viq <[email protected]> writes:

> On 17-07-18 23:20:26, Tim Stewart wrote:
>> viq <[email protected]> writes:
>>
>> > On 17-06-25 21:44:24, Tim Stewart wrote:
>> >> Hi,
>> >>
>> >> In this message I've tried to encode everything I've done to allow
>> >> strongSwan on Android to connect with iked, including the latest patch.
>> >> I have also verified that it breaks neither initial negotiation nor
>> >> Child SA rekeying for OpenBSD, Windows, and strongSwan (on Android)
>> >> clients.
>> >
>> > This patch gets my android phone much closer to being able to negotiate
>> > a connection, but there are still issues. Paraphrasing analysis mikeb
>> > performed on IRC:
>> > android sends incorrect (for us) group, and with this patch we now send
>> > a failure message and android retries. But, we don't increment msgid
>> > "because we did sa_free and restarted, so we can assume that android
>> > thinks that negotiation continues, that's why it re-sends the
>> > IKE_SA_INIT"
>>
>> I'm glad it seems to help, though it's too bad that the patch doesn't
>> work completely for you.
>>
>> I haven't really considered msgids--I'll do some more reading to see
>> what I might be missing there. I do know that resending an IKE_SA_INIT
>> message with a different DH group is correct, however, and this does
>> work on my phone. For your reference, the first line of my strongSwan
>> log tells me that I'm using strongSwan 5.5.3 and Android 7.1.1.
>>
>> I see that you forwarded the iked logs in a reply to this email. Is
>> this the full log after a fresh iked startup with no existing SAs?
>
> This is after a fresh startup, there exists an SA but for a separate
> site-to-site config I have in place. If completely fresh logs are
> needed I could comment that out.

Well, my thinking here was that incorrect policy matching could be
confusing the issue. I often find it helpful to comment out other
policies to eliminate policy matching as a failure point during testing.

>> Also, would it be possible to forward an anonymized config and the
>> strongSwan logs so that I can compare to mine? (I can also post my
>> logs, but I'll have to do it in the next day or two as I'm out of time
>> for today.)
>
> First, sorry for the delay with replying to this. Second, I'm not sure
> how to get to the logs, seeing as I'm using the built-in VPN client that
> came with Samsung S8.

Oh, for some reason I assumed you were using strongSwan! My mistake.
Can you provide a link to some more info about the Samsung S8's built-in
client?

I haven't had any time since my last post, but I still plan to look into
the msgids.

-TimS

--
Tim Stewart
-----------
Mail: [email protected]
Matrix: @tim:stoo.org
