Netgate Discussion Forum

    Mobile ipsec works WAN side but not LAN side?

      trumee

      Hello,

      I have Mobile IKEv2 (strongSwan) working on my Android mobile. It works fine when I am on the road, and I can connect through the WAN side. However, when I reach home and connect to the pfSense LAN network, it fails to connect. I have enabled 'Host override' in the DNS resolver (split DNS) so the VPN hostname resolves to the firewall's internal IP address (192.168.1.1). Is that the correct way to do it?

      The error I get is as follows:

      Mar  5 22:57:43 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 10 - QP1A.190711.020.N960FXXS4DTA5/2020-02-01, SM-N960F - samsung/crownltexx/samsung, Linux 4.9.118-17594460, aarch64)
      Mar  5 22:57:43 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
      Mar  5 22:57:43 00[JOB] spawning 16 worker threads
      Mar  5 22:57:43 07[IKE] initiating IKE_SA android[48] to 192.168.1.1
      Mar  5 22:57:43 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Mar  5 22:57:43 07[NET] sending packet: from 192.168.1.21[50455] to 192.168.1.1[500] (716 bytes)
      Mar  5 22:57:43 16[NET] received packet: from 192.168.1.1[500] to 192.168.1.21[50455] (297 bytes)
      Mar  5 22:57:43 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Mar  5 22:57:43 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
      Mar  5 22:57:43 16[IKE] faking NAT situation to enforce UDP encapsulation
      Mar  5 22:57:43 16[IKE] received 1 cert requests for an unknown ca
      Mar  5 22:57:43 16[IKE] establishing CHILD_SA android{41}
      Mar  5 22:57:43 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Mar  5 22:57:43 16[NET] sending packet: from 192.168.1.21[51257] to 192.168.1.1[4500] (448 bytes)
      Mar  5 22:57:43 09[NET] received packet: from 192.168.1.1[4500] to 192.168.1.21[51257] (80 bytes)
      Mar  5 22:57:43 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Mar  5 22:57:43 09[IKE] received AUTHENTICATION_FAILED notify error
      

      The whole reason I am doing this is so that I don't have to enable/disable the VPN when going out or coming back home.

        trumee

        I deleted the 'Host override' entry and strongSwan connects to the WAN IP even on the LAN side. Solved.

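A small triage helper for client logs like the one in the first post, added here as an example and not part of the original thread. It extracts the address the client actually dialed, the negotiated proposal, and the exchange in which the error notify arrived; an RFC 1918 peer address shows the host override was in effect. The function name `summarize` and the RFC 1918 check are assumptions of this example, and the sample lines are copied from the log above with timestamps trimmed.

```python
import ipaddress
import re

# Lines copied from the client log in the first post (timestamps trimmed).
SAMPLE_LOG = """\
07[IKE] initiating IKE_SA android[48] to 192.168.1.1
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
16[IKE] faking NAT situation to enforce UDP encapsulation
09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
09[IKE] received AUTHENTICATION_FAILED notify error
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PEER_RE = re.compile(r"\[IKE\] initiating IKE_SA \S+ to (\S+)")
PROPOSAL_RE = re.compile(r"\[CFG\] selected proposal: (\S+)")
PARSED_RE = re.compile(r"\[ENC\] parsed (\S+) response \d+")
ERROR_RE = re.compile(r"\[IKE\] received (\S+) notify error")


def summarize(log_text):
    """Return the dialed peer, the proposal, and where the first error arrived."""
    out = {"peer": None, "peer_is_rfc1918": None, "proposal": None,
           "failed_exchange": None, "error": None}
    last_exchange = None  # most recent response the client parsed
    for line in log_text.splitlines():
        if m := PEER_RE.search(line):
            out["peer"] = m.group(1)
            try:
                addr = ipaddress.ip_address(m.group(1))
                out["peer_is_rfc1918"] = any(addr in net for net in RFC1918)
            except ValueError:
                pass  # peer was not logged as an IP literal
        elif m := PROPOSAL_RE.search(line):
            out["proposal"] = m.group(1)
        elif m := PARSED_RE.search(line):
            last_exchange = m.group(1)
        elif (m := ERROR_RE.search(line)) and out["error"] is None:
            # Attribute the error to the exchange whose response carried it.
            out["error"] = m.group(1)
            out["failed_exchange"] = last_exchange
    return out


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

For this log the failure lands in IKE_AUTH, after IKE_SA_INIT and proposal selection have already succeeded against 192.168.1.1.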
          trumee

          I have a 150 Mbps symmetric connection. Without VPN, speedtest shows the line speed, but when VPN is enabled the speed drops considerably. In both tests, I am connected at the LAN side.

          Without VPN
          Screenshot_20200306-090605_Speedtest.jpg

          With VPN
          Screenshot_20200306-090504_Speedtest.jpg

          Is there a way to improve IPsec speed? What encryption cipher should I use to get the best speed on Android?
