Hi,

I'm facing the same issue with Android version 7.0.

It works when I set sha2-truncbug=yes; without it, no traffic is sent from the Android device. If I set this option by default, all non-Android clients with IKEv1 XAuth will be broken. Is it possible to define a conn for a particular device model/client?

My conf:
version 2.0
config setup
        protostack=netkey
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

conn tunnel2-aggr
        aggrmode=yes
        also=tunnel2

conn tunnel2
        pfs=no
        type=tunnel
        auto=add
        phase2=esp
        authby=secret
        keyingtries=3
        left=192.168.2.20
        leftsubnet=0.0.0.0/0
        leftnexthop=1.100.100.100
        leftid=@publicip
        leftupdown=ipsec_monitor.php
        right=%any
        rightid=%any
        rightaddresspool=192.168.168.87-192.168.168.90
        rightupdown=ipsec_monitor.php
        dpddelay=30
        dpdtimeout=60
        dpdaction=clear
        leftxauthserver=yes
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
        ike-frag=yes
        xauthby=pam
        sha2-truncbug=yes
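On the question of which clients a setting like sha2-truncbug=yes actually reaches: below is an added example, not code from this thread or from libreswan, a small Python checker that reads an ipsec.conf, flattens also= chains and lists every conn that both accepts any peer (right=%any) and carries sha2-truncbug=yes, i.e. where the interop option applies to every client that lands in that conn. It assumes that keys set directly in a conn override those pulled in via also= (an assumption about precedence, not taken from the man page), and the embedded config is a constructed excerpt in the shape of the one posted above.

```python
# Constructed excerpt shaped like the posted ipsec.conf (not the full file).
SAMPLE_CONF = """\
config setup
        protostack=netkey
conn tunnel2-aggr
        aggrmode=yes
        also=tunnel2
conn tunnel2
        type=tunnel
        right=%any
        sha2-truncbug=yes
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section ('config setup' is skipped)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # an unindented line starts a new section
            head = line.split()
            current = head[1] if head[0] == "conn" and len(head) > 1 else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:   # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def resolve(sections, name, seen=frozenset()):
    """Flatten also= chains. Assumption: keys set directly in a conn override also= ones."""
    if name in seen:
        raise ValueError(f"also= loop at conn {name}")
    own = dict(sections[name])
    merged = {}
    for inc in own.pop("also", "").split(","):   # also= may list several sections
        if inc.strip():
            merged.update(resolve(sections, inc.strip(), seen | {name}))
    merged.update(own)                            # direct settings take precedence
    return merged


def truncbug_catchall_conns(text):
    """Conns that accept any peer (right=%any) and carry sha2-truncbug=yes."""
    sections = parse_ipsec_conf(text)
    flat = {n: resolve(sections, n) for n in sections}
    return sorted(n for n, c in flat.items()
                  if c.get("right") == "%any" and c.get("sha2-truncbug") == "yes")
```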


On 03/14/2017 05:09 PM, Viktor Keremedchiev wrote:
I'm sorry if I've made this confusing.

But the simple answer is that none of the stuff I've tried works for me when it comes to Android.
Windows and OSX do work fine.


On Mar 14, 2017, at 12:00 PM, Paul Wouters <[email protected]> wrote:

On Tue, 14 Mar 2017, Viktor Keremedchiev wrote:

And using AES_GCM does give traffic?

Sorry, I'm really trying to make sure there are no new issues, and I'm
still a little confused what works or does not work for you.


Paul

Date: Tue, 14 Mar 2017 11:51:22
From: Viktor Keremedchiev <[email protected]>
To: [email protected]
Subject: Re: [Swan] Android VPN not passing any traffic, OSX does work
Just tried

000 "roaming":   ESP algorithms wanted: AES_GCM_C(20)_000-NONE(0), AES(12)_256-SHA2_256(5)
000 "roaming":   ESP algorithms loaded: AES_GCM_C(20)_000-NONE(0), AES(12)_256-SHA2_256(5)

Mar 14 15:48:22: "roaming"[2] 199.7.157.124 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Mar 14 15:48:22: "roaming"[2] 199.7.157.124 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #1: the peer proposed: 0.0.0.0/0:0/0 -> 172.31.255.1/32:0/0
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: responding to Quick Mode proposal {msgid:f15da5ee}
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2:     us: 0.0.0.0/0===172.31.255.216<172.31.255.216>[MS+XS+S=C]
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2:   them: 199.7.157.124[10.156.163.19,+MC+XC+S=C]===172.31.255.1/32
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 14 15:48:24: "roaming"[2] 199.7.157.124 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x034dd8f5 <0xXXXXXXXX xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=199.7.157.124:53562 DPD=passive username=XXXX


Connects, but no traffic

IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x185), length 116
IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x186), length 116
IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x187), length 116
IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x188), length 116
IP 199.7.157.124.53562 > 172.31.255.216.ipsec-nat-t: UDP-encap: ESP(spi=0xXXXXXXXX,seq=0x18a), length 100

On Mar 14, 2017, at 11:15 AM, Paul Wouters <[email protected]> wrote:

On Tue, 14 Mar 2017, Viktor Keremedchiev wrote:

I used this: phase2alg=aes_gcm-null
So Android does support AES-GCM now for phase2/esp?

And traffic flow works properly with this?

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan