[strongSwan] transport mode android problems
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jul 22 20:46:23 CEST 2021
Hello Lewis,
That is because the Android app can only reasonably support tunnel mode with virtual IPs.
See the wiki article[1] for it, please.
Kind regards
Noel
[1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
On 22.07.21 at 15:31, Lewis Robson wrote:
> Hi all,
>
> I am having trouble connecting an android device to strongswan in transport mode.
>
> Android works with tunnel mode and certificates
> Android doesn't work with transport mode and certificates
>
>
> here is my current config I am using for testing transport mode (working tunnel mode conf below)
>
> conn host
>     left=myexternalip
>     leftcert=mycert
>     leftsendcert=always
>     leftauth=pubkey
>     right=%any
>     rightid=%any
>     type=transport
>     auto=add
>     rightauth=pubkey
>     authby=pubkey
>
>
>
> error I'm seeing
>
> from server end:
>
> peer requested virtual IP %any
> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
> Jul 22 14:25:50 cerberus charon: 16[IKE] configuration payload negotiation failed, no CHILD_SA built
> Jul 22 14:25:50 cerberus charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
>
>
> from android end:
>
> received internal address failure notify, no child sa built
>
> closing ike sa due child sa setup failure
>
> config that works with android device in tunnel mode and x509 certificates (that's working) below
>
> (removing left subnet, changing type and removing right source ip breaks the connection and I can't get in)
>
> conn phones-on
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=externalip
>     leftcert=mycert
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightsendcert=always
>     rightauth=pubkey
>     authby=pubkey
>     #rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>
>
>
> any ideas?
>
> thank you :)
>
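
The failure in this thread can be caught before a client connects. The following added example (not from the original post or the strongSwan project) parses ipsec.conf-style conn sections and reports which ones cannot serve a client that requests a virtual IP; the function names and the trimmed sample config are constructed for illustration, and `also=` / `conn %default` inheritance is not handled.

```python
import re

# Constructed sample: the two conn sections from the post, trimmed.
SAMPLE_CONF = """\
conn host
    left=myexternalip
    right=%any
    type=transport
    auto=add

conn phones-on
    type=tunnel
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    #rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def virtual_ip_problems(opts):
    """List reasons a conn cannot serve a client that requests a virtual IP."""
    problems = []
    mode = opts.get("type", "tunnel")         # ipsec.conf default is tunnel
    if mode != "tunnel":
        problems.append(f"type={mode}: the Android app needs tunnel mode")
    if "rightsourceip" not in opts:
        problems.append("no rightsourceip: server has no virtual IP to hand out")
    return problems

def audit(text):
    return {name: virtual_ip_problems(o) for name, o in parse_conns(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```
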