hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

Android can connect to IKEv2/IPSec RSA but no Internet access #1495

Closed mrbluecoat closed 11 months ago

mrbluecoat commented 11 months ago

I'd like to install IKEv2 on an Oracle Cloud instance, connect via an Android client, then browse the Internet through the Oracle Cloud node. I was able to install IKEv2 and connect with my Android 13 device via the native VPN capability, but I can't access the Internet (tried both google.com and 1.1.1.1).

Here were my steps:

Set up Alma Linux 9 instance on Oracle Cloud and configure ingress rules:

[screenshot: Oracle Cloud ingress rules]

# head -n 4 /etc/os-release
NAME="AlmaLinux"
VERSION="9.3 (Shamrock Pampas Cat)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
sudo dnf update
sudo dnf upgrade -y
sudo dnf install -y wget

# install
wget https://get.vpnsetup.net -O vpn.sh && sudo sh vpn.sh

# configure for only IKEv2
wget https://get.vpnsetup.net/ikev2only -O ikev2only.sh && sudo bash ikev2only.sh

# disable client-to-client communication
sudo tee -a /etc/rc.local > /dev/null <<EOT

iptables -I FORWARD 2 -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j DROP
iptables -I FORWARD 3 -s 192.168.43.0/24 -d 192.168.43.0/24 -j DROP
iptables -I FORWARD 4 -i ppp+ -d 192.168.43.0/24 -j DROP
iptables -I FORWARD 5 -s 192.168.43.0/24 -o ppp+ -j DROP

EOT

sudo reboot
# cat /proc/sys/net/ipv4/ip_forward
1
# systemctl status firewalld
○ firewalld.service
     Loaded: masked (Reason: Unit firewalld.service is masked.)
     Active: inactive (dead)

Here's the contents of /etc/sysconfig/nftables.conf

# Modified by hwdsl2 VPN script
flush ruleset
table inet firewalld {
    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_ZONES
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    chain mangle_PREROUTING_ZONES {
        iifname "eth0" goto mangle_PRE_public
        goto mangle_PRE_public
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
        jump nat_PREROUTING_ZONES
    }

    chain nat_PREROUTING_POLICIES_pre {
        jump nat_PRE_policy_allow-host-ipv6
    }

    chain nat_PREROUTING_ZONES {
        iifname "eth0" goto nat_PRE_public
        goto nat_PRE_public
    }

    chain nat_PREROUTING_POLICIES_post {
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_ZONES
    }

    chain nat_POSTROUTING_POLICIES_pre {
    }

    chain nat_POSTROUTING_ZONES {
        oifname "eth0" goto nat_POST_public
        goto nat_POST_public
    }

    chain nat_POSTROUTING_POLICIES_post {
    }

    chain nat_OUTPUT {
        type nat hook output priority -90; policy accept;
        jump nat_OUTPUT_POLICIES_pre
        jump nat_OUTPUT_POLICIES_post
    }

    chain nat_OUTPUT_POLICIES_pre {
    }

    chain nat_OUTPUT_POLICIES_post {
    }

    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        udp dport 1701 accept
        udp dport 4500 accept
        udp dport 500 accept
        ct state { established, related } accept
        ct status dnat accept
        ct state invalid drop
        iifname "lo" accept
        jump filter_INPUT_ZONES
        reject with icmpx admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ip daddr 192.168.43.0/24 accept
        ip saddr 192.168.43.0/24 accept
        ip daddr 192.168.42.0/24 accept
        ip saddr 192.168.42.0/24 accept
        ct state { established, related } accept
        ct status dnat accept
        ct state invalid drop
        iifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_FORWARD_ZONES
        reject with icmpx admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    chain filter_INPUT_ZONES {
        iifname "eth0" goto filter_IN_public
        goto filter_IN_public
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
    }

    chain filter_FORWARD_ZONES {
        iifname "eth0" goto filter_FWD_public
        goto filter_FWD_public
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    chain filter_IN_public {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_public_pre
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        jump filter_IN_public_post
        jump filter_INPUT_POLICIES_post
        meta l4proto { icmp, ipv6-icmp } accept
        reject with icmpx admin-prohibited
    }

    chain filter_IN_public_pre {
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
    }

    chain filter_IN_public_post {
    }

    chain nat_POST_public {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_public_pre
        jump nat_POST_public_log
        jump nat_POST_public_deny
        jump nat_POST_public_allow
        jump nat_POST_public_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_public_pre {
    }

    chain nat_POST_public_log {
    }

    chain nat_POST_public_deny {
    }

    chain nat_POST_public_allow {
    }

    chain nat_POST_public_post {
    }

    chain filter_FWD_public {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_public_pre
        jump filter_FWD_public_log
        jump filter_FWD_public_deny
        jump filter_FWD_public_allow
        jump filter_FWD_public_post
        jump filter_FORWARD_POLICIES_post
        reject with icmpx admin-prohibited
    }

    chain filter_FWD_public_pre {
    }

    chain filter_FWD_public_log {
    }

    chain filter_FWD_public_deny {
    }

    chain filter_FWD_public_allow {
        oifname "eth0" accept
    }

    chain filter_FWD_public_post {
    }

    chain nat_PRE_public {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_public_pre
        jump nat_PRE_public_log
        jump nat_PRE_public_deny
        jump nat_PRE_public_allow
        jump nat_PRE_public_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_public_pre {
    }

    chain nat_PRE_public_log {
    }

    chain nat_PRE_public_deny {
    }

    chain nat_PRE_public_allow {
    }

    chain nat_PRE_public_post {
    }

    chain mangle_PRE_public {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_public_pre
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
        jump mangle_PRE_public_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_public_pre {
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain mangle_PRE_public_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain nat_PRE_policy_allow-host-ipv6 {
        jump nat_PRE_policy_allow-host-ipv6_pre
        jump nat_PRE_policy_allow-host-ipv6_log
        jump nat_PRE_policy_allow-host-ipv6_deny
        jump nat_PRE_policy_allow-host-ipv6_allow
        jump nat_PRE_policy_allow-host-ipv6_post
    }

    chain nat_PRE_policy_allow-host-ipv6_pre {
    }

    chain nat_PRE_policy_allow-host-ipv6_log {
    }

    chain nat_PRE_policy_allow-host-ipv6_deny {
    }

    chain nat_PRE_policy_allow-host-ipv6_allow {
    }

    chain nat_PRE_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        udp dport 1701 meta secpath missing counter packets 0 bytes 0 drop
        ct state invalid counter packets 0 bytes 0 drop
        ct state related,established counter packets 0 bytes 0 accept
        meta l4proto udp udp dport { 500,4500} counter packets 0 bytes 0 accept
        udp dport 1701 meta secpath exists counter packets 0 bytes 0 accept
        udp dport 1701 counter packets 0 bytes 0 drop
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
        ct state invalid counter packets 0 bytes 0 drop
        iifname "eth0" oifname "ppp*" ct state related,established counter packets 0 bytes 0 accept
        iifname "ppp*" oifname "eth0" counter packets 0 bytes 0 accept
        iifname "ppp*" oifname "ppp*" counter packets 0 bytes 0 accept
        iifname "eth0" ip daddr 192.168.43.0/24 ct state related,established counter packets 0 bytes 0 accept
        oifname "eth0" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
        oifname "ppp*" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 accept
    }
}
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
        oifname "eth0" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 masquerade
    }
}

I transferred vpnclient.p12 to the Android phone and followed https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/ikev2-howto.md#android for the native IKEv2 client.

VPN says connected.

# ipsec trafficstatus
006 #9: "ikev2-cp"[6] 7x.21x.17x.19x, type=ESP, add_time=1700843859, inBytes=0, outBytes=0, maxBytes=2^63B, id='CN=vpnclient, O=IKEv2 VPN', lease=192.168.43.10/32

Opened a web browser and tried google.com (ERR_NAME_NOT_RESOLVED) and 1.1.1.1 (ERR_ADDRESS_UNREACHABLE).

I searched the Issue backlog (#155 #896 #944 #1430) but couldn't find a resolution. Any suggestions?
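The `ipsec trafficstatus` line above is the most useful data point in this report: with inBytes=0 the server never received a single ESP payload packet, so the FORWARD and masquerade rules were never exercised. The helper below is an added diagnostic, not part of the setup-ipsec-vpn project or of the reporter's post; it parses a trafficstatus line (Libreswan's "inBytes=N, outBytes=M" fields, assumed) and checks a pasted nat ruleset for a masquerade rule covering the client's pool (assumed to be a /24, as the script configures for IKEv2).

```shell
#!/bin/sh
# Added troubleshooting helper; not part of setup-ipsec-vpn.
# Classifies an `ipsec trafficstatus` line so you know which side to look at
# first, and checks a nat ruleset text for the pool's masquerade rule.

# Constructed sample, modelled on the line in this issue (IP redacted as reported).
SAMPLE='006 #9: "ikev2-cp"[6] 7x.21x.17x.19x, type=ESP, add_time=1700843859, inBytes=0, outBytes=0, maxBytes=2^63B, id='\''CN=vpnclient, O=IKEv2 VPN'\'', lease=192.168.43.10/32'

# Constructed excerpt of the nat POSTROUTING chain shown in this issue.
SAMPLE_NAT='oifname "eth0" ip saddr 192.168.42.0/24 counter packets 0 bytes 0 masquerade
oifname "eth0" ip saddr 192.168.43.0/24 counter packets 0 bytes 0 masquerade'

# field LINE KEY: value of "KEY=value" in a comma-separated status line.
field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ,]$2=\([^,]*\).*/\1/p"
}

# pool_of LEASE: the /24 a single-address lease belongs to (assumes /24 pools).
pool_of() {
    printf '%s\n' "$1" | sed 's/\.[0-9]*\/32$/.0\/24/'
}

# has_masquerade RULESET SUBNET: succeeds if RULESET masquerades SUBNET.
has_masquerade() {
    printf '%s\n' "$1" | grep -q "ip saddr $2 .*masquerade"
}

# classify_sa LINE: where to look first, judged from the ESP byte counters.
#   client-silent    no ESP payload reached the server: the client (or the
#                    path to UDP 4500) drops traffic; server rules are moot
#   no-return-path   client packets arrive but nothing goes back: check
#                    ip_forward, FORWARD accept and masquerade for the pool
#   traffic-flowing  ESP works both ways: look at DNS or the application
#   unknown          counters missing from the line
classify_sa() {
    in_b=$(field "$1" inBytes); out_b=$(field "$1" outBytes)
    [ -n "$in_b" ] && [ -n "$out_b" ] || { echo unknown; return 1; }
    if [ "$in_b" -eq 0 ] && [ "$out_b" -eq 0 ]; then echo client-silent
    elif [ "$out_b" -eq 0 ]; then echo no-return-path
    else echo traffic-flowing
    fi
}

# Stand-alone run against the constructed sample.
pool=$(pool_of "$(field "$SAMPLE" lease)")
printf 'verdict: %s\n' "$(classify_sa "$SAMPLE")"
if has_masquerade "$SAMPLE_NAT" "$pool"; then
    printf 'masquerade for %s: present\n' "$pool"
else
    printf 'masquerade for %s: MISSING\n' "$pool"
fi
```

On a live server, replace the two samples with `ipsec trafficstatus` and `nft list table ip nat` output; a client-silent verdict with masquerade present matches this issue, where the fault turned out to be on the Android side.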

hwdsl2 commented 11 months ago

@mrbluecoat Hello! I can try to reproduce this issue. A few things to try:

1. Try the strongSwan VPN client.
2. Temporarily allow client-to-client traffic to see if that fixes the issue.
3. In your firewall, UDP port 1701 and the AH and ESP protocols are not required.

mrbluecoat commented 11 months ago

Thanks for the quick response! Here's what I've found so far:

mrbluecoat commented 11 months ago

Some older Android versions, especially Samsung's Android versions, have a buggy VPN implementation, which results in Android refusing to start the VPN service in certain circumstances, like when there is no internet connectivity yet (when starting up your device) or when incorrectly requiring manual approval of the VPN service again (when starting up your device). NetGuard will try to work around this and remove the error message when it succeeds, else you are out of luck.

Some LineageOS versions have a broken Android VPN implementation, causing all traffic to be blocked, please see this FAQ for more information.

On GrapheneOS, the Android Always-On VPN function and the sub option 'Block connections without VPN' are enabled by default. However, this sub option will result in blocking all traffic, please see this FAQ.

https://github.com/M66B/NetGuard/tree/master

mrbluecoat commented 11 months ago

I'll close this out since it's clearly an OS issue. Thanks @hwdsl2