfb21
>> xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.82:40044 DPD=passive
>> username=viktork}
>
> This looks good. Perhaps try without marking?
>
> Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
