Hi Paul, I don't think that's the problem. I see the following lines in the log:
"xauth-rsa"[1] {CLIENT IP} #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0dcbfd24 <0x2ddf4c55 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD={CLIENT IP}:31360 DPD=passive username=tan-ce}
"xauth-rsa"[1] {CLIENT IP} #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0dcbfd24 <0x2ddf4c55 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD={CLIENT IP}:31360 DPD=passive username=tan-ce}

Which seems to indicate that SHA2-512/256 was negotiated. I also have the "truncbug" option enabled.

That also doesn't explain why a manual VPN connection _succeeds_. I only see this problem when I enable the "Always-on VPN" option of my device.

Regards,
Chee Eng

On Wed, 25 Jul 2018 at 02:40, Paul Wouters <p...@nohats.ca> wrote:
>
> Most common android esp flow issue is using its bad sha2_256. Ensure your
> esp= line does not include it ?
>
> Sent from my phone
>
> > On Jul 24, 2018, at 06:04, Tan Chee Eng <m...@tan-ce.com> wrote:
> >
> > Hi,
> >
> > I'm following this example to set up libreswan on my server:
> > https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH_with_Certificates
> >
> > The configuration works when I manually connect to the VPN. However,
> > when I enable "Always-on VPN", the connection doesn't seem to work at
> > all.
> >
> > The logs (and wireshark) reveal that IKE succeeds, but after that,
> > there are no ESP packets from my Android device to the server, except
> > for NAT-keepalive.
> >
> > Has anyone encountered anything like this?
> >
> > Regards,
> > Chee Eng
> > _______________________________________________
> > Swan mailing list
> > Swan@lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
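As an added, stand-alone example that is not part of this thread and not libreswan's own code: a small Python parser for the STATE_QUICK_* log lines Chee Eng quoted. It pulls out the negotiated SPIs, the ESP encryption and integrity transforms, the NAT-D endpoint and the XAUTH username, and flags any established SA whose integrity transform is the SHA2_256 one Paul points to, so an operator can confirm from the server log (as Chee Eng did by eye) which transform was actually agreed before touching the esp= line. The client address 203.0.113.5 is a constructed placeholder standing in for `{CLIENT IP}`, the third sample line (HMAC_SHA2_256_128, peer 198.51.100.9) is constructed to show the check firing, and the assumption that libreswan names that transform with the prefix HMAC_SHA2_256 is marked in the code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the libreswan IKEv1 Quick Mode lines quoted in the thread (one SA per line):
#   "conn"[inst] peer #n: STATE_QUICK_R2: IPsec SA established tunnel mode
#       {ESP/NAT=>0xOUT <0xIN xfrm=ENC-INTEG NATOA=.. NATD=.. DPD=.. username=..}
SA_LINE = re.compile(
    r'^"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<num>\d+): '
    r'(?P<state>STATE_\w+): (?P<msg>[^{]*)\{(?P<details>[^}]*)\}\s*$'
)

# Assumption: libreswan names the SHA2-256 integrity transform with this prefix
# (e.g. HMAC_SHA2_256_128); the 512/256 transform in the thread starts with HMAC_SHA2_512.
SUSPECT_INTEG_PREFIX = "HMAC_SHA2_256"


@dataclass
class IpsecSA:
    conn: str
    peer: str
    state: str
    proto: Optional[str]     # "ESP/NAT" = ESP in UDP encapsulation because NAT-T was detected
    spi_out: Optional[str]   # SPI after "=>" (outbound from the server's point of view)
    spi_in: Optional[str]    # SPI after "<" (inbound to the server)
    enc: str                 # e.g. AES_CBC_256
    integ: str               # e.g. HMAC_SHA2_512_256
    natd: Optional[str]      # NAT-D address:port of the peer
    username: Optional[str]  # XAUTH user


def parse_sa_line(line: str) -> Optional[IpsecSA]:
    """Parse one STATE_QUICK_* line; return None for lines of any other shape."""
    m = SA_LINE.match(line)
    if not m:
        return None
    fields, proto, spi_out, spi_in = {}, None, None, None
    for tok in m.group("details").split():
        if tok.startswith("<"):             # bare "<0x..." token: inbound SPI
            spi_in = tok[1:]
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if val.startswith(">"):         # "ESP/NAT=>0x...": protocol plus outbound SPI
                proto, spi_out = key, val[1:]
            else:
                fields[key] = val
    enc, _, integ = fields.get("xfrm", "").partition("-")
    return IpsecSA(
        conn=m.group("conn"), peer=m.group("peer"), state=m.group("state"),
        proto=proto, spi_out=spi_out, spi_in=spi_in, enc=enc, integ=integ,
        natd=fields.get("NATD"), username=fields.get("username"),
    )


def established_sas(lines: List[str]) -> List[IpsecSA]:
    """Only the lines that mark a Child SA as fully up (responder R2 / initiator I2)."""
    out = []
    for line in lines:
        sa = parse_sa_line(line)
        if sa and sa.state in ("STATE_QUICK_R2", "STATE_QUICK_I2"):
            out.append(sa)
    return out


def uses_suspect_integrity(sa: IpsecSA) -> bool:
    """True when the negotiated ESP integrity transform is the SHA2-256 one the thread warns about."""
    return sa.integ.startswith(SUSPECT_INTEG_PREFIX)


# Constructed sample: the two lines quoted in the thread with {CLIENT IP} replaced by a
# documentation address, plus a third constructed SA that negotiated HMAC_SHA2_256_128.
SAMPLE_LOG = [
    '"xauth-rsa"[1] 203.0.113.5 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0dcbfd24 <0x2ddf4c55 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=203.0.113.5:31360 DPD=passive username=tan-ce}',
    '"xauth-rsa"[1] 203.0.113.5 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0dcbfd24 <0x2ddf4c55 xfrm=AES_CBC_256-HMAC_SHA2_512_256 NATOA=none NATD=203.0.113.5:31360 DPD=passive username=tan-ce}',
    '"xauth-rsa"[2] 198.51.100.9 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x1a2b3c4d <0x5e6f7081 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=198.51.100.9:4500 DPD=passive username=example-user}',
]


def report(lines: List[str]) -> List[str]:
    """One human-readable verdict per established SA."""
    out = []
    for sa in established_sas(lines):
        verdict = "CHECK esp= line (SHA2_256 negotiated)" if uses_suspect_integrity(sa) else "ok"
        out.append(f"{sa.conn} {sa.peer} user={sa.username} {sa.enc}/{sa.integ} "
                   f"out={sa.spi_out} in={sa.spi_in}: {verdict}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against `/var/log/secure` or wherever pluto logs on the host (`report(open(path).read().splitlines())`); on the lines quoted above it reports `AES_CBC_256/HMAC_SHA2_512_256 ... ok`, which matches Chee Eng's reading that the 512/256 transform, not SHA2_256, was negotiated.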