Oh, and one other issue, if anyone gets bitten by this: Don't use the 'any' keyword after the 'from'/'to' attributes. Even though iked.conf(5) says you can, I got an "unsupported address family 0" error from iked. 0.0.0.0/0 works instead.
--
Lévai, Dániel

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 1 July 2019 21:19, Lévai, Dániel <l...@ecentrum.hu> wrote:

> Wow, thanks for this... For some reason I always thought that anything VPN
> related would require a rooted Android phone to mess with interfaces and
> routing, but clearly it doesn't.
> It took about 10 minutes to read https://www.openbsd.org/faq/faq17.html and
> configure a successful IKEv2 connection from strongSwan on the phone to the
> router.
>
> One more thing, how do I know what IP address my client has gotten?
> `ipsecctl(8) -vsa` doesn't show that, and iked(8) output in /var/log/daemon
> doesn't either. Right now I'm pinging my router from my phone and tcpdump-ing
> the enc0 interface for icmp packets :)
>
> Dani
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, 1 July 2019 19:34, Stuart Henderson s...@spacehopper.org wrote:
>
> > On 2019-06-30, Lévai Dániel l...@ecentrum.hu wrote:
> >
> > > I know (saw) this has come up numerous times, and someone has been
> > > successful, others weren't. I thought I'd try this out myself, and not
> > > surprisingly it wasn't successful :)
> > > I've been using these howtos [1] -- I know these can be outdated and/or
> > > simply wrong, I just wanted to get the general idea on how to tackle this.
> > > I've made it through a couple of hurdles but now I'm stuck and thought
> > > I'd ask some questions here.
> >
> > L2TP+IPsec can be made to work, but to be perfectly honest, unless you
> > have a special reason (e.g. need to run this on a box which is also
> > doing other tunnels which have to be IKEv1), then I would switch to
> > IKEv2/iked and strongswan on Android (or the built-in client on Windows
> > or iOS), it is fast to connect and generally much more pleasant to use...
> > (I still use IKEv1/isakmpd for lan-to-lan tunnels but now try to avoid
> > it for standard "roaming client" type connections).