[strongSwan] transport mode android problems
Lewis Robson
robsonl at conscious.co.uk
Tue Jul 27 16:40:57 CEST 2021
Thank you kindly :)
On 22/07/2021 19:46, Noel Kuntze wrote:
> Hello Lewis,
>
> That is because the Android app can only reasonably support tunnel
> mode with virtual IPs.
> See the wiki article[1] for it, please.
>
> Kind regards
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient
>
> Am 22.07.21 um 15:31 schrieb Lewis Robson:
>> Hi all,
>>
>> I am having trouble connecting an android device to strongswan in
>> transport mode.
>>
>> android works with tunnel mode and certificates
>> android doesn't work with transport mode and certificates
>>
>>
>> here is my current config I am using for testing transport mode
>> (working tunnel mode conf below)
>>
>> conn host
>> left=myexternalip
>> leftcert=mycert
>> leftsendcert=always
>> leftauth=pubkey
>> right=%any
>> rightid=%any
>> type=transport
>> auto=add
>> rightauth=pubkey
>> authby=pubkey
>>
>>
>>
>> error I'm seeing
>>
>> from server end:
>>
>> peer requested virtual IP %any
>> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
>> Jul 22 14:25:50 cerberus charon: 16[IKE] configuration payload
>> negotiation failed, no CHILD_SA built
>> Jul 22 14:25:50 cerberus charon: 16[IKE] failed to establish
>> CHILD_SA, keeping IKE_SA
>>
>>
>> from android end:
>>
>> received internal address failure notify, no child sa built
>>
>> closing ike sa due child sa setup failure
>>
>> config that works with android device in tunnel mode and x509
>> certificates that's working below
>>
>> (removing left subnet, changing type and removing right source ip
>> breaks the connection and I can't get in)
>>
>> conn phones-on
>> auto=add
>> compress=no
>> type=tunnel
>> keyexchange=ikev2
>> fragmentation=yes
>> forceencaps=yes
>> dpdaction=clear
>> dpddelay=300s
>> rekey=no
>> left=%any
>> leftid=externalip
>> leftcert=mycert
>> leftsendcert=always
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightid=%any
>> rightsendcert=always
>> rightauth=pubkey
>> authby=pubkey
>> #rightauth=eap-mschapv2
>> rightsourceip=10.10.10.0/24
>> rightdns=8.8.8.8,8.8.4.4
>> rightsendcert=never
>> eap_identity=%identity
>> ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>>
>>
>>
>>
>> any ideas?
>>
>> thank you :)
>>
>
--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk
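As an added example (not code from this thread or from strongSwan itself), a small Python checker that applies Noel's point to ipsec.conf conn sections: the Android app negotiates tunnel mode and asks for a virtual IP, so a conn that is type=transport or has no rightsourceip pool will answer that request with INTERNAL_ADDRESS_FAILURE, as the charon log above shows. The sample conf is a constructed excerpt of the two configs posted in the thread.

```python
import re

# Added example: parse ipsec.conf conn sections and flag settings that cannot
# serve a client (such as the strongSwan Android app) that requests a virtual IP.

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} from ipsec.conf text; later duplicate keys win."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conns

def check_android_compat(conns):
    """Return {conn_name: [problems]} for conns that cannot serve the Android app."""
    findings = {}
    for name, opts in conns.items():
        problems = []
        conn_type = opts.get("type", "tunnel")   # ipsec.conf default is tunnel
        if conn_type != "tunnel":
            problems.append("type=%s: the Android app only supports tunnel mode" % conn_type)
        if "rightsourceip" not in opts:
            problems.append("no rightsourceip pool: a virtual IP request is answered "
                            "with INTERNAL_ADDRESS_FAILURE and no CHILD_SA is built")
        if problems:
            findings[name] = problems
    return findings

# Constructed excerpt of the two conn sections from the thread.
SAMPLE_CONF = """\
conn host
    left=myexternalip
    type=transport
    auto=add
conn phones-on
    type=tunnel
    leftsubnet=0.0.0.0/0
    rightsourceip=10.10.10.0/24
"""

if __name__ == "__main__":
    for conn, problems in check_android_compat(parse_ipsec_conf(SAMPLE_CONF)).items():
        print(conn, "->", "; ".join(problems))
```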