[strongSwan] cannot connect with android 11 standard client (but android strongswan works)
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Mon Jan 17 13:23:43 CET 2022
Hi
Try configuring your vpn-server as below:
For Split-Tunnel:
---------------------
conn WindowsAndroidOtherClients_wEAP
    left=<your-public-internet-ipaddr-here>
    right=%any
    leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
    rightsourceip=10.254.236.2/22
    rightdns=192.168.0.2,192.168.12.2,192.168.21.2
    ikelifetime=86400s
    lifetime=43200s
    rekey=no
    reauth=no
    dpddelay=40
    dpdtimeout=120
    dpdaction=clear
    modeconfig=pull
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-radius
    eap_identity=%any
    leftsendcert=always
    rightsendcert=never
    leftid=vpn.domain.org
    rightid=%any
    leftcert=vpnserverCert.pem
    auto=add
Or for FULL-Tunnel
-------------------
conn WindowsAndroidOtherClients_wEAP
    left=<your-public-internet-ipaddr-here>
    right=%any
    leftsubnet=0.0.0.0/0
    rightsourceip=10.254.236.2/22
    rightdns=192.168.0.2,192.168.12.2,192.168.21.2
    ikelifetime=86400s
    lifetime=43200s
    rekey=no
    reauth=no
    dpddelay=40
    dpdtimeout=120
    dpdaction=clear
    modeconfig=pull
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    keyexchange=ikev2
    leftauth=pubkey
    rightauth=eap-radius
    eap_identity=%any
    leftsendcert=always
    rightsendcert=never
    leftid=vpn.domain.org
    rightid=%any
    leftcert=vpnserverCert.pem
    auto=add
The above is a working config that I use for both Windows native IKEv2 and
Android clients.
thanks & regards
Rajiv
On Mon, Dec 20, 2021 at 4:42 PM Gregory Edigarov <edigarov at qarea.com> wrote:
> Hello Everybody.
>
> here's my strongswan setup:
> conn vpn-default
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=@vpn.domain.org
>     leftauth=pubkey
>     leftcert=certificate.pem
>     leftsendcert=always
>     #leftsubnet=0.0.0.0/0
>     leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
>     leftfirewall=yes
>     leftsourceip=%config
>     right=%any
>     rightid=%any
>     rightauth=eap-radius
>     rightsourceip=10.254.236.2/22
>     rightdns=192.168.0.2,192.168.12.2,192.168.21.2
>     rightsendcert=never
>     eap_identity=%identity
>
> the server uses letsencrypt certificates, stored as:
>
> 270517 4 -rw-r--r-- 1 root root 3750 Nov 18 18:54 /etc/ipsec.d/cacerts/ca.pem
> 270515 4 -rw-r--r-- 1 root root 1838 Nov 18 18:54 /etc/ipsec.d/certs/certificate.pem
> 270520 4 -rw-r--r-- 1 root root 1704 Nov 18 18:55 /etc/ipsec.d/private/key.pem
>
> which is valid:
> Issuer: C = US, O = Let's Encrypt, CN = R3
> Validity
>     Not Before: Nov 18 14:19:34 2021 GMT
>     Not After : Feb 16 14:19:33 2022 GMT
> Subject: CN = vpn.domain.org
>
> with this config I can connect from Windows 10, from Ubuntu
> via strongswan-starter (ipsec.conf) but not from Network Manager,
> from iPhone (seems to be ok), but not from the Android standard VPN client.
> i.e.:
> Windows 10 - ok
> Ubuntu (strongswan-starter) - ok
> Android (strongSwan for Android) - ok
> Ubuntu (Network Manager) - doesn't work
> Android (standard client) - doesn't work (even though I've imported the CA
> certificate)
>
> what am I missing for systems that don't work?
>
> --
> With best regards,
> Gregory Edigarov
>
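Added example (not code from the thread or from the strongSwan project): a small ipsec.conf checker that parses the two posted "conn" sections, lists every parameter that differs between them, and audits the ike=/esp= proposal strings. The embedded configs are abridged copies of the ones above with the server address replaced by the documentation placeholder 203.0.113.10; the weak-group classification follows RFC 8247 (modp1024 is SHOULD NOT, modp2048 or stronger is expected), and the strict-list and no-PFS checks reflect documented strongSwan behaviour of the trailing `!` and of an esp= proposal without a DH group. The parser also rejects a key=value line at column 0, which is what a pasted or mail-wrapped config silently turns into.

```python
import re

# Constructed input: abridged copies of the two "conn" sections posted in the
# thread. Parameter lines are indented, as ipsec.conf(5) requires; the public
# address is a documentation-range placeholder (203.0.113.10), not a real host.
POSTED_CONF = """\
conn vpn-default
    auto=add
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    fragmentation=yes
    forceencaps=yes
    dpddelay=300s
    left=%any
    leftid=@vpn.domain.org
    leftauth=pubkey
    leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
    rightauth=eap-radius
    rightsourceip=10.254.236.2/22
    eap_identity=%identity
"""

SUGGESTED_CONF = """\
conn WindowsAndroidOtherClients_wEAP
    auto=add
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpddelay=40
    dpdtimeout=120
    left=203.0.113.10
    leftid=vpn.domain.org
    leftauth=pubkey
    leftsubnet=192.168.0.0/22,192.168.12.0/22,192.168.21.0/24
    rightauth=eap-radius
    rightsourceip=10.254.236.2/22
    eap_identity=%any
"""

SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")
DH_PREFIXES = ("modp", "ecp", "curve", "x25519", "x448")
# RFC 8247 status of the finite-field groups still found in old configs.
WEAK_DH = {"modp768": "MUST NOT", "modp1024": "SHOULD NOT", "modp1536": "SHOULD NOT"}
LEGACY_INTEG = {"md5", "md5_96", "sha1", "sha1_96"}


def parse_ipsec_conf(text):
    """Return {name: {key: value}} for each 'conn' section of an ipsec.conf text.

    Section headers start in column 0 and parameter lines must be indented.
    A key=value line at column 0 (the classic paste/extraction damage) is
    reported instead of being silently mistaken for a section header.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():
            match = SECTION_RE.match(line)
            if match is None:
                if "=" in line:
                    raise ValueError(f"parameter not indented: {raw!r}")
                current = None                    # include/version lines: skip
                continue
            current = {} if match.group(1) == "conn" else None
            if current is not None:
                sections[match.group(2)] = current
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"parameter without '=': {raw!r}")
        current[key.strip()] = value.strip()
    return sections


def parse_proposals(value):
    """Split an ike=/esp= value into [[alg, alg, ...], ...]; trailing '!' = strict."""
    strict = value.endswith("!")
    body = value[:-1] if strict else value
    return [prop.split("-") for prop in body.split(",") if prop], strict


def audit_conn(params):
    """Findings for one conn: weak/legacy proposal parts, missing PFS, strict lists."""
    findings = []
    if params.get("keyexchange", "ike") != "ikev2":
        findings.append("keyexchange: not pinned to ikev2")
    for key in ("ike", "esp"):
        if key not in params:
            findings.append(f"{key}: not set, strongSwan defaults apply")
            continue
        proposals, strict = parse_proposals(params[key])
        for prop in proposals:
            groups = [alg for alg in prop if alg.startswith(DH_PREFIXES)]
            for group in groups:
                if group in WEAK_DH:
                    findings.append(f"{key}: DH group {group} is {WEAK_DH[group]} per RFC 8247")
            if key == "esp" and not groups:
                findings.append("esp: no DH group, CHILD_SA rekeys run without PFS")
            for alg in prop:
                if alg in LEGACY_INTEG:
                    findings.append(f"{key}: {alg} integrity/PRF is legacy, prefer sha256 or an AEAD")
        if strict:
            findings.append(f"{key}: strict list ('!'), peers must offer exactly these proposals")
    return findings


def diff_conns(a, b):
    """Keys set differently between two conns (None = absent on that side)."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    posted = parse_ipsec_conf(POSTED_CONF)["vpn-default"]
    suggested = parse_ipsec_conf(SUGGESTED_CONF)["WindowsAndroidOtherClients_wEAP"]
    for key, (old, new) in diff_conns(posted, suggested).items():
        print(f"{key:14} posted={old!r:36} suggested={new!r}")
    for name, conn in (("posted", posted), ("suggested", suggested)):
        print(f"\n[{name}]\n  " + "\n  ".join(audit_conn(conn)))
```

Both configs share the same aes256-sha1-modp1024 proposal, so the audit flags the same 1024-bit group and SHA-1 on each; the suggested config additionally carries the strict `!`, which drops strongSwan's default proposals and leaves the peer with only that one choice, and neither esp= line names a DH group, so CHILD_SA rekeys get no PFS. Run it against your own /etc/ipsec.conf by passing the file contents to parse_ipsec_conf; a ValueError on "parameter not indented" means the file was flattened somewhere along the way.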