Hello Lewis,

That is because the Android app can only reasonably support tunnel mode with virtual IPs. See the wiki article[1] for it, please.

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient

On 22.07.21 at 15:31, Lewis Robson wrote:
Hi all,

I am having trouble connecting an Android device to strongSwan in transport mode.

Android works with tunnel mode and certificates.
Android doesn't work with transport mode and certificates.

Here is my current config I am using for testing transport mode (working tunnel mode conf below):

conn host
    left=myexternalip
    leftcert=mycert
    leftsendcert=always
    leftauth=pubkey
    right=%any
    rightid=%any
    type=transport
    auto=add
    rightauth=pubkey
    authby=pubkey

Error I'm seeing from the server end:

peer requested virtual IP %any
no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
Jul 22 14:25:50 cerberus charon: 16[IKE] configuration payload negotiation failed, no CHILD_SA built
Jul 22 14:25:50 cerberus charon: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA

From the Android end:

received internal address failure notify, no child sa built
closing ike sa due child sa setup failure

The config that works with the Android device in tunnel mode and x509 certificates is below (removing left subnet, changing type and removing right source ip breaks the connection and I can't get in):

conn phones-on
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=externalip
    leftcert=mycert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsendcert=always
    rightauth=pubkey
    authby=pubkey
    #rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!

Any ideas?

Thank you :)
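As an added example (not written by the thread's participants or the strongSwan project), this Python check reads ipsec.conf text and flags conns that cannot satisfy a client requesting a virtual IP, which is the situation behind the INTERNAL_ADDRESS_FAILURE log above. It assumes, as in the configs quoted here, that `right` is the remote peer; the function names and the trimmed sample config are constructed for illustration.

```python
# Added example: find conns that cannot serve a virtual-IP-requesting client.
SAMPLE_CONF = """\
conn host
    left=myexternalip
    right=%any
    type=transport

conn phones-on
    type=tunnel
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=10.10.10.0/24
"""  # constructed input, trimmed from the two conns quoted in this thread


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented line opens a new section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def virtual_ip_problems(text):
    """Map conn name -> reasons a virtual-IP-requesting client would fail."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})  # 'conn %default' applies to all conns
    report = {}
    for name, opts in conns.items():
        eff = {**defaults, **opts}
        reasons = []
        if eff.get("type", "tunnel") != "tunnel":  # type defaults to tunnel
            reasons.append("type=%s, client needs tunnel mode" % eff["type"])
        if not eff.get("rightsourceip"):  # assumes right is the remote peer
            reasons.append("no rightsourceip pool to assign a virtual IP from")
        if reasons:
            report[name] = reasons
    return report
```

Calling `virtual_ip_problems(SAMPLE_CONF)` reports only the `host` conn, with both reasons listed.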