Re: [strongSwan] transport mode android problems

2021-07-22 Thread Noel Kuntze

Hello Lewis,

That is because the Android app can only reasonably support tunnel mode with 
virtual IPs.
See the wiki article[1] for it, please.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient

On 22.07.21 at 15:31, Lewis Robson wrote:

[strongSwan] transport mode android problems

2021-07-22 Thread Lewis Robson

Hi all,

I am having trouble connecting an Android device to strongSwan in
transport mode.


Android works with tunnel mode and certificates.
Android doesn't work with transport mode and certificates.


Here is my current config I am using for testing transport mode (working
tunnel mode conf below):


conn host
    left=myexternalip
    leftcert=mycert
    leftsendcert=always
    leftauth=pubkey
    right=%any
    rightid=%any
    type=transport
    auto=add
    rightauth=pubkey
    authby=pubkey



Error I'm seeing:

From the server end:

peer requested virtual IP %any
no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 22 14:25:50 cerberus charon: 16[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 22 14:25:50 cerberus charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA



From the Android end:

received internal address failure notify, no child sa built

closing ike sa due child sa setup failure

Config that works with an Android device in tunnel mode and X.509
certificates is below.


(Removing leftsubnet, changing type and removing rightsourceip breaks
the connection and I can't get in.)


conn phones-on
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=externalip
    leftcert=mycert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsendcert=always
    rightauth=pubkey
    authby=pubkey
    #rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!



Any ideas?

Thank you :)

--
Lewis Robson
Systems Administrator
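As an added example (not code from either poster or from strongSwan), the following Python lint parses ipsec.conf-style conn sections and flags the mismatch Noel points at: type=transport with no rightsourceip pool, which is what makes the server answer a virtual-IP request with the INTERNAL_ADDRESS_FAILURE seen in the log. It also reports two caveats visible in the working tunnel config, a key set twice (rightsendcert, where the last value wins) and legacy ike proposals (3des, sha1, modp1024). The embedded config is a constructed, abridged copy of the two conn sections in the thread.

```python
# Constructed sample in ipsec.conf syntax, abridged from the two conn sections in the thread.
IPSEC_CONF = """
conn host
    left=myexternalip
    type=transport
    rightauth=pubkey

conn phones-on
    type=tunnel
    leftsubnet=0.0.0.0/0
    rightsendcert=always
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
"""
WEAK = ("3des", "sha1", "modp1024")  # legacy algorithms a reviewer would flag

def parse_conns(text):
    # {conn_name: [(key, value), ...]}; duplicate keys are kept in order so the lint can see them
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ipsec.conf comments start with '#'
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line[5:].strip(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return conns

def lint_conn(items):
    # Human-readable findings for one conn section.
    findings = []
    keys = [k for k, _ in items]
    last = dict(items)  # ipsec.conf semantics: the last occurrence of a key wins
    if last.get("type") == "transport" and "rightsourceip" not in last:
        findings.append("transport mode with no rightsourceip pool: a client that requests a "
                        "virtual IP (the Android app) is answered with INTERNAL_ADDRESS_FAILURE")
    for k in sorted({k for k in keys if keys.count(k) > 1}):
        findings.append(f"duplicate key {k}; effective value is '{last[k]}'")
    for prop in last.get("ike", "").rstrip("!").split(","):
        hits = [w for w in WEAK if w in prop]
        if hits:
            findings.append(f"weak ike proposal '{prop}' ({', '.join(hits)})")
    return findings

def lint(text):
    return {name: lint_conn(items) for name, items in parse_conns(text).items()}
```

Running lint(IPSEC_CONF) reports the transport/virtual-IP mismatch for "host" and the duplicate key plus three weak proposals for "phones-on".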