Thank you kindly :)

On 22/07/2021 19:46, Noel Kuntze wrote:
Hello Lewis,

That is because the Android app can only reasonably support tunnel mode with virtual IPs.
See the wiki article[1] for it, please.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient

On 22.07.21 at 15:31, Lewis Robson wrote:
Hi all,

I am having trouble connecting an Android device to strongSwan in transport mode.

Android works with tunnel mode and certificates
Android doesn't work with transport mode and certificates


Here is my current config I am using for testing transport mode (working tunnel mode conf below)

conn host
         left=myexternalip
         leftcert=mycert
         leftsendcert=always
         leftauth=pubkey
         right=%any
         rightid=%any
         type=transport
         auto=add
         rightauth=pubkey
         authby=pubkey



Error I'm seeing

From server end:

peer requested virtual IP %any
no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 22 14:25:50 cerberus charon: 16[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 22 14:25:50 cerberus charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA


From Android end:

received internal address failure notify, no child sa built

closing ike sa due child sa setup failure

Config that works with an Android device in tunnel mode and x509 certificates, that's working, is below

(removing left subnet, changing type and removing right source ip breaks the connection and I can't get in)

conn phones-on
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     forceencaps=yes
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=externalip
     leftcert=mycert
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     right=%any
     rightid=%any
     rightsendcert=always
     rightauth=pubkey
     authby=pubkey
     #rightauth=eap-mschapv2
     rightsourceip=10.10.10.0/24
     rightdns=8.8.8.8,8.8.4.4
     rightsendcert=never
     eap_identity=%identity
     ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!



Any ideas?

Thank you :)


--
Lewis Robson
Systems Administrator
Conscious Solutions Limited

Tel: 0117 325 0200
Web: https://www.conscious.co.uk
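
An added example, not part of the thread and not strongSwan's own code: a small checker that reads ipsec.conf-style `conn` sections and flags the two conditions the reply and the server log point to, a non-tunnel `type` and a missing `rightsourceip` pool. The sample input is constructed from the two configs above; the function names are hypothetical, and `also=` includes are not followed.

```python
import re

# Constructed sample: the two conn sections from the thread, trimmed.
SAMPLE_CONF = """\
conn host
         left=myexternalip
         right=%any
         type=transport

conn phones-on
     type=tunnel
     right=%any
     #rightauth=eap-mschapv2
     rightsourceip=10.10.10.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # simplification: '#' starts a comment
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[0] in " \t" and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()   # assumption: last assignment wins
    return conns

def android_findings(conns):
    """Return {conn_name: [problems]} for use with the Android app."""
    defaults = conns.get("%default", {})
    report = {}
    for name, opts in conns.items():
        if name == "%default":
            continue
        eff = {**defaults, **opts}             # conn %default applies to every conn
        problems = []
        if eff.get("type", "tunnel") != "tunnel":   # tunnel is the ipsec.conf default
            problems.append("type=%s: the Android app needs tunnel mode" % eff["type"])
        if not eff.get("rightsourceip"):
            problems.append("no rightsourceip: no virtual IP can be assigned")
        report[name] = problems
    return report

if __name__ == "__main__":
    print(android_findings(parse_conns(SAMPLE_CONF)))
```

A conn with no `rightsourceip` is the case that produces "no virtual IP found, sending INTERNAL_ADDRESS_FAILURE" when the peer requests a virtual IP.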
