Mobile ipsec works WAN side but not LAN side?



  • Hello,

    I have Mobile IKEv2 (strongSwan) working on my Android mobile. It works fine when I am on the road, and I can connect through the WAN side. However, when I reach home and connect to the pfSense LAN network, it fails to connect. I have enabled 'Host override' in DNS Resolver (split DNS) so the VPN hostname resolves to the firewall's internal IP address (192.168.1.1). Is that the correct way to do it?

    The error I get is as follows:

    Mar  5 22:57:43 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 10 - QP1A.190711.020.N960FXXS4DTA5/2020-02-01, SM-N960F - samsung/crownltexx/samsung, Linux 4.9.118-17594460, aarch64)
    Mar  5 22:57:43 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
    Mar  5 22:57:43 00[JOB] spawning 16 worker threads
    Mar  5 22:57:43 07[IKE] initiating IKE_SA android[48] to 192.168.1.1
    Mar  5 22:57:43 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Mar  5 22:57:43 07[NET] sending packet: from 192.168.1.21[50455] to 192.168.1.1[500] (716 bytes)
    Mar  5 22:57:43 16[NET] received packet: from 192.168.1.1[500] to 192.168.1.21[50455] (297 bytes)
    Mar  5 22:57:43 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Mar  5 22:57:43 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
    Mar  5 22:57:43 16[IKE] faking NAT situation to enforce UDP encapsulation
    Mar  5 22:57:43 16[IKE] received 1 cert requests for an unknown ca
    Mar  5 22:57:43 16[IKE] establishing CHILD_SA android{41}
    Mar  5 22:57:43 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Mar  5 22:57:43 16[NET] sending packet: from 192.168.1.21[51257] to 192.168.1.1[4500] (448 bytes)
    Mar  5 22:57:43 09[NET] received packet: from 192.168.1.1[4500] to 192.168.1.21[51257] (80 bytes)
    Mar  5 22:57:43 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Mar  5 22:57:43 09[IKE] received AUTHENTICATION_FAILED notify error
    

    The whole reason I am doing this is so that I don't have to enable/disable the VPN when going out or coming back home.
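Added example, not code from the post or from strongSwan: a small Python triage of charon log lines in the format quoted above. It records the peer, the negotiated proposal, the payloads of each exchange and the stage at which a notify error arrived, which separates a rejection at IKE_AUTH (the responder refused the authentication, as in the log above) from a failure earlier at IKE_SA_INIT. The sample lines are constructed from the post's own log.

```python
import re

# Constructed sample in the charon log format shown in the post above.
SAMPLE_LOG = """\
Mar  5 22:57:43 07[IKE] initiating IKE_SA android[48] to 192.168.1.1
Mar  5 22:57:43 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar  5 22:57:43 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mar  5 22:57:43 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Mar  5 22:57:43 16[IKE] received 1 cert requests for an unknown ca
Mar  5 22:57:43 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) SA TSi TSr ]
Mar  5 22:57:43 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar  5 22:57:43 09[IKE] received AUTHENTICATION_FAILED notify error
"""

# "Mar  5 22:57:43 16[ENC] parsed IKE_AUTH response 1 [ ... ]" -> subsystem + message
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \d+\[(?P<sub>\w+)\] (?P<msg>.*)$")
EXCH_RE = re.compile(r"^(?:generating|parsed) (?P<exch>\w+) (?P<kind>request|response) \d+ \[ (?P<payloads>.*) \]$")
NOTIFY_RE = re.compile(r"^received (?P<notify>[A-Z_]+) notify error$")


def triage(log):
    """Summarize one charon connection attempt: how far it got and where it stopped."""
    out = {"peer": None, "proposal": None, "exchanges": [], "notify_errors": [], "failed_stage": None}
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a charon line (e.g. app banner); ignore
        msg = m.group("msg")
        if msg.startswith("initiating IKE_SA "):
            out["peer"] = msg.rsplit(" to ", 1)[1]
        elif msg.startswith("selected proposal: "):
            out["proposal"] = msg[len("selected proposal: "):]
        else:
            em, nm = EXCH_RE.match(msg), NOTIFY_RE.match(msg)
            if em:
                out["exchanges"].append((em.group("exch"), em.group("kind"), em.group("payloads").split()))
            elif nm:
                out["notify_errors"].append(nm.group("notify"))
                # the error notify is carried in the response of the exchange parsed just before it
                out["failed_stage"] = out["exchanges"][-1][0] if out["exchanges"] else None
    return out


def responder_sent_certreq(summary):
    """True if the responder asked the client for a certificate (CERTREQ) during IKE_SA_INIT."""
    return any(e == "IKE_SA_INIT" and k == "response" and "CERTREQ" in p
               for e, k, p in summary["exchanges"])


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s["peer"], s["proposal"], s["failed_stage"], s["notify_errors"], responder_sent_certreq(s))
```

For the log in the post, the summary shows IKE_SA_INIT completing (proposal selected, CERTREQ received) and the attempt ending at IKE_AUTH with AUTHENTICATION_FAILED, so the responder saw the client but rejected its authentication rather than failing to reach it.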



  • I deleted the 'Host override' entry and strongSwan connects to the WAN IP even on the LAN side. Solved.



  • I have a 150 Mbps symmetric connection. Without the VPN, Speedtest shows the line speed, but when the VPN is enabled the speed drops considerably. In both tests, I am connected on the LAN side.

    Without VPN: (screenshot: Screenshot_20200306-090605_Speedtest.jpg)

    With VPN: (screenshot: Screenshot_20200306-090504_Speedtest.jpg)

    Is there a way to improve IPsec speed? What encryption cipher should I use to get the best speed on Android?

