[strongSwan] transport mode android problems

Lewis Robson robsonl at conscious.co.uk
Thu Jul 22 15:31:13 CEST 2021


Hi all,

I am having trouble connecting an Android device to strongSwan in transport mode.

Android works with tunnel mode and certificates.
Android doesn't work with transport mode and certificates.


Here is my current config I am using for testing transport mode (working tunnel mode conf below):

conn host
         left=myexternalip
         leftcert=mycert
         leftsendcert=always
         leftauth=pubkey
         right=%any
         rightid=%any
         type=transport
         auto=add
         rightauth=pubkey
         authby=pubkey



Error I'm seeing:

From the server end:

peer requested virtual IP %any
no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 22 14:25:50 cerberus charon: 16[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 22 14:25:50 cerberus charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA


From the Android end:

received internal address failure notify, no child sa built

closing ike sa due child sa setup failure

Config that works with the Android device in tunnel mode and X.509 certificates is below.

(Removing leftsubnet, changing type and removing rightsourceip breaks the connection and I can't get in.)

conn phones-on
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     forceencaps=yes
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=externalip
     leftcert=mycert
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     right=%any
     rightid=%any
     rightsendcert=always
     rightauth=pubkey
     authby=pubkey
     #rightauth=eap-mschapv2
     rightsourceip=10.10.10.0/24
     rightdns=8.8.8.8,8.8.4.4
     rightsendcert=never
     eap_identity=%identity
     ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!



Any ideas?

Thank you :)

-- 
Lewis Robson
Systems Administrator
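As an added example (not part of the post and not strongSwan code), a small Python checker for exactly this kind of comparison: it parses the two conn sections quoted above (trimmed to the options that matter here), lists the options that differ between the transport and the working tunnel definition, reports an option that is set twice (rightsendcert appears twice in the tunnel conn, and the later line wins), and ties the server's "no virtual IP found" message to a conn that defines no rightsourceip pool. The conn contents and log lines are constructed from the post; option semantics assumed are those of ipsec.conf.

```python
import re

# Constructed from the conn sections and the charon lines quoted in the post (trimmed).
TRANSPORT_CONF = """conn host
    left=myexternalip
    leftcert=mycert
    leftauth=pubkey
    right=%any
    rightid=%any
    type=transport
    rightauth=pubkey"""
TUNNEL_CONF = """conn phones-on
    type=tunnel
    left=%any
    leftid=externalip
    leftcert=mycert
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsendcert=always
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    rightsendcert=never"""
SERVER_LOG = ["peer requested virtual IP %any",
              "no virtual IP found, sending INTERNAL_ADDRESS_FAILURE"]

def parse_ipsec_conf(text):
    """Return ({conn: {key: value}}, warnings). '#' comments are dropped; a key set
    twice keeps its last value (the later line wins) and the repeat is reported."""
    conns, warnings, name = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            conns[(name := m.group(1))] = {}
            continue
        key, sep, value = (s.strip() for s in line.partition("="))
        if name is None or not sep:
            continue
        if key in conns[name]:
            warnings.append(f"{name}: {key} set twice, last value '{value}' wins")
        conns[name][key] = value
    return conns, warnings

def diff_conns(a, b):
    """Options that differ between two parsed conn sections: {key: (a_value, b_value)}."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def explain_child_sa_failure(conn, log_lines):
    """Tie the INTERNAL_ADDRESS_FAILURE messages to the conn option they depend on."""
    if any("no virtual IP found" in l for l in log_lines) and "rightsourceip" not in conn:
        return "peer asked for a virtual IP but this conn defines no rightsourceip pool"
```

Running diff_conns on the two sections above returns exactly the three options the post names (type, leftsubnet, rightsourceip) plus the left/leftid/leftauth/rightsendcert differences, which is a quick way to confirm what actually changed between a working and a failing conn.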


