4. Mobile ipsec works WAN side but not LAN side?

Mobile ipsec works WAN side but not LAN side?

  • T

    Hello,

    I have Mobile IKev2 (strongSwan) working on my android mobile. It works fine when i am on the road, and i can connect through the WAN side. However, when i reach home and connect to pfSense LAN network, it fails to connect. I have enabled 'Host override' in DNS resolver (split DNS) so the VPN hostname resolves to the firewalls internal IP address (192.168.1.1). Is that the correct way to do it?

    The error i get is as follows:

    Mar  5 22:57:43 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 10 - QP1A.190711.020.N960FXXS4DTA5/2020-02-01, SM-N960F - samsung/crownltexx/samsung, Linux 4.9.118-17594460, aarch64)
Mar  5 22:57:43 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar  5 22:57:43 00[JOB] spawning 16 worker threads
Mar  5 22:57:43 07[IKE] initiating IKE_SA android[48] to 192.168.1.1
Mar  5 22:57:43 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar  5 22:57:43 07[NET] sending packet: from 192.168.1.21[50455] to 192.168.1.1[500] (716 bytes)
Mar  5 22:57:43 16[NET] received packet: from 192.168.1.1[500] to 192.168.1.21[50455] (297 bytes)
Mar  5 22:57:43 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar  5 22:57:43 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Mar  5 22:57:43 16[IKE] faking NAT situation to enforce UDP encapsulation
Mar  5 22:57:43 16[IKE] received 1 cert requests for an unknown ca
Mar  5 22:57:43 16[IKE] establishing CHILD_SA android{41}
Mar  5 22:57:43 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar  5 22:57:43 16[NET] sending packet: from 192.168.1.21[51257] to 192.168.1.1[4500] (448 bytes)
Mar  5 22:57:43 09[NET] received packet: from 192.168.1.1[4500] to 192.168.1.21[51257] (80 bytes)
Mar  5 22:57:43 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar  5 22:57:43 09[IKE] received AUTHENTICATION_FAILED notify error

    The whole reason I am doing this is that I dont have to enable/disable VPN when going out or coming back home.

    0
  • T

    I deleted the 'Host override' entry and strongSwan connects to the WAN ip even on the LAN side. Solved.

    0
  • T

    I have a 150mbps symmetric connection. Without vpn speedtest shows the line speed but when vpn is enabled the speed drops considerably. In both tests, I am connected at the LAN side.

    Without VPN
    Screenshot_20200306-090605_Speedtest.jpg

    With VPN
    Screenshot_20200306-090504_Speedtest.jpg

    Is there a way to improve IPSec speed? What encryption cipher should i use to get best speed on Android?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy