Built-in IPSec tunnel networking quirks

Hello, a new member here.

I configured a GOS phone to use the native Android IPSec client with a few different IVPN gateways (they use MSCHAPv2). It connects successfully, I can browse the internet, and banking apps work too; however, the Signal app is showing as offline, and Play Store app installations go into a "pending" state. When using the strongSwan implementation, I have none of these issues. I also tried to use Mullvad's external DNS servers without ad blocking. No difference. I was wondering if you have any ideas or recommendations on that, have potentially experienced something similar on your own, or know where to start with troubleshooting? Maybe the default MTU needs adjusting; unfortunately, I could not find where to change that.

    22 days later

    876fi Can you please post what settings you used with the native VPN client screen, e.g. IPSec identifier? Thank you 🌷

      DeletedUser115 The IPsec identifier is the same as the username IVPN provides (format i-XXXX-XXXX-XX), type "MSCHAPv2", server for instance "gb2.gw.ivpn.net", username "i-XXXX-XXXX-XXXX", password "ivpn". Apologies, I have nowhere to share a screenshot; on the other hand, that is actually all you need in this post. Good luck!

        5 months later

        I faced the same problem. With Surfshark, IVPN and my own server. With a certificate, with PSK, or with username and password. It doesn't matter.
        I noticed that the problem appears in apps that handle networking the right way: they check the network type (mobile, WiFi, undefined) and change their behavior accordingly.
        I think the problem is in the "type of carrier" when you activate the built-in client; in my opinion it is set to "something like undefined" instead of a defined carrier status.

        I found the source of the problem. It really is the NetworkType. When we use the built-in Android VPN client (IPsec IKEv2), the network type changes from WIFI to VPN (see attached logs). When using a VPN through an application, the NetworkType does not change and remains the original one, for example WIFI. This is a problem for applications that use the current network type in their work. Even the built-in DataSaver does not work normally with this.
        10-20 04:19:53.713 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [WIFI] [CONTEXT thread_id=26 ]
        10-20 04:19:53.744 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [null] [CONTEXT thread_id=26 ]
        10-20 04:19:55.069 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [VPN] [CONTEXT thread_id=26 ]
        10-20 04:19:55.071 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [VPN] [CONTEXT thread_id=26 ]

        So, the solution is to uncheck the "Always-on VPN" checkbox. After that, the network type will be "original", without changing to "VPN".
        Not the best solution, but better than nothing.
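
To check for the same pattern in another capture, the log lines quoted above can be reduced to a list of network type changes per app. This is an added example, not part of the original thread: the function names are hypothetical, the year prefix is a placeholder (logcat omits the year), and the regex assumes the logcat layout with a UID column seen in the quoted lines.

```python
import re
from datetime import datetime, timedelta

# The four log lines quoted in the post above, embedded so the example runs offline.
SAMPLE = """\
10-20 04:19:53.713 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [WIFI] [CONTEXT thread_id=26 ]
10-20 04:19:53.744 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [null] [CONTEXT thread_id=26 ]
10-20 04:19:55.069 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [VPN] [CONTEXT thread_id=26 ]
10-20 04:19:55.071 10161 3288 3801 I BugleRcsEngine: Connected state: [2], networkType: [VPN] [CONTEXT thread_id=26 ]
"""

# date time uid pid tid level tag: message ... networkType: [X]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<uid>\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<tid>\d+)\s+[VDIWEF]\s+(?P<tag>[^:]+):\s.*?networkType: \[(?P<net>[^\]]*)\]"
)
PLACEHOLDER_YEAR = "2000"  # assumption: only relative times matter here


def parse(text):
    """Yield (timestamp, tag, pid, network_type) for lines that report a networkType."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated logcat line
        ts = datetime.strptime(PLACEHOLDER_YEAR + "-" + m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m["tag"].strip(), int(m["pid"]), m["net"]


def transitions(text):
    """Return network type changes per (tag, pid), ignoring repeated identical reports."""
    last, changes = {}, []
    for ts, tag, pid, net in parse(text):
        prev = last.get((tag, pid))
        if prev is not None and prev[1] != net:
            changes.append({
                "tag": tag, "pid": pid, "from": prev[1], "to": net,
                "at": ts.strftime("%H:%M:%S.%f")[:-3],
                "gap_ms": (ts - prev[0]) // timedelta(milliseconds=1),
            })
        last[(tag, pid)] = (ts, net)
    return changes


if __name__ == "__main__":
    for c in transitions(SAMPLE):
        print(f'{c["at"]} {c["tag"]}[{c["pid"]}]: {c["from"]} -> {c["to"]} (+{c["gap_ms"]} ms)')
```
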