I'm having some trouble with my VPN connection. First off, I'm on a Nokia 3.1 running Android 9 and using strongSwan for an IKEv2/EAP connection. I've searched the strongSwan site front and back and found nothing related to my issue. I've tried to set up an account to post an issue, but for a week now my account says, "waiting for approval by admins." I've searched and read every RFC I can on IKEv2 connections and related topics and learned a lot about it, but nothing specific to my situation. I've also searched my phone's configuration files for any interoperability and found nothing. The strongSwan app says some phones are not compatible, but they don't give any list as to which are or are not. So that may be an issue as well, but the connection is established, so I'm thinking it's not that. I've spoken to my VPN and they have no idea what's going on. So here goes:
As I said, I'm using strongSwan for an IKEv2/EAP connection (for some reason IPsec is not available). I use the server's IP and my credentials to initiate the connection. The server cannot be certificate verified because the available certificate is not a json file. I'm currently trying to find a way to convert the file. But it settles on a root certificate given to me by my VPN. I'm using aes256gcm16-prfsha384-ecp384 for the connection encryption. I have CA certificates not being sent to the server to reduce IKE AUTH package size. I haven't found any info on an issue there, and authentication is completed on both ends. My log says I'm behind NAT; not sure if that makes a difference, so I have NAT keep-alive set to 20 seconds. I block IPv4 and IPv6 not destined for the VPN connection. The CHILD SA connection is established with SPIs with support for MOBIKE. The log says:
EAP_MSCHAPV2 succeeded MSK established/ Auth of EAP successful/ IKE SA established scheduling Rekeying/ Installing new virtual IP/ CHILD SA Android established with SPI and TS/ Setting up TUN device for CHILD SA Android/ Successfully created TUN device/ Peer supports MOBIKE/
The problem is it's not establishing the connection with the appropriate configurations and about half an hour later my log says:
Creating rekey CHILD SA Android reqid 83/ Create CHILD SA request/ Ignoring KE exchange settled on non PFS proposal/ Inbound CHILD SA established with SPIs/ Outbound CHILD SA established with SPIs and TS/ Sending delete for ESP with CHILD SA and SPI/ Received delete for Child SA/ CHILD SA closed
Traffic ceases after that and, due to the kill switch, I lose connection without notification. This happens with every server after a few hours. The new server will work fine, but three hours later this happens and continues to happen every half hour after reconnection. What's going on? What have I done wrong? I've tried to communicate all information, but there's a lot; if I'm missing anything or you need something specific, please let me know. I've spent about the last three weeks trying to figure this out, having no knowledge of networking beforehand. So please excuse me if I've done something wrong or misinterpreted something. I thank you for your time and potential assistance.