[strongSwan] Upgraded from 4.5.2 and now Motorola Droid Pro is broken

Clarence clarencehj at gmail.com
Thu Oct 25 17:59:31 CEST 2012


Hi All...

I've been banging my head against the wall for about a week now and I can't get my Motorola Droid Pro phone to connect to StrongSwan 5.0.1.

This is the deal... It worked with StrongSwan v4.5.2 but as soon as I upgraded to 5.0.1 it broke. I



I think it may be failing to connect because of the following 3 lines:
  -- Oct 24 16:49:36 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
  -- Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
  -- Oct 24 16:49:36 16[CFG] configured proposals:  ... <see below>

I also tried several different settings for the "esp=" and the "ike=" options. We also changed the templates file that Authentec uses to set up new VPN connections. I have even created a template that matches the settings that are suggested in the charon.log file (the "configured proposals:" line) and it still fails to connect.

Is the new StrongSwan incompatible with Android Froyo phones (Motorola Droid Pro)???




--------------------   ipsec.conf  -------------------

config setup
      # plutodebug=all
      # crlcheckinterval=600
      # strictcrlpolicy=yes
      # strictcrlpolicy=no
      # cachecrls=yes
      # nat_traversal=yes
      #  charonstart=yes
      #  plutostart=no

conn MOTOROLA
      left=1.1.1.51 #outside source ip
      leftsubnet=0.0.0.0/0
      leftcert=MOTOROLA.pem
      right=%any
      rightsourceip=192.168.151.128/25
      keyexchange=ikev2
      auto=add
      forceencaps=yes
      #  esp=aes256gcm16,aes128gcm16!
      # AES_GCM_16_256
      #  ike=aes128-sha384-modp2048,aes256-sha384-modp2048!
      leftfirewall=no



--------------------------------------  charon.log  -------------------------------------------

Oct 24 16:49:36 03[NET] received packet: from 1.1.1.58[60500] to
1.1.1.51[500]
Oct 24 16:49:36 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) V ]
Oct 24 16:49:36 03[ENC] received unknown vendor ID:
ff:44:ff:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
Oct 24 16:49:36 03[IKE] 1.1.1.58 is initiating an IKE_SA
Oct 24 16:49:36 03[IKE] faking NAT situation to enforce UDP encapsulation
Oct 24 16:49:36 03[IKE] sending cert request for "C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
Oct 24 16:49:36 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 24 16:49:36 03[NET] sending packet: from 1.1.1.51[500] to
1.1.1.58[60500]
Oct 24 16:49:36 16[NET] received packet: from 1.1.1.58[64500] to
1.1.1.51[4500]
Oct 24 16:49:36 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH
CP(MASK ADDR DNS) SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT)
N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Oct 24 16:49:36 16[IKE] received cert request for "C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
Oct 24 16:49:36 16[IKE] received end entity cert "C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
Oct 24 16:49:36 16[CFG] looking for peer configs matching
1.1.1.51[%any]...1.1.1.58[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC,
CN=0128-1024-MOTOROLA]
Oct 24 16:49:36 16[CFG] selected peer config 'MOTOROLA'
Oct 24 16:49:36 16[CFG]   using certificate "C=US, ST=Florida, L=TimBuck2,
O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
Oct 24 16:49:36 16[CFG]   using trusted ca certificate "C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
Oct 24 16:49:36 16[CFG] checking certificate status of "C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
Oct 24 16:49:36 16[CFG] certificate status is not available
Oct 24 16:49:36 16[CFG]   reached self-signed root ca with a path length of
0
Oct 24 16:49:36 16[IKE] authentication of 'C=US, ST=Florida, L=TimBuck2,
O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' with RSA signature successful
Oct 24 16:49:36 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using
ESPv3 TFC padding
Oct 24 16:49:36 16[IKE] destroying duplicate IKE_SA for peer 'C=US,
ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA', received
INITIAL_CONTACT
Oct 24 16:49:36 16[CFG] lease 192.168.151.129 by 'C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' went offline
Oct 24 16:49:36 16[IKE] authentication of 'C=US, ST=Florida, L=TimBuck2,
O=ABC123, OU=ABC, CN=crap-cacert-2048-GD' (myself) with RSA signature
successful
Oct 24 16:49:36 16[IKE] IKE_SA MOTOROLA[15] established between
1.1.1.51[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC,
CN=crap-cacert-2048-GD]...1.1.1.58[C=US, ST=Florida, L=TimBuck2, O=ABC123,
OU=ABC, CN=0128-1024-MOTOROLA]
Oct 24 16:49:36 16[IKE] scheduling reauthentication in 10160s
Oct 24 16:49:36 16[IKE] maximum IKE_SA lifetime 10700s
Oct 24 16:49:36 16[IKE] sending end entity cert "C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
Oct 24 16:49:36 16[IKE] peer requested virtual IP %any
Oct 24 16:49:36 16[CFG] reassigning offline lease to 'C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA'
Oct 24 16:49:36 16[IKE] assigning virtual IP 192.168.151.129 to peer 'C=US,
ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA'
Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Oct 24 16:49:36 16[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Oct 24 16:49:36 16[IKE] no acceptable proposal found
Oct 24 16:49:36 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Oct 24 16:49:36 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH
CP(ADDR DNS) N(AUTH_LFT) N(NO_PROP) ]
Oct 24 16:49:36 16[NET] sending packet: from 1.1.1.51[4500] to
1.1.1.58[64500]
Oct 24 19:38:56 03[IKE] initiator did not reauthenticate as requested
Oct 24 19:38:56 03[IKE] IKE_SA MOTOROLA[15] will timeout in 9 minutes
Oct 24 19:47:56 05[IKE] deleting IKE_SA MOTOROLA[15] between 1.1.1.51[C=US,
ST=Florida, L=TimBuck2, O=ABC123, OU=ABC,
CN=crap-cacert-2048-GD]...1.1.1.58[C=US, ST=Florida, L=TimBuck2, O=ABC123,
OU=ABC, CN=0128-1024-MOTOROLA]
Oct 24 19:47:56 05[IKE] sending DELETE for IKE_SA MOTOROLA[15]
Oct 24 19:47:56 05[ENC] generating INFORMATIONAL request 0 [ D ]
Oct 24 19:47:56 05[NET] sending packet: from 1.1.1.51[4500] to
1.1.1.58[64500]
Oct 24 19:48:00 15[IKE] retransmit 1 of request with message ID 0
Oct 24 19:48:00 15[NET] sending packet: from 1.1.1.51[4500] to
1.1.1.58[64500]
Oct 24 19:48:07 01[IKE] retransmit 2 of request with message ID 0
Oct 24 19:48:07 01[NET] sending packet: from 1.1.1.51[4500] to
1.1.1.58[64500]
Oct 24 19:48:20 02[IKE] retransmit 3 of request with message ID 0
Oct 24 19:48:20 02[NET] sending packet: from 1.1.1.51[4500] to
1.1.1.58[64500]
Oct 24 19:48:44 04[IKE] retransmit 4 of request with message ID 0
Oct 24 19:48:44 04[NET] sending packet: from 1.1.1.51[4500] to
1.1.1.58[64500]
Oct 24 19:49:26 03[IKE] retransmit 5 of request with message ID 0
Oct 24 19:49:26 03[NET] sending packet: from 1.1.1.51[4500] to
1.1.1.58[64500]
Oct 24 19:50:41 16[IKE] giving up after 5 retransmits
Oct 24 19:50:41 16[IKE] proper IKE_SA delete failed, peer not responding
Oct 24 19:50:41 16[CFG] lease 192.168.151.129 by 'C=US, ST=Florida,
L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' went offline
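An added example, not part of this post and not strongSwan's own code: a small Python checker that reads the "received proposals:" / "configured proposals:" pair charon logs while negotiating the CHILD_SA and reports whether any configured ESP proposal shares an algorithm set with what the peer sent. The first sample is the relevant lines from the post's charon.log, in the wrapped form the mail client left them (the parser rejoins continuation lines). The second sample is constructed: it assumes the format charon would print for the post's commented-out `esp=aes256gcm16,aes128gcm16!` line. The selection rule is a simplified model of a responder's per-transform-type choice, not strongSwan's implementation.

```python
"""Check charon.log ESP proposal lines for a responder/initiator match."""
import re
from typing import Any, Dict, List, Optional

# Sample taken from the post's charon.log, wrapped as the mail client left it.
SAMPLE_LOG = """\
Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Oct 24 16:49:36 16[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ,
ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Oct 24 16:49:36 16[IKE] no acceptable proposal found
"""

# Constructed sample (assumption about charon's exact output): what the
# configured line would look like with "esp=aes256gcm16,aes128gcm16!" enabled.
FIXED_LOG = """\
Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Oct 24 16:49:36 16[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ
"""

# "Oct 24 16:49:36 16[CFG] <message>"; group 1 is the message text.
LOG_LINE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d\d\[[A-Z]+\] ?(.*)$")

# Classify a transform by the name charon prints; order matters (last is catch-all).
TRANSFORM_TYPES = [
    ("esn", re.compile(r"^(NO_)?EXT_SEQ$")),
    ("dh", re.compile(r"^(MODP|ECP|CURVE)_")),
    ("integ", re.compile(r"^(HMAC_|AES_XCBC|AES_CMAC)")),
    ("encr", re.compile(r".")),  # anything else is a cipher (CBC or AEAD)
]


def classify(transform: str) -> str:
    for name, pattern in TRANSFORM_TYPES:
        if pattern.search(transform):
            return name
    raise ValueError(transform)


def parse_proposal(text: str) -> Dict[str, List[str]]:
    """'ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ' -> {type: [algs]}."""
    proto, sep, algs = text.strip().partition(":")
    if proto != "ESP" or not sep:
        raise ValueError(f"expected an ESP proposal, got {text!r}")
    by_type: Dict[str, List[str]] = {}
    for alg in algs.split("/"):
        by_type.setdefault(classify(alg), []).append(alg)
    return by_type


def unwrap(log: str) -> List[str]:
    """Rejoin lines a mail client wrapped: text without a timestamp prefix
    is a continuation of the previous log line."""
    lines: List[str] = []
    for raw in log.splitlines():
        if LOG_LINE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines


def extract_proposals(log: str) -> Dict[str, List[Dict[str, List[str]]]]:
    """Return {'received': [...], 'configured': [...]} parsed proposal lists."""
    found: Dict[str, List[Dict[str, List[str]]]] = {"received": [], "configured": []}
    for line in unwrap(log):
        m = LOG_LINE.match(line)
        if not m:
            continue
        msg = m.group(1)
        for side in found:
            prefix = f"{side} proposals:"
            if msg.startswith(prefix):
                body = msg[len(prefix):]
                found[side] = [parse_proposal(p) for p in body.split(",") if p.strip()]
    return found


def select(received: Dict[str, List[str]], configured: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Pick one algorithm per transform type in the responder's (configured) order.
    Returns None when a type both sides list has no common algorithm, or when one
    side lists a cipher/integrity/ESN type the other lacks (an AEAD cipher such
    as AES_GCM carries its own integrity, so it never pairs with a CBC+HMAC set).
    A DH group listed by only one side is ignored: the first CHILD_SA negotiated
    inside IKE_AUTH carries no key exchange. Simplified model, not strongSwan's code."""
    chosen: Dict[str, str] = {}
    for ttype in ("encr", "integ", "dh", "esn"):
        ours, theirs = configured.get(ttype, []), received.get(ttype, [])
        if not ours or not theirs:
            if ttype == "dh" or (not ours and not theirs):
                continue
            return None
        common = [a for a in ours if a in theirs]
        if not common:
            return None
        chosen[ttype] = common[0]
    return chosen


def check_log(log: str) -> Dict[str, Any]:
    """Report the first compatible configured/received pair, or the cipher gap."""
    props = extract_proposals(log)
    for conf in props["configured"]:
        for recv in props["received"]:
            chosen = select(recv, conf)
            if chosen:
                return {"match": True, "selected": chosen}
    return {
        "match": False,
        "received_encr": sorted({a for p in props["received"] for a in p.get("encr", [])}),
        "configured_encr": sorted({a for p in props["configured"] for a in p.get("encr", [])}),
    }


if __name__ == "__main__":
    for label, log in (("post", SAMPLE_LOG), ("constructed, GCM enabled", FIXED_LOG)):
        print(label, check_log(log))
```

Run against the post's lines, the checker reports no match: the phone offers only the combined-mode cipher AES_GCM_16_256 with no separate integrity algorithm, while every configured proposal is a CBC cipher paired with an HMAC, which is exactly what charon's "no acceptable proposal found" line states. The ESP_TFC_PADDING_NOT_SUPPORTED notification is informational and not involved. Against the constructed second sample, which corresponds to enabling the GCM `esp=` line commented out in the post's ipsec.conf, the same parser selects AES_GCM_16_256 with NO_EXT_SEQ.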