IPSEC vs Android

Hi all!

First, to get one question out of the way: I want to use IPsec because OpenVPN chews up the battery pretty fast. Now then, this is the output of logcat | grep racoon on the phone (Android 11, and don't even ask, I don't know why they gave it this name):

05-08 19:49:36.743     0     0 I init    : starting service 'racoon'...
05-08 19:49:36.744     0     0 I init    : Created socket '/dev/socket/racoon', mode 600, user 1000, group 1000
05-08 19:49:36.747     0     0 I init    : Control message: Processed ctl.start for 'racoon' from pid: 800 (system_server)
05-08 19:49:42.872 18166 18166 D racoon  : Waiting for control socket
05-08 19:49:43.036 18166 18166 D racoon  : Received 9 arguments
05-08 19:49:43.036 18166 18166 I racoon  : ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)
05-08 19:49:43.039 18166 18166 I racoon  : <client_ip>[500] used as isakmp port (fd=6)
05-08 19:49:43.039 18166 18166 I racoon  : <client_ip>[500] used for NAT-T
05-08 19:49:43.040 18166 18166 I racoon  : <client_ip>[4500] used as isakmp port (fd=7)
05-08 19:49:43.040 18166 18166 I racoon  : <client_ip>[4500] used for NAT-T
05-08 19:49:43.041 18166 18166 I racoon  : initiate new phase 1 negotiation: <client_ip>[500]<=><server_ip>[500]
05-08 19:49:43.041 18166 18166 I racoon  : begin Identity Protection mode.
05-08 19:49:43.421 18166 18166 I racoon  : received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
05-08 19:49:43.422 18166 18166 I racoon  : received Vendor ID: DPD
05-08 19:49:43.422 18166 18166 I racoon  : received broken Microsoft ID: FRAGMENTATION
05-08 19:49:43.422 18166 18166 I racoon  : received Vendor ID: RFC 3947
05-08 19:49:43.422 18166 18166 I racoon  : Selected NAT-T version: RFC 3947
05-08 19:49:43.446 18166 18166 I racoon  : Hashing <server_ip>[500] with algo #5 
05-08 19:49:43.447 18166 18166 I racoon  : Hashing <client_ip>[500] with algo #5 
05-08 19:49:43.447 18166 18166 I racoon  : Adding remote and local NAT-D payloads.
05-08 19:49:43.501 18166 18166 I racoon  : Hashing <client_ip>[500] with algo #5 
05-08 19:49:43.501 18166 18166 I racoon  : NAT-D payload #0 doesn't match
05-08 19:49:43.501 18166 18166 I racoon  : Hashing <server_ip>[500] with algo #5 
05-08 19:49:43.501 18166 18166 I racoon  : NAT-D payload #1 verified
05-08 19:49:43.503 18166 18166 I racoon  : NAT detected: ME 
05-08 19:49:43.503 18166 18166 I racoon  : KA list add: <client_ip>[4500]-><server_ip>[4500]
05-08 19:49:43.554 18166 18166 I racoon  : ISAKMP-SA established <client_ip>[4500]-<server_ip>[4500] spi:43dc774af9e7fca0:4e57d2ce11b5cc54
05-08 19:49:43.834 18166 18166 W racoon  : Ignored attribute UNITY_SAVE_PASSWD
05-08 19:49:43.850   371   371 W auditd  : type=1415 audit(0.0:624): op=SPD-delete auid=4294967295 ses=4294967295 subj=u:r:racoon:s0 res=1 src=0.0.0.0 src_prefixlen=0 dst=10.125.209.1

Router log (custom pfSense box, 2.5.1):

May  8 19:49:43 fvs336g charon[45696]: 13[NET] <11> received packet: from <client_ext_ip>[6516] to <server_ip>[500] (756 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <11> parsed ID_PROT request 0 [ SA V V V V V V V V ]
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received NAT-T (RFC 3947) vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received XAuth vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received Cisco Unity vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received FRAGMENTATION vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> received DPD vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> <client_ext_ip> is initiating a Main Mode IKE_SA
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> IKE_SA (unnamed)[11] state change: CREATED => CONNECTING
May  8 19:49:43 fvs336g charon[45696]: 13[CFG] <11> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> sending XAuth vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> sending DPD vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> sending FRAGMENTATION vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> sending NAT-T (RFC 3947) vendor ID
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <11> generating ID_PROT response 0 [ SA V V V V ]
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <11> sending packet: from <server_ip>[500] to <client_ext_ip>[6516] (160 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <11> received packet: from <client_ext_ip>[6516] to <server_ip>[500] (284 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <11> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> remote host is behind NAT
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <11> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <11> sending packet: from <server_ip>[500] to <client_ext_ip>[6516] (300 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <11> received packet: from <client_ext_ip>[6420] to <server_ip>[4500] (124 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <11> parsed ID_PROT request 0 [ ID HASH ]
May  8 19:49:43 fvs336g charon[45696]: 13[CFG] <11> looking for XAuthInitPSK peer configs matching <server_ip>...<client_ext_ip>[100.102.244.56]
May  8 19:49:43 fvs336g charon[45696]: 13[CFG] <11> selected peer config "con-mobile"
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> queueing XAUTH task
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <con-mobile|11> generating ID_PROT response 0 [ ID HASH ]
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <con-mobile|11> sending packet: from <server_ip>[4500] to <client_ext_ip>[6420] (108 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> activating new tasks
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11>   activating XAUTH task
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <con-mobile|11> generating TRANSACTION request 2276075918 [ HASH CPRQ(X_USER X_PWD) ]
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <con-mobile|11> sending packet: from <server_ip>[4500] to <client_ext_ip>[6420] (108 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <con-mobile|11> received packet: from <client_ext_ip>[6420] to <server_ip>[4500] (140 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <con-mobile|11> parsed INFORMATIONAL_V1 request 2973757452 [ HASH N(INITIAL_CONTACT) ]
May  8 19:49:43 fvs336g charon[45696]: 07[NET] <con-mobile|11> received packet: from <client_ext_ip>[6420] to <server_ip>[4500] (140 bytes)
May  8 19:49:43 fvs336g charon[45696]: 07[ENC] <con-mobile|11> parsed TRANSACTION response 2276075918 [ HASH CPRP(X_USER X_PWD) ]
May  8 19:49:43 fvs336g charon[29228]: user 'phone' authenticated
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> XAuth-SCRIPT succeeded for user 'phone'.
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> XAuth authentication of 'phone' successful
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> reinitiating already active tasks
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11>   XAUTH task
May  8 19:49:43 fvs336g charon[45696]: 07[ENC] <con-mobile|11> generating TRANSACTION request 23630671 [ HASH CPS(X_STATUS) ]
May  8 19:49:43 fvs336g charon[45696]: 07[NET] <con-mobile|11> sending packet: from <server_ip>[4500] to <client_ext_ip>[6420] (108 bytes)
May  8 19:49:43 fvs336g charon[45696]: 07[NET] <con-mobile|11> received packet: from <client_ext_ip>[6420] to <server_ip>[4500] (124 bytes)
May  8 19:49:43 fvs336g charon[45696]: 07[ENC] <con-mobile|11> parsed TRANSACTION response 23630671 [ HASH CPA(X_STATUS) ]
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> IKE_SA con-mobile[11] established between <server_ip>[<server_ip>]...<client_ext_ip>[100.102.244.56]
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> IKE_SA con-mobile[11] state change: CONNECTING => ESTABLISHED
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> scheduling rekeying in 23331s
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> maximum IKE_SA lifetime 26211s
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> activating new tasks
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> nothing to initiate
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <con-mobile|11> received packet: from <client_ext_ip>[6420] to <server_ip>[4500] (156 bytes)
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <con-mobile|11> parsed TRANSACTION request 3119694497 [ HASH CPRQ(ADDR MASK DNS NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing INTERNAL_IP4_ADDRESS attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing INTERNAL_IP4_NETMASK attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing INTERNAL_IP4_DNS attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing INTERNAL_IP4_NBNS attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing UNITY_BANNER attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing UNITY_DEF_DOMAIN attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing UNITY_SPLITDNS_NAME attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing UNITY_SPLIT_INCLUDE attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing UNITY_LOCAL_LAN attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> processing APPLICATION_VERSION attribute
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> peer requested virtual IP %any
May  8 19:49:43 fvs336g charon[45696]: 13[CFG] <con-mobile|11> reassigning offline lease to 'phone'
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> assigning virtual IP 10.125.209.1 to peer 'phone'
May  8 19:49:43 fvs336g charon[45696]: 13[ENC] <con-mobile|11> generating TRANSACTION response 3119694497 [ HASH CPRP(ADDR DNS U_SAVEPWD) ]
May  8 19:49:43 fvs336g charon[45696]: 13[NET] <con-mobile|11> sending packet: from <server_ip>[4500] to <client_ext_ip>[6420] (124 bytes)
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11> sending DPD request
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11> queueing ISAKMP_DPD task
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11> activating new tasks
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11>   activating ISAKMP_DPD task
May  8 19:49:53 fvs336g charon[45696]: 10[ENC] <con-mobile|11> generating INFORMATIONAL_V1 request 3537234717 [ HASH N(DPD) ]
May  8 19:49:53 fvs336g charon[45696]: 10[NET] <con-mobile|11> sending packet: from <server_ip>[4500] to <client_ext_ip>[6420] (124 bytes)
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11> activating new tasks
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11> nothing to initiate
May  8 19:49:53 fvs336g charon[45696]: 10[NET] <con-mobile|11> received packet: from <client_ext_ip>[6420] to <server_ip>[4500] (140 bytes)
May  8 19:49:53 fvs336g charon[45696]: 10[ENC] <con-mobile|11> parsed INFORMATIONAL_V1 request 4237118571 [ HASH N(DPD_ACK) ]
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11> activating new tasks
May  8 19:49:53 fvs336g charon[45696]: 10[IKE] <con-mobile|11> nothing to initiate
May  8 19:50:03 fvs336g charon[45696]: 10[IKE] <con-mobile|11> sending DPD request
May  8 19:50:03 fvs336g charon[45696]: 10[IKE] <con-mobile|11> queueing ISAKMP_DPD task
May  8 19:50:03 fvs336g charon[45696]: 10[IKE] <con-mobile|11> activating new tasks
May  8 19:50:03 fvs336g charon[45696]: 10[IKE] <con-mobile|11>   activating ISAKMP_DPD task
May  8 19:50:03 fvs336g charon[45696]: 10[ENC] <con-mobile|11> generating INFORMATIONAL_V1 request 4142009309 [ HASH N(DPD) ]
May  8 19:50:03 fvs336g charon[45696]: 10[NET] <con-mobile|11> sending packet: from <server_ip>[4500] to <client_ext_ip>[6420] (124 bytes)
May  8 19:50:03 fvs336g charon[45696]: 10[IKE] <con-mobile|11> activating new tasks
May  8 19:50:03 fvs336g charon[45696]: 10[IKE] <con-mobile|11> nothing to initiate

The built-in client says connected and the tun0 device has an IP, but I can't ping anything. I've been trying to solve this since yesterday and tried several solutions I found on Google, but nothing fixed it.

I'm pretty much open to any ideas.

Thanks in advance!
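An added diagnostic, not part of this thread or of pfSense/strongSwan: in the router log above the IKE_SA reaches ESTABLISHED, XAuth succeeds and 10.125.209.1 is assigned, but no QUICK_MODE exchange or CHILD_SA line ever follows, only DPD keepalives; on the phone side there is no IPsec-SA entry either, just the SPD-delete audit event. That is a phase 1 session with no ESP tunnel behind it, which is exactly "connected, has an IP, nothing passes". The script below runs that check over charon log lines and also flags weak algorithms in the selected proposals (the posted phase 1 proposal uses MODP_1024, DH group 2 at 1024 bits). It keys on the standard charon message strings; the sample lines are constructed and modelled on the posted log, and the QUICK_MODE/CHILD_SA lines in the "working" sample are constructed in charon's wording to show the contrast.

```python
"""Check how far an IKEv1/XAuth session got, from strongSwan charon log lines.

Added example for this thread, not code from the thread or from strongSwan.
It keys on the standard charon message strings; the sample lines below are
constructed, modelled on the router log posted above.
"""
import re

# Constructed excerpt of the server-side log from the thread (abbreviated).
SAMPLE_STALLED = """\
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> <client_ext_ip> is initiating a Main Mode IKE_SA
May  8 19:49:43 fvs336g charon[45696]: 13[CFG] <11> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <11> remote host is behind NAT
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> XAuth authentication of 'phone' successful
May  8 19:49:43 fvs336g charon[45696]: 07[IKE] <con-mobile|11> IKE_SA con-mobile[11] state change: CONNECTING => ESTABLISHED
May  8 19:49:43 fvs336g charon[45696]: 13[IKE] <con-mobile|11> assigning virtual IP 10.125.209.1 to peer 'phone'
May  8 19:49:53 fvs336g charon[45696]: 10[ENC] <con-mobile|11> parsed INFORMATIONAL_V1 request 4237118571 [ HASH N(DPD_ACK) ]
"""

# Constructed: the lines a working session would add once Quick Mode (phase 2)
# completes, in the wording charon uses for an IKEv1 CHILD_SA. SPIs are made up.
SAMPLE_WORKING = SAMPLE_STALLED + """\
May  8 19:49:44 fvs336g charon[45696]: 13[ENC] <con-mobile|11> parsed QUICK_MODE request 1 [ HASH SA No ID ID ]
May  8 19:49:44 fvs336g charon[45696]: 13[CFG] <con-mobile|11> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
May  8 19:49:44 fvs336g charon[45696]: 13[IKE] <con-mobile|11> CHILD_SA con-mobile{1} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 0.0.0.0/0 === 10.125.209.1/32
"""

IKE_UP = re.compile(r"IKE_SA \S+\[\d+\] state change: \S+ => ESTABLISHED")
CHILD_UP = re.compile(r"CHILD_SA \S+\{\d+\} established with SPIs")
PROPOSAL = re.compile(r"selected proposal: (IKE|ESP|AH):(\S+)")
VIRTUAL_IP = re.compile(r"assigning virtual IP (\S+) to peer '([^']+)'")
XAUTH_OK = re.compile(r"XAuth authentication of '([^']+)' successful")

# Algorithm name fragments a reviewer would flag in a selected proposal
# (MODP_1024 is DH group 2, 1024-bit; DES/3DES and MD5 are legacy).
WEAK_MARKERS = ("MODP_768", "MODP_1024", "DES_CBC", "MD5")


def analyse(log_text):
    """Return a dict describing how far the IKEv1 session got."""
    r = {
        "phase1": False, "phase2": False, "quick_mode_seen": False,
        "behind_nat": False, "dpd_answered": False,
        "xauth_user": None, "virtual_ip": None,
        "proposals": {}, "weak_algos": [],
    }
    for line in log_text.splitlines():
        if IKE_UP.search(line):
            r["phase1"] = True
        if "QUICK_MODE" in line:
            r["quick_mode_seen"] = True
        if CHILD_UP.search(line):
            r["phase2"] = True
        if "remote host is behind NAT" in line:
            r["behind_nat"] = True
        if "N(DPD_ACK)" in line:
            r["dpd_answered"] = True
        m = XAUTH_OK.search(line)
        if m:
            r["xauth_user"] = m.group(1)
        m = VIRTUAL_IP.search(line)
        if m:
            r["virtual_ip"] = m.group(1)
        m = PROPOSAL.search(line)
        if m:
            proto, algs = m.group(1), m.group(2)
            r["proposals"][proto] = algs
            for alg in algs.split("/"):
                if any(w in alg for w in WEAK_MARKERS):
                    r["weak_algos"].append(f"{proto}:{alg}")
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    """Classify the session: a phase 1 SA alone carries no user traffic."""
    if r["phase2"]:
        return "ok"
    if not r["phase1"]:
        return "phase1_failed"
    if not r["quick_mode_seen"]:
        return "no_quick_mode"   # IKE_SA up, but no ESP SA was ever negotiated
    return "quick_mode_failed"


EXPLANATIONS = {
    "ok": "IKE_SA and CHILD_SA established; if traffic still fails, look at routing and firewall rules.",
    "phase1_failed": "Phase 1 never reached ESTABLISHED; check proposals, PSK/XAuth and NAT-T.",
    "no_quick_mode": "Phase 1 and XAuth succeeded and a virtual IP was handed out, but the client "
                     "never started Quick Mode, so no ESP tunnel exists; only DPD keepalives flow.",
    "quick_mode_failed": "Quick Mode was attempted but no CHILD_SA came up; compare phase 2 "
                         "proposals and traffic selectors on both sides.",
}


def summarise(log_text):
    """Human-readable verdict plus any weak-algorithm findings."""
    r = analyse(log_text)
    lines = [f"verdict: {r['verdict']} - {EXPLANATIONS[r['verdict']]}"]
    if r["weak_algos"]:
        lines.append("weak algorithms in selected proposals: " + ", ".join(r["weak_algos"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarise(SAMPLE_STALLED))
    print()
    print(summarise(SAMPLE_WORKING))
```

Feed it the real file with `analyse(open("/var/log/ipsec.log").read())` (path assumed; pfSense writes charon output to its IPsec log). On the posted log it reports no_quick_mode, which points at the client's phase 2 configuration rather than at firewall rules or the carrier, since a firewall rule problem would show up after a CHILD_SA exists and a carrier block would already have stopped phase 1.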

Are there IPSEC firewall rules to allow it to talk to your LAN on your pfsense firewall?
Is the firewall of the device you’re trying to ping blocking the comms?

For now the IPsec interface has a wide-open rule until I figure this out. As for the devices I'm pinging, none of them has a firewall. But the firewall right now is not the concern: I started a packet capture on the IPsec interface but it captured nothing…

Does the IP address of the phone conflict with the range of the remote network?

No. The phone carrier uses the 100.x.x.x range, my LAN is in 10.x.x.x.

Maybe it’s your phone carrier blocking it…?

Don't think so, then it would fail right away at phase 1… OpenVPN connects fine but it is a battery hog.