Issue #2935
swanctl.conf: Android client does not route through tunnel
Description
After being kindly reminded to switch from ipsec.conf to swanctl.conf in #2931, I finally began to migrate my configuration. The first thing I tried was a road warrior configuration with an Android client. As a reference, I attached my old ipsec.conf too.
The Child SA is established, but the client does not seem to route anything through the VPN tunnel although I think I configured a default route with connections.rw-ikev2.children.net.local_ts=0.0.0.0/0. When I use the browser on the client I see no traffic coming in at the server (with tcpdump). Using "swanctl --list-sas" I can see that the number of packets is not increasing.
When I use the browser on some IP checker site it still tells me that I am 80.187.100.172, which is the IP of my client from which it establishes the tunnel. Configuring local_ts=0.0.0.0/1,128.0.0.0/1 doesn't help either.
Interestingly enough, I CAN reach systems in the server's local network 192.168.1.0/24.
History
#1 Updated by Tobias Brunner over 6 years ago
- Status changed from New to Feedback
Make sure you didn't exclude subnets/apps in the advanced settings in the client config and refer to ForwardingAndSplitTunneling. The config backend on the server has nothing to do with this (you can confirm that by comparing the logs).
#2 Updated by Robert Dahlem over 6 years ago
Well, apparently there is something wrong with that "IP checker site" (https://www.wieistmeineip.de/): it seems to not react reliably to refreshes, at least with Chrome on Android. I checked with several other sites and they reliably display the IP of my client without an active tunnel and the IP of my server with an active tunnel.
Sorry for the noise. Please close this.
#3 Updated by Tobias Brunner over 6 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required