Hi, Android 11 seems to support IKEv2/IPsec now, so I'm attempting to build a roadwarrior swanctl.conf for it. So far I'm getting as far as having an SA established, but then immediately deleted. Any advice?
The Android VPN profile has:

  - Type: IKEv2/IPsec PSK
  - Server: moon.isuldor.com
  - IPsec Identifier: strongs...@isuldor.com
  - IPsec PSK: hunter2

My VPN gateway has:

  $ swanctl --version
  strongSwan swanctl 5.9.0

  $ cat /etc/swanctl/conf.d/android11.conf
  connections {
      rw-isuldor {
          local_addrs = moon.isuldor.com
          pools = android11_pool
          send_cert = always
          local {
              auth = pubkey
              certs = moon.pem
              id = moon.isuldor.com
          }
          remote {
              auth = psk
              id = strongs...@isuldor.com
          }
          children {
              moon {
                  local_ts = 0.0.0.0/0
              }
          }
      }
  }
  secrets {
      ike-isuldor {
          id_isuldor = strongs...@isuldor.com
          secret = hunter2
      }
  }
  pools {
      android11_pool {
          addrs = 192.168.2.0/24
      }
  }

Relevant logs from charon-systemd:

  X.X.X.X is initiating an IKE_SA
  IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
  selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/MODP_3072
  remote host is behind NAT
  ...
  looking for peer configs matching X.X.X.X[moon.isuldor.com]...X.X.X.X[strongs...@isuldor.com]
  selected peer config 'rw-isuldor'
  authentication of 'strongs...@isuldor.com' with pre-shared key successful
  ...
  CHILD_SA moon{4} established with SPIs cba17603_i 0f8dcc81_o and TS 0.0.0.0/0 === 192.168.2.1/32
  CHILD_SA moon{4} state change: INSTALLING => INSTALLED
  generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
  splitting IKE message (2416 bytes) into 3 fragments
  generating IKE_AUTH response 1 [ EF(1/3) ]
  generating IKE_AUTH response 1 [ EF(2/3) ]
  generating IKE_AUTH response 1 [ EF(3/3) ]
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (1236 bytes)
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (1236 bytes)
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (84 bytes)
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
  checkin IKE_SA rw-isuldor[7]
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
  checkin of IKE_SA successful
  received packet: from X.X.X.X[38733] to Y.Y.Y.Y[4500]
  waiting for data on sockets
  checkout IKEv2 SA by message with SPIs ce7fea937528e3ca_i 115e7e1303dd7bc4_r
  IKE_SA rw-isuldor[7] successfully checked out
  received packet: from X.X.X.X[38733] to Y.Y.Y.Y[4500] (80 bytes)
  parsed INFORMATIONAL request 2 [ D ]
  received DELETE for IKE_SA rw-isuldor[7]
  deleting IKE_SA rw-isuldor[7] between Y.Y.Y.Y[moon.isuldor.com]...X.X.X.X[strongs...@isuldor.com]
  IKE_SA rw-isuldor[7] state change: ESTABLISHED => DELETING
  IKE_SA deleted
  generating INFORMATIONAL response 2 [ ]
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733] (80 bytes)
  checkin and destroy IKE_SA rw-isuldor[7]
  sending packet: from Y.Y.Y.Y[4500] to X.X.X.X[38733]
  IKE_SA rw-isuldor[7] state change: DELETING => DESTROYING
  CHILD_SA moon{4} state change: INSTALLED => DESTROYING
  deleting policy 0.0.0.0/0 === 192.168.2.1/32 out
  deleting policy 192.168.2.1/32 === 0.0.0.0/0 in
  deleting policy 192.168.2.1/32 === 0.0.0.0/0 fwd
  deleting SAD entry with SPI cba17603
  deleted SAD entry with SPI cba17603
  deleting SAD entry with SPI 0f8dcc81
  deleted SAD entry with SPI 0f8dcc81
  lease 192.168.2.1 by 'strongs...@isuldor.com' went offline
  checkin and destroy of IKE_SA successful
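Added diagnostic aid, not part of the post or of strongSwan: a small Python script that walks charon log lines of the shape quoted above (a constructed sample in that shape, using the post's placeholder identity and SA names) and reports whether the DELETE was received from the peer and whether any other request arrived between the gateway's IKE_AUTH response and that DELETE, which is the first thing to establish before changing the configuration.

```python
import re

# Constructed sample in the shape of the charon-systemd lines quoted in the post
# (identity and SA names are the post's placeholders, not real hosts).
SAMPLE_LOG = """\
IKE_SA rw-isuldor[7] state change: CREATED => CONNECTING
authentication of 'strongs...@isuldor.com' with pre-shared key successful
CHILD_SA moon{4} established with SPIs cba17603_i 0f8dcc81_o and TS 0.0.0.0/0 === 192.168.2.1/32
generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr ]
generating IKE_AUTH response 1 [ EF(1/3) ]
parsed INFORMATIONAL request 2 [ D ]
received DELETE for IKE_SA rw-isuldor[7]
IKE_SA rw-isuldor[7] state change: ESTABLISHED => DELETING
IKE_SA rw-isuldor[7] state change: DELETING => DESTROYING
"""
STATE_RE = re.compile(r"IKE_SA \S+ state change: (\w+) => (\w+)")
AUTH_RESP_RE = re.compile(r"generating IKE_AUTH response \d+ \[ (.*) \]")
REQUEST_RE = re.compile(r"parsed (\w+) request \d+ \[ (.*) \]")

def trace_ike_sa(log_text: str) -> dict:
    """Walk charon lines in order and record what happened to the IKE_SA."""
    t = {"states": [], "auth_response": [], "requests_after_auth": [],
         "deleted_by_peer": False}
    seen_auth_response = False
    for line in log_text.splitlines():
        if m := STATE_RE.search(line):
            if not t["states"] or t["states"][-1] != m.group(1):
                t["states"].append(m.group(1))   # state the SA was in
            t["states"].append(m.group(2))       # state it moved to
        elif m := AUTH_RESP_RE.search(line):
            payloads = m.group(1).split()
            if not payloads[0].startswith("EF("):  # skip fragment lines
                t["auth_response"] = payloads
            seen_auth_response = True
        elif (m := REQUEST_RE.search(line)) and seen_auth_response:
            t["requests_after_auth"].append((m.group(1), m.group(2).split()))
        elif "received DELETE for IKE_SA" in line:
            t["deleted_by_peer"] = True            # peer, not us, tore it down
    return t

def diagnose(t: dict) -> str:
    if not t["deleted_by_peer"]:
        return "no peer-initiated delete seen"
    first = t["requests_after_auth"][0] if t["requests_after_auth"] else None
    if first and first[0] == "INFORMATIONAL" and "D" in first[1]:
        return ("peer deleted the IKE_SA right after our IKE_AUTH response; "
                "our response carried " + " ".join(t["auth_response"]) +
                "; the gateway side accepted the client, so look at the client")
    return "peer deleted the IKE_SA after further exchanges"
```

Run it over the real journal output with `print(diagnose(trace_ike_sa(sys.stdin.read())))` to get the same verdict for a live session.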