[strongSwan] Strongswan Android Client: IKE SA established but TCP data not going through tunnel

pankaj razdan pankajrazdan at yahoo.com
Thu Sep 10 20:13:26 CEST 2020 

Hello,
I am facing issue with strongswan on Android (version 8/10). 
Strongswan is able to connect and establish first CHILD SA successfully. App also shows it is connected.12[IKE] CHILD_SA android{1} established with SPIs a84e5850_i cd5ddffe_o and TS 172.5.0.16/32 === 192.168.124.0/24

Route corresponding to this tunnelip route show table 0
172.5.0.16 dev tun1 table 1181 proto static scope link
192.168.124.0/24 dev tun1 table 1181 proto static scope link
default via 10.117.198.1 dev rmnet0 table 1003 proto static
ifconfig tuntun1      Link encap:UNSPEC
          inet addr:172.5.0.16  P-t-P:172.5.0.16  Mask:255.255.255.255
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 TX bytes:0

If I do ping to 192.168.124.100, it works well. Wireshark capture shows ESP request/response packets.
However, if I open TCP connection for remote address as 192.168.124.100 port 6000, TCP packets are not going over tunnel interface, rather they go over wifi interface and I can see destination of SYN packet as 192.168.124.100 and source as wifi interface address.netstatProto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program Name
tcp        0      0 0.0.0.0:1467                            0.0.0.0:*               LISTEN      -
tcp        0      0 100.83.59.59:40979              216.239.36.135:443      ESTABLISHED -
tcp        0      1 100.83.59.59:40642              192.168.124.100:6000    SYN_SENT    -No SYN ACK since packets are going directly on wifi interface.
I also tried to bind TCP socket to my TUN interface IP but still same issue - SYN packet going directly out on the wifi interface.netstat showstcp6       0      1 ::ffff:172.5.0.16:6002  ::ffff:192.168.124:6000 SYN_SENT    -

Configuration selected on Android appIKEv2 EAP (Username/Password)Andriod version 10 and tried on 8. Tried with emulator and Samsung Galaxy 10.
Please let me know what could be the possible issue.
Thanks,Pankaj
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200910/494c55e5/attachment.html>

More information about the Users mailing list