I'm having some trouble with my VPN connection. First off, I'm on a Nokia 3.1 running Android 9 and using strongSwan for an IKEv2/EAP connection. I've searched the strongSwan site front and back and found nothing related to my issue. I've tried to set up an account to post an issue, but for a week now my account says, "waiting for approval by admins." I've searched and read every RFC I can on IKEv2 connections and related topics and learned a lot about it, but nothing specific to my situation. I've also searched my phone's configuration files for any interoperability and found nothing. The strongSwan app says some phones are not compatible, but they don't give any list as to which are or are not. So that may be an issue as well, but the connection is established, so I'm thinking it's not that. I've spoken to my VPN and they have no idea what's going on. So here goes.
As I said, I'm using strongSwan for an IKEv2/EAP connection (for some reason IPsec is not available). I use the server's IP and my credentials to initiate the connection; the server cannot be certificate-verified because the available certificate is not a JSON file. I'm currently trying to find a way to convert the file. But it settles on a root certificate given to me by my VPN. I'm using aes256gcm16-prfsha384-ecp384 for the connection encryption. I have CA certificate requests not being sent to the server to reduce IKE_AUTH packet size. I haven't found any info on an issue there, and authentication is completed on both ends. My log says I'm behind NAT; not sure if that makes a difference, so I have NAT keep-alive set to 20 seconds. I block IPv4 and IPv6 not destined for the VPN connection. The CHILD_SA connection is established with SPIs, with support for MOBIKE. The log says:
EAP_MSCHAPV2 succeeded, MSK established
Auth of EAP successful
IKE_SA established, scheduling rekeying
Installing new virtual IP
CHILD_SA Android established with SPI and TS
Setting up TUN device for CHILD_SA Android
Successfully created TUN device
Peer supports MOBIKE
The problem is that it's not establishing the connection with the appropriate configuration, and about half an hour later my log says:
Creating rekey CHILD_SA Android reqid 83
Create CHILD_SA request
Ignoring KE exchange, settled on non-PFS proposal
Inbound CHILD_SA established with SPIs
Outbound CHILD_SA established with SPIs and TS
Sending delete for ESP with CHILD_SA and SPI
Received delete for CHILD_SA
CHILD_SA closed
Traffic ceases after that, and due to the kill switch I lose connection without notification. This happens with every server after a few hours. The new server will work fine, but three hours later this happens, and it continues to happen every half hour after reconnection. What's going on? What have I done wrong? I've tried to communicate all the information, but there's a lot; if I'm missing anything or you need something specific, please let me know. I've spent about the last three weeks trying to figure this out, having no knowledge of networking beforehand. So please excuse me if I've done something wrong or misinterpreted something. I thank you for your time and potential assistance.
Edit 1
The available open config areas are as follows:
• Client Identity
• DNS server
• MTU of the VPN tunnel device
• Server Port
• NAT-T keep-alive (set to 20 or connection is lost)
• IKEv2 algorithms
• IPsec/ESP algorithms
• Custom subnets
• Excluded subnets
The available toggle on/off options are:
• Send all Certificate requests (off to lower packet size)
• Use OCSP to check Certificate (on)
• Use CRLs to check Certificate (on)
• Use strict revocation checking (off)
• Use RSA/PSS signature (on)
The available connection according to the Nord website is supposed to be an IKEv2/IPsec configuration, but the only available options in the dropdown menu on strongSwan are:
• IKEv2 EAP (currently selected)
• IKEv2 Certificate
• IKEv2 Certificate + EAP
• IKEv2 EAP-TLS
• IKEv2 EAP-TNC
These are only client authentication methods, though. Is this where the IPsec algorithm configuration line comes into play? Is it not a default? The strongSwan documentation for the app states that, "IPsec default proposal limited to AES encryption with SHA1/SHA2 data integrity or AES-GCM auth encryption. Using PFS with one of a number of proposed ECP/MODP DH groups. ChaCha20/Poly1305 also supported. Custom ESP proposal may also be configured."
I have all traffic being routed to the VPN. I have blocked all IPv4 and IPv6 not destined for the VPN. I even changed my APN and stopped all IPv6 traffic. It's been a heck of a ride.