[strongSwan] can not establish MSCHAPv2 tunnel using ipsec.conf/ipsec.secrets in strongswan 4.6.1 release on Android Gingerbread

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 22 11:08:17 CET 2011


Hello Nitin,

if you define

   left=%any

then by default

   leftid=%any

which is not a valid initiator ID type. As a workaround just define
an explicit ID:

   leftid=<my_id>

Regards

Andreas

  On 11/22/2011 09:50 AM, Nitin Verma wrote:
> Yes Andreas, that worked straightaway. Thanks.
>
> However, I am further facing two problems. First, in my configuration, I
> get a dynamic IP for my Android client, whereas in my ipsec.conf at
> Android I am giving a fixed IP address in the "left" field. When I use
> "left=%defaultroute", I get the following error:
>
> # ipsec starter
> uname: not found
> uname: not found
> [: not found
> Starting strongSwan 4.6.1 IPsec [starter]...
> removing pidfile '/data/misc/vpn/charon.pid', process not running
> %defaultroute not supported, fallback to %any
> modprobe: not found
> modprobe: not found
> modprobe: not found
> modprobe: not found
> modprobe: not found
> removing pidfile '/data/misc/vpn/starter.pid', process not running
> #
> #
> #
> # ipsec stroke up android
> uname: not found
> uname: not found
> [: not found
> initiating IKE_SA android[1] to 192.168.1.154
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.5[500] to 192.168.1.154[500]
> received packet: from 192.168.1.154[500] to 192.168.1.5[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> sending cert request for "C=UK, CN=nits"
> establishing CHILD_SA android
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR
> DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.5[4500] to 192.168.1.154[4500]
> received packet: from 192.168.1.154[500] to 192.168.1.5[500]
> parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
> received INVALID_SYNTAX notify error
>
> LOGCAT::
> ======
> I/charon  (  466): 00[CFG] loading ca certificates from
> '/system/etc/ipsec.d/cacerts'
> I/charon  (  466): 00[CFG]   loaded ca certificate "C=UK, CN=nits" from
> '/system/etc/ipsec.d/cacerts/strongswanCert.pem'
> I/charon  (  466): 00[CFG] loading aa certificates from
> '/system/etc/ipsec.d/aacerts'
> I/charon  (  466): 00[LIB] opening directory
> '/system/etc/ipsec.d/aacerts' failed: No such file or directory
> I/charon  (  466): 00[CFG]   reading directory failed
> I/charon  (  466): 00[CFG] loading ocsp signer certificates from
> '/system/etc/ipsec.d/ocspcerts'
> I/charon  (  466): 00[LIB] opening directory
> '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
> I/charon  (  466): 00[CFG]   reading directory failed
> I/charon  (  466): 00[CFG] loading attribute certificates from
> '/system/etc/ipsec.d/acerts'
> I/charon  (  466): 00[LIB] opening directory
> '/system/etc/ipsec.d/acerts' failed: No such file or directory
> I/charon  (  466): 00[CFG]   reading directory failed
> I/charon  (  466): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
> I/charon  (  466): 00[LIB] opening directory '/system/etc/ipsec.d/crls'
> failed: No such file or directory
> I/charon  (  466): 00[CFG]   reading directory failed
> I/charon  (  466): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'
> I/charon  (  466): 00[CFG]   loaded EAP secret for deepika
> I/charon  (  466): 00[DMN] loaded plugins: openssl fips-prf random
> pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android stroke
> eap-identity eap-mschapv2 eap-md5
> I/charon  (  466): 00[JOB] spawning 16 worker threads
> I/charon  (  466): 10[CFG] received stroke: add connection 'android'
> I/charon  (  466): 10[CFG] left nor right host is our side, assuming
> left=local
> I/charon  (  466): 10[CFG] added configuration 'android'
> I/charon  (  466): 03[CFG] received stroke: initiate 'android'
> I/charon  (  466): 13[IKE] initiating IKE_SA android[1] to 192.168.1.154
> I/charon  (  466): 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) ]
> I/charon  (  466): 13[NET] sending packet: from 192.168.1.5[500] to
> 192.168.1.154[500]
> I/charon  (  466): 14[NET] received packet: from 192.168.1.154[500] to
> 192.168.1.5[500]
> I/charon  (  466): 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> I/charon  (  466): 14[IKE] sending cert request for "C=UK, CN=nits"
> I/charon  (  466): 14[IKE] establishing CHILD_SA android
> I/charon  (  466): 14[ENC] generating IKE_AUTH request 1 [ IDi
> N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
> N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> I/charon  (  466): 14[NET] sending packet: from 192.168.1.5[4500] to
> 192.168.1.154[4500]
> I/charon  (  466): 15[NET] received packet: from 192.168.1.154[500] to
> 192.168.1.5[500]
> I/charon  (  466): 15[ENC] parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
> I/charon  (  466): 15[IKE] received INVALID_SYNTAX notify error
>
> SYSLOG at server:
> ==============
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[MGR] checkout IKE_SA by
> message
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[MGR] created IKE_SA
> (unnamed)[4]
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[NET] received packet:
> from 192.168.1.5[500] to 192.168.1.154[500]
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[ENC] parsed IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] looking for an ike
> config for 192.168.1.154...192.168.1.5
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG]   candidate:
> 192.168.1.154...%any, prio 5
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] found matching ike
> config: 192.168.1.154...%any with prio 5
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] 192.168.1.5 is
> initiating an IKE_SA
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] 192.168.1.5 is
> initiating an IKE_SA
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] IKE_SA
> (unnamed)[4] state change: CREATED => CONNECTING
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] selecting proposal:
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG]   proposal matches
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] received
> proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] configured
> proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
> IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
> IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
>
> Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] selected proposal:
> IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[ENC] generating
> IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[NET] sending packet:
> from 192.168.1.154[500] to 192.168.1.5[500]
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[MGR] checkin IKE_SA
> (unnamed)[4]
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[MGR] check-in of IKE_SA
> successful.
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] checkout IKE_SA by
> message
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] IKE_SA
> (unnamed)[4] successfully checked out
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[NET] received packet:
> from 192.168.1.5[4500] to 192.168.1.154[4500]
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] received ID with
> reserved type 0
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] ID_INITIATOR
> verification failed
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] could not decrypt
> payloads
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[IKE] message
> verification failed
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] generating
> IKE_AUTH response 1 [ N(INVAL_SYN) ]
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[NET] sending packet:
> from 192.168.1.154[500] to 192.168.1.5[500]
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[IKE] IKE_AUTH request
> with message ID 1 processing failed
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] checkin IKE_SA
> (unnamed)[4]
>
> Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] check-in of IKE_SA
> successful.
>
> Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] checkout IKE_SA
>
> Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] IKE_SA
> (unnamed)[4] successfully checked out
>
> Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[JOB] deleting half open
> IKE_SA after timeout
>
> Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] checkin and
> destroy IKE_SA (unnamed)[4]
>
> Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[IKE] IKE_SA
> (unnamed)[4] state change: CONNECTING => DESTROYING
>
> Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] check-in and
> destroy of IKE_SA successful
>
> Does that mean "defaultroute" does not work at Android? Every time I get
> a different IP from the gateway, do I have to modify the ipsec.conf?
>
> My second problem is that since the ipsec stop command does not work
> directly, I have to restart the phone every time I make changes in
> ipsec.conf. Is there any way to avoid the restart in Android?
>
> My apologies for bothering you with so many questions.
>
> Regards,
> Nitin
>
>
>
>
> On Mon, Nov 21, 2011 at 5:51 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>     Hi Nitin,
>
>     on the Android side add
>
>       leftsourceip=%config
>
>     to the connection definition in ipsec.conf.
>
>     Regards
>
>     Andreas
>
>     On 21.11.2011 12:38, Nitin Verma wrote:
>      > Hi Andreas,
>      > Thanks for the quick reply. It solved the problem.
>      > Now at the Android:
>      >
>      > # ipsec stroke status
>      > uname: not found
>      > uname: not found
>      > [: not found
>      > Security Associations (1 up, 0 connecting):
>      >      android[2]: ESTABLISHED 6 minutes ago,
>      > 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
>      >      android{1}:  INSTALLED, TUNNEL, ESP SPIs: c5974d0b_i c8a59239_o
>      >      android{1}: 192.168.1.2/32 === 192.168.1.154/32
>      > #
>      >
>      > # ipsec stroke up android
>      > uname: not found
>      > uname: not found
>      > [: not found
>      > initiating IKE_SA android[2] to 192.168.1.154
>      > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>     N(NATD_D_IP) ]
>      > sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
>      > received packet: from 192.168.1.154[500] to 192.168.1.2[500]
>      > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>      > N(MULT_AUTH) ]
>      > sending cert request for "C=UK, CN=nits"
>      > establishing CHILD_SA android
>      > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr
>     CP(DNS)
>      > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>      > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
>      > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
>      > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
>      > received end entity cert "C=UK, CN=nits"
>      >   using certificate "C=UK, CN=nits"
>      >   using trusted ca certificate "C=UK, CN=nits"
>      >   reached self-signed root ca with a path length of 0
>      > authentication of '192.168.1.154' with RSA signature successful
>      > server requested EAP_IDENTITY (id 0x00), sending 'deepika'
>      > generating IKE_AUTH request 2 [ EAP/RES/ID ]
>      > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
>      > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
>      > parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
>      > server requested EAP_MSCHAPV2 authentication (id 0x79)
>      > generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
>      > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
>      > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
>      > parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
>      > EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
>      > generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
>      > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
>      > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
>      > parsed IKE_AUTH response 4 [ EAP/SUCC ]
>      > EAP method EAP_MSCHAPV2 succeeded, MSK established
>      > authentication of '192.168.1.2' (myself) with EAP
>      > generating IKE_AUTH request 5 [ AUTH ]
>      > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
>      > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
>      > parsed IKE_AUTH response 5 [ AUTH SA TSi TSr N(AUTH_LFT)
>     N(MOBIKE_SUP)
>      > N(NO_ADD_ADDR) ]
>      > authentication of '192.168.1.154' with EAP successful
>      > IKE_SA android[2] established between
>      > 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
>      > scheduling reauthentication in 3362s
>      > maximum IKE_SA lifetime 3542s
>      >
>      > I noticed that it doesn't request a virtual IP, as it did when I used
>      > the front-end related changes. Is it possible to request the
>      > virtual IP also?
>      >
>      > Thanks again.
>      > Regards,
>      > Nitin
>      >
>      >
>      > On Mon, Nov 21, 2011 at 4:19 PM, Andreas Steffen
>      > <andreas.steffen at strongswan.org> wrote:
>      >
>      >     Hello Nitin,
>      >
>      >     your Ubuntu server does not initiate EAP-Identity. Therefore
>      >     the EAP-MSCHAPv2 authentication requested is for IKEv2 user
>      >     identity 192.168.1.2 and not for EAP identity deepika.
>      >
>      >     You should change the Ubuntu server entry to
>      >
>      >     eap_identity=%any
>      >
>      >     and make sure that you enabled, built and loaded the eap_identity
>      >     plugin.
>      >
>      >     Regards
>      >
>      >     Andreas
>      >
>      >     On 21.11.2011 10:56, Nitin Verma wrote:
>      > > Hi,
>      > > I have been able to successfully establish an IPsec IKEv2 tunnel
>      > > between Nexus S (running 2.3.5_r1) and an Ubuntu server. However,
>      > > the latest 4.6.1 release supports starter and stroke executables
>      > > on Android and I am trying to establish the same connection using
>      > > ipsec.conf and ipsec.secrets.
>      > >
>      > > My server side configuration is:
>      > > ======================
>      > >
>      > > server IP: 192.168.1.154
>      > >
>      > > ipsec.conf:
>      > >
>      > > config setup
>      > >         crlcheckinterval=180
>      > >         strictcrlpolicy=no
>      > >         plutostart=no
>      > >         charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
>      > >
>      > > conn %default
>      > >         ikelifetime=60m
>      > >         keylife=20m
>      > >         rekeymargin=3m
>      > >         keyingtries=1
>      > >         keyexchange=ikev2
>      > >         # leftcert=moonCert.pem
>      > >
>      > > # Add connections here.
>      > >
>      > > conn android
>      > >     left=192.168.1.154
>      > >     leftid=192.168.1.154
>      > >     leftcert=moonCert.pem
>      > >     leftauth=pubkey
>      > >     right=%any
>      > >     rightsourceip=10.0.5.0/24
>      > >     rightauth=eap-mschapv2
>      > >     rightsendcert=never
>      > >     eap_identity=deepika
>      > >     auto=add
>      > >
>      > > ipsec.secrets:
>      > >
>      > > : RSA moonKey.pem
>      > >
>      > > deepika : EAP "deepika"
>      > >
>      > > Configuration at Nexus S (Android 2.3.5_r1):
>      > > ================================
>      > >
>      > > I manually created the "ipsec.d" directory in /system/etc/ and put
>      > > my CA certificate in cacerts there, and then created ipsec.conf and
>      > > ipsec.secrets in /system/etc/
>      > >
>      > > /system/etc/ipsec.conf
>      > >
>      > > config setup
>      > >     plutostart=no
>      > >     charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
>      > >
>      > > conn %default
>      > >     ikelifetime=60m
>      > >     keylife=20m
>      > >     rekeymargin=3m
>      > >     keyingtries=1
>      > >     keyexchange=ikev2
>      > >
>      > > # Add connections here.
>      > >
>      > > # Sample VPN connections
>      > >
>      > > conn android
>      > >     left=192.168.1.2
>      > >     leftauth=eap
>      > >     eap_identity=deepika
>      > >     right=192.168.1.154
>      > >     rightid=192.168.1.154
>      > >     rightauth=pubkey
>      > >     auto=add
>      > >
>      > > /system/etc/ipsec.secrets
>      > >
>      > > deepika : EAP "deepika"
>      > >
>      > >
>      > >
>      > > But when I start the connection I am getting the following error:
>      > >
>      > > # ipsec stroke up android
>      > > uname: not found
>      > > uname: not found
>      > > [: not found
>      > > initiating IKE_SA android[2] to 192.168.1.154
>      > > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>      >     N(NATD_D_IP) ]
>      > > sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
>      > > received packet: from 192.168.1.154[500] to 192.168.1.2[500]
>      > > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>      > > N(MULT_AUTH) ]
>      > > sending cert request for "C=UK, CN=nits"
>      > > establishing CHILD_SA android
>      > > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr
>      >     CP(DNS)
>      > > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>      > > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
>      > > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
>      > > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>      > > received end entity cert "C=UK, CN=nits"
>      > >   using certificate "C=UK, CN=nits"
>      > >   using trusted ca certificate "C=UK, CN=nits"
>      > >   reached self-signed root ca with a path length of 0
>      > > authentication of '192.168.1.154' with RSA signature successful
>      > > server requested EAP_MSCHAPV2 authentication (id 0x75)
>      > > no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
>      > > EAP_MSCHAPV2 method failed
>      > >
>      > >
>      > > Output of logcat:
>      > >
>      > > I/charon  (  469): 00[CFG] loading ca certificates from
>      > > '/system/etc/ipsec.d/cacerts'
>      > > I/charon  (  469): 00[CFG]   loaded ca certificate "C=UK, CN=nits"
>      >     from
>      > > '/system/etc/ipsec.d/cacerts/strongswanCert.pem'
>      > > I/charon  (  469): 00[CFG] loading aa certificates from
>      > > '/system/etc/ipsec.d/aacerts'
>      > > I/charon  (  469): 00[LIB] opening directory
>      > > '/system/etc/ipsec.d/aacerts' failed: No such file or directory
>      > > I/charon  (  469): 00[CFG]   reading directory failed
>      > > I/charon  (  469): 00[CFG] loading ocsp signer certificates from
>      > > '/system/etc/ipsec.d/ocspcerts'
>      > > I/charon  (  469): 00[LIB] opening directory
>      > > '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
>      > > I/charon  (  469): 00[CFG]   reading directory failed
>      > > I/charon  (  469): 00[CFG] loading attribute certificates from
>      > > '/system/etc/ipsec.d/acerts'
>      > > I/charon  (  469): 00[LIB] opening directory
>      > > '/system/etc/ipsec.d/acerts' failed: No such file or directory
>      > > I/charon  (  469): 00[CFG]   reading directory failed
>      > > I/charon  (  469): 00[CFG] loading crls from
>      > '/system/etc/ipsec.d/crls'
>      > > I/charon  (  469): 00[LIB] opening directory
>      > '/system/etc/ipsec.d/crls'
>      > > failed: No such file or directory
>      > > I/charon  (  469): 00[CFG]   reading directory failed
>      > > I/charon  (  469): 00[CFG] loading secrets from
>      > '/system/etc/ipsec.secrets'
>      > > I/charon  (  469): 00[CFG]   loaded EAP secret for deepika
>      > > I/charon  (  469): 00[DMN] loaded plugins: openssl fips-prf random
>      > > pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android
>      >     stroke
>      > > eap-identity eap-mschapv2 eap-md5
>      > > I/charon  (  469): 00[JOB] spawning 16 worker threads
>      > > I/charon  (  469): 11[CFG] received stroke: add connection
>     'android'
>      > > I/charon  (  469): 11[CFG] added configuration 'android'
>      > >
>      > > I/charon  (  469): 12[CFG] received stroke: initiate 'android'
>      > > I/charon  (  469): 14[IKE] initiating IKE_SA android[1] to
>      >     192.168.1.154
>      > > I/charon  (  469): 14[ENC] generating IKE_SA_INIT request 0 [
>     SA KE No
>      > > N(NATD_S_IP) N(NATD_D_IP) ]
>      > > I/charon  (  469): 14[NET] sending packet: from 192.168.1.2[500] to
>      > > 192.168.1.154[500]
>      > > D/GpsLocationProvider(  107): NTP server returned:
>     1321866231250 (Mon
>      > > Nov 21 09:03:51 GMT+00:00 2011) reference: 318100 certainty: 337
>      >     system
>      > > time offset: -20070741
>      > > I/charon  (  469): 15[IKE] retransmit 1 of request with message
>     ID 0
>      > > I/charon  (  469): 15[NET] sending packet: from 192.168.1.2[500] to
>      > > 192.168.1.154[500]
>      > > I/charon  (  469): 03[IKE] retransmit 2 of request with message
>     ID 0
>      > > I/charon  (  469): 03[NET] sending packet: from 192.168.1.2[500] to
>      > > 192.168.1.154[500]
>      > > I/charon  (  469): 16[IKE] retransmit 3 of request with message
>     ID 0
>      > > I/charon  (  469): 16[NET] sending packet: from 192.168.1.2[500] to
>      > > 192.168.1.154[500]
>      > > I/charon  (  469): 02[NET] received packet: from
>     192.168.1.154[500] to
>      > > 192.168.1.2[500]
>      > > I/charon  (  469): 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
>      > > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>      > > I/charon  (  469): 02[IKE] sending cert request for "C=UK, CN=nits"
>      > > I/charon  (  469): 02[IKE] establishing CHILD_SA android
>      > > I/charon  (  469): 02[ENC] generating IKE_AUTH request 1 [ IDi
>      > > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
>      > > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>      > > I/charon  (  469): 02[NET] sending packet: from
>     192.168.1.2[4500] to
>      > > 192.168.1.154[4500]
>      > > I/charon  (  469): 01[NET] received packet: from
>      >     192.168.1.154[4500] to
>      > > 192.168.1.2[4500]
>      > > I/charon  (  469): 01[ENC] parsed IKE_AUTH response 1 [ IDr
>     CERT AUTH
>      > > EAP/REQ/MSCHAPV2 ]
>      > > I/charon  (  469): 01[IKE] received end entity cert "C=UK, CN=nits"
>      > > I/charon  (  469): 01[CFG]   using certificate "C=UK, CN=nits"
>      > > I/charon  (  469): 01[CFG]   using trusted ca certificate "C=UK,
>      >     CN=nits"
>      > > I/charon  (  469): 01[CFG]   reached self-signed root ca with a
>     path
>      > > length of 0
>      > > I/charon  (  469): 01[IKE] authentication of '192.168.1.154'
>     with RSA
>      > > signature successful
>      > > I/charon  (  469): 01[IKE] server requested EAP_MSCHAPV2
>      >     authentication
>      > > (id 0xFD)
>      > > I/charon  (  469): 01[IKE] no EAP key found for hosts
>      > '192.168.1.154' -
>      > > '192.168.1.2'
>      > > I/charon  (  469): 01[IKE] EAP_MSCHAPV2 method failed
>      > > I/dalvikvm(  164): Total arena pages for JIT: 11
>      > > I/charon  (  469): 11[CFG] received stroke: initiate 'android'
>      > > I/charon  (  469): 14[IKE] initiating IKE_SA android[2] to
>      >     192.168.1.154
>      > > I/charon  (  469): 14[ENC] generating IKE_SA_INIT request 0 [
>     SA KE No
>      > > N(NATD_S_IP) N(NATD_D_IP) ]
>      > > I/charon  (  469): 14[NET] sending packet: from 192.168.1.2[500] to
>      > > 192.168.1.154[500]
>      > > I/charon  (  469): 15[NET] received packet: from
>     192.168.1.154[500] to
>      > > 192.168.1.2[500]
>      > > I/charon  (  469): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
>      > > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>      > > I/charon  (  469): 15[IKE] sending cert request for "C=UK, CN=nits"
>      > > I/charon  (  469): 15[IKE] establishing CHILD_SA android
>      > > I/charon  (  469): 15[ENC] generating IKE_AUTH request 1 [ IDi
>      > > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
>      > > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>      > > I/charon  (  469): 15[NET] sending packet: from
>     192.168.1.2[4500] to
>      > > 192.168.1.154[4500]
>      > > I/charon  (  469): 03[NET] received packet: from
>      >     192.168.1.154[4500] to
>      > > 192.168.1.2[4500]
>      > > I/charon  (  469): 03[ENC] parsed IKE_AUTH response 1 [ IDr
>     CERT AUTH
>      > > EAP/REQ/MSCHAPV2 ]
>      > > I/charon  (  469): 03[IKE] received end entity cert "C=UK, CN=nits"
>      > > I/charon  (  469): 03[CFG]   using certificate "C=UK, CN=nits"
>      > > I/charon  (  469): 03[CFG]   using trusted ca certificate "C=UK,
>      >     CN=nits"
>      > > I/charon  (  469): 03[CFG]   reached self-signed root ca with a
>     path
>      > > length of 0
>      > > I/charon  (  469): 03[IKE] authentication of '192.168.1.154'
>     with RSA
>      > > signature successful
>      > > I/charon  (  469): 03[IKE] server requested EAP_MSCHAPV2
>      >     authentication
>      > > (id 0x75)
>      > > I/charon  (  469): 03[IKE] no EAP key found for hosts
>      > '192.168.1.154' -
>      > > '192.168.1.2'
>      > > I/charon  (  469): 03[IKE] EAP_MSCHAPV2 method failed
>      > >
>      > > Am I missing something, or are there some issues with the release?
>      > >
>      > > Thanks in advance.
>      > > Regards,
>
>     ======================================================================
>     Andreas Steffen                         andreas.steffen at strongswan.org
>     strongSwan - the Linux VPN Solution!                www.strongswan.org
>     Institute for Internet Technologies and Applications
>     University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[ITA-HSR]==
>
>


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
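As an added example (not code from this thread or from the strongSwan project), a small Python linter that parses ipsec.conf connection entries, applying conn %default inheritance, and flags the three misconfigurations the thread walks through: left=%any without an explicit leftid, an EAP client without leftsourceip=%config, and a responder whose eap_identity is not %any. The sample entries are constructed from the configs posted above; the leftid value in the fixed entry is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples reproducing the relevant keys of the client and server
# entries posted in the thread.
ANDROID_CONF = """\
conn android
    left=%any
    leftauth=eap
    eap_identity=deepika
    right=192.168.1.154
    rightauth=pubkey
"""

SERVER_CONF = """\
conn %default
    keyexchange=ikev2
    # leftcert=moonCert.pem

conn android
    left=192.168.1.154
    leftid=192.168.1.154
    leftauth=pubkey
    right=%any
    rightsourceip=10.0.5.0/24
    rightauth=eap-mschapv2
    eap_identity=deepika
"""

# Client entry with the thread's fixes applied (leftid value is a placeholder).
ANDROID_FIXED = ANDROID_CONF.replace(
    "    left=%any\n",
    "    left=%any\n    leftid=nexus-placeholder\n    leftsourceip=%config\n")

Finding = Tuple[str, str, str]  # (conn name, code, explanation)


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn: {key: value}}; keys of 'conn %default' are inherited by
    every other conn, as ipsec starter does. '#' comments are dropped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        head = re.match(r"^(conn|config|ca)\s+(\S+)\s*$", line)
        if head:
            current = sections.setdefault(" ".join(head.groups()), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    default = sections.get("conn %default", {})
    return {name[5:]: {**default, **values} for name, values in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def lint_conn(name: str, c: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    left, leftid = c.get("left"), c.get("leftid")
    # 1. left=%any (also what %defaultroute falls back to on Android) makes
    #    leftid default to %any, which is not a valid initiator ID: the
    #    responder logs "received ID with reserved type 0" and answers
    #    IKE_AUTH with INVALID_SYNTAX. An initiator needs an explicit leftid.
    if left in ("%any", "%defaultroute") and leftid in (None, "%any"):
        out.append((name, "leftid-any",
                    f"left={left} without an explicit leftid; set leftid=<id>"))
    # 2. An EAP client only requests a virtual IP (CP(ADDR ...) in IKE_AUTH)
    #    when leftsourceip=%config is set.
    if c.get("leftauth") == "eap" and c.get("leftsourceip") != "%config":
        out.append((name, "no-leftsourceip",
                    "EAP client without leftsourceip=%config gets no virtual IP"))
    # 3. A responder using an EAP method with a fixed (or missing) eap_identity
    #    never sends EAP-Identity, so EAP-MSCHAPv2 runs for the IKEv2 identity
    #    (the client's IP) and no matching EAP secret is found.
    if c.get("rightauth", "").startswith("eap") and c.get("eap_identity") != "%any":
        out.append((name, "eap-identity-fixed",
                    "responder should set eap_identity=%any to ask for the EAP identity"))
    return out


def lint(text: str) -> List[Finding]:
    return [f for name, c in parse_ipsec_conf(text).items()
            for f in lint_conn(name, c)]
```

Running `lint(ANDROID_CONF)` reports the two client-side findings, `lint(SERVER_CONF)` the responder-side one, and `lint(ANDROID_FIXED)` nothing.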



