<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div><span><div>Hi Andreas, </div><div><br></div><div>I loaded the strongswan.conf to the android emulator,the Android is able to load the CA cert successfully. </div><div>Thanks!</div><div><br></div><div>Now I started from the Android emulator and tried to add the IKEv2 IPSec tunnel. I entered the name, address of the GW, then tried to connect. I entered the username/password. The login failed. I checked the ipsec.conf and followed Tobias instruction on wiki. Couldn't find out what I did wrong. I used zhen as the user name in the Android side. </div><div><br></div><div>Thanks in advance!</div><div>-Zhen </div><div> </div><div><div>The following is the main error on the GW side: <br></div><div><br></div><div>Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH,
O=strongSwan, CN=strongSwan CA" </div><div>Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen] </div><div>Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found </div></div><div><br></div><div><div>The GW cert DN is: C=CH, O=zhen, CN=emac which I used as the left side id for the gw's ipsec.conf file. </div><div><div>The CA cert DN is: C=CH, O=strongSwan, CN=strongSwan CA</div><div><br></div></div></div><div>/etc/ipsec.secrets:</div><div><br></div><div><div>": RSA peerKey.der</div><div>zhen : EAP "password"</div><div>"</div></div><div><br></div><div>ipsec.conf file in the GW side (note android is the conn to the android phone): </div><div><br></div><div>"conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div>
rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div>conn rw</div><div> right=%any</div><div> rightid=@192.168.121.101</div><div> rightsourceip=%dhcp</div><div> leftfirewall=yes</div><div> left=192.168.121.102</div><div> leftsubnet=192.168.2.0/24</div><div> leftid=@192.168.121.102</div><div> auto=add</div><div>conn android</div><div> leftsubnet=0.0.0.0/0</div><div> leftcert=peerCert1.der</div><div> leftauth=pubkey</div><div> leftid="C=CH, O=zhen, CN=emac"</div><div> right=%any</div><div>
rightsourceip=%dhcp</div><div> rightauth=eap-mschapv2</div><div> rightsendcert=never</div><div> keyexchange=ikev2</div><div> eap_identity=%any</div><div> auto=add</div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; ">"</div></span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; ">Gateway log: </div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div><div>Nov 20 19:51:30 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw socket-default updown eap-identity eap-md5 farp gtp </div><div>Nov 20 19:51:30
localhost charon: 00[JOB] spawning 16 worker threads </div><div>Nov 20 19:51:30 localhost charon: 06[CFG] received stroke: add connection 'rw' </div><div>Nov 20 19:51:30 localhost charon: 06[CFG] added configuration 'rw' </div><div>Nov 20 19:51:30 localhost charon: 08[CFG] received stroke: add connection 'android' </div><div>Nov 20 19:51:30 localhost charon: 08[CFG] left nor right host is our side, assuming left=local </div><div>Nov 20 19:51:30 localhost charon: 08[CFG] loaded certificate "C=CH, O=zhen, CN=emac" from 'peerCert1.der' </div><div>Nov 20 19:51:30 localhost charon: 08[CFG] added configuration 'android' </div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div><div>Nov 20 19:57:25 localhost charon: 10[NET] received packet: from 192.168.121.104[60653] to
192.168.121.102[500] </div><div>Nov 20 19:57:25 localhost charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] </div><div>Nov 20 19:57:25 localhost charon: 10[IKE] 192.168.121.104 is initiating an IKE_SA </div><div>Nov 20 19:57:25 localhost charon: 10[IKE] remote host is behind NAT </div><div>Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" </div><div>Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" </div><div>Nov 20 19:57:25 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] </div><div>Nov 20 19:57:25 localhost charon: 10[NET] sending packet: from 192.168.121.102[500] to 192.168.121.104[60653] </div><div>Nov 20 19:57:26 localhost charon: 11[NET] received packet: from 192.168.121.104[34320] to
192.168.121.102[4500] </div><div>Nov 20 19:57:26 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] </div><div>Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA" </div><div>Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen] </div><div>Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found </div><div>Nov 20 19:57:26 localhost charon: 11[IKE] peer supports MOBIKE </div><div>Nov 20 19:57:26 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] </div><div>Nov 20 19:57:26 localhost charon: 11[NET] sending packet: from 192.168.121.102[4500] to 192.168.121.104[34320] </div><div style="font-family: 'times new roman', 'new york', times,
serif; font-size: 12pt; "><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; ">Android adb logcat: </div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><div style="font-size: 16px; ">I/SProxy_charon( 351): Start VPN daemon: charon</div><div style="font-size: 16px; ">D/SProxy_charon( 351): charon is running after 0 msec</div><div style="font-size: 16px; ">D/SProxy_charon( 351): service not yet listen()ing; try again</div><div style="font-size: 16px; ">I/charon ( 800): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac
kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5 </div><div style="font-size: 16px; ">I/charon ( 800): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running</div><div style="font-size: 16px; ">I/charon ( 800): 00[JOB] spawning 16 worker threads</div><div style="font-size: 16px; ">I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4</div><div style="font-size: 16px; ">I/charon ( 800): 06[CFG] using CA certificate, gateway identitiy '192.168.121.102'</div><div style="font-size: 16px; ">I/charon ( 800): 06[CFG] status of Android plugin changed: 4</div><div style="font-size: 16px; ">I/SProxy_charon( 351): got data from control socket: 4</div><div style="font-size: 16px; ">I/charon ( 800): 06[IKE] initiating IKE_SA android[1] to 192.168.121.102</div><div style="font-size: 16px; ">I/charon ( 800): 06[ENC]
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div><div style="font-size: 16px; ">I/charon ( 800): 06[NET] sending packet: from 10.0.2.15[500] to 192.168.121.102[500]</div><div style="font-size: 16px; ">I/charon ( 800): 07[NET] received packet: from 192.168.121.102[500] to 10.0.2.15[500]</div><div style="font-size: 16px; ">I/charon ( 800): 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]</div><div style="font-size: 16px; ">I/charon ( 800): 07[IKE] local host is behind NAT, sending keep alives</div><div style="font-size: 16px; ">I/charon ( 800): 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div style="font-size: 16px; ">I/charon ( 800): 07[IKE] received 1 cert requests for an unknown ca</div><div style="font-size: 16px; ">I/charon ( 800): 07[IKE] sending cert
request for "C=CH, O=strongSwan, CN=strongSwan CA"</div><div style="font-size: 16px; ">I/charon ( 800): 07[IKE] establishing CHILD_SA android</div><div style="font-size: 16px; ">I/charon ( 800): 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]</div><div style="font-size: 16px; ">I/charon ( 800): 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.121.102[4500]</div><div style="font-size: 16px; ">I/charon ( 800): 08[NET] received packet: from 192.168.121.102[4500] to 10.0.2.15[4500]</div><div style="font-size: 16px; ">I/charon ( 800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]</div><div style="font-size: 16px; ">I/charon ( 800): 08[IKE] received AUTHENTICATION_FAILED notify error</div><div style="font-size: 12pt; "><br></div></div></div></div> <div style="font-size:
12pt; font-family: 'times new roman', 'new york', times, serif; "> <div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "> <font size="2" face="Arial"> <hr size="1"> <b><span style="font-weight:bold;">From:</span></b> Andreas Steffen <andreas.steffen@strongswan.org><br> <b><span style="font-weight: bold;">To:</span></b> zhen chen <zchen2711@yahoo.com> <br><b><span style="font-weight: bold;">Cc:</span></b> Tobias Brunner <tobias@strongswan.org>; "users@lists.strongswan.org" <users@lists.strongswan.org> <br> <b><span style="font-weight: bold;">Sent:</span></b> Sunday, November 20, 2011 7:36 AM<br> <b><span style="font-weight: bold;">Subject:</span></b> Re: [strongSwan] Android/Stongswan Integration<br> </font> <br>
Hello Zhen,<br><br>the actual error is<br><br> I/charon ( 362): 07[LIB] found unsupported critical X.509 extension<br> I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed<br><br>if you have a strongswan.conf file on your Android platform<br>please add the entry<br><br>libstrongswan {<br> x509 {<br> enforce_critical = no<br> }<br>}<br><br>You could also try to add the x509 plugin and add it in front of<br>the openssl plugin in the libcharon load list. The x509 plugin$<br>might be able handle the unknown critical extension contained<br>in your certificate.<br><br>Regards<br><br>Andreas<br><br>On 11/20/2011 12:41 AM, zhen chen wrote:<br>> Hi Tobias, <br>> <br>> I followed the procedure to create the CA certificate and imported it to<br>> the Android emulator successfully. <br>> Now after I configure the GW side ipsec.conf. I created a IKEV2 VPN in<br>> the emulator. Then tried to connect
to it: <br>> <br>> the logcat is giving me the foloowing errors:<br>> <br>> D/SProxy_charon( 351): stopping charon, success? true<br>> D/VpnService( 351): Local IP: 10.0.2.15, if: eth0<br>> D/VpnService( 351): VPN UP: down<br>> I/SProxy_charon( 351): Start VPN daemon: charon<br>> D/SProxy_charon( 351): charon is running after 0 msec<br>> D/SProxy_charon( 351): service not yet listen()ing; try again<br>> I/charon ( 362): 00[DMN] loaded plugins: openssl fips-prf random<br>> pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android<br>> eap-identity eap-mschapv2 eap-md5 <br>> I/charon ( 362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid',<br>> process not running<br>> I/charon ( 362): 00[JOB] spawning 16 worker threads<br>> I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1
retry: 4<br>> I/charon ( 362): 07[LIB] found unsupported critical X.509 extension<br>> I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed<br>> I/charon ( 362): 07[LIB] building CRED_CERTIFICATE - X509 failed,<br>> tried 2 builders<br>> I/charon ( 362): 07[CFG] failed to load CA certificate<br>> I/charon ( 362): 07[CFG] using CA certificate, gateway identitiy<br>> '192.168.121.102'<br>> I/charon ( 362): 07[CFG] status of Android plugin changed: 4<br>> <br>> Now it seems like Android is not able to load the certificate I created<br>> using ipsec pki. <br>> Is that because the way I created the CA cert? or something is missing<br>> in the Android charon? <br>> <br>> thanks!<br>> -zhen<br>> <br>> <br>> ------------------------------------------------------------------------<br>> *From:* Tobias Brunner <<a
ymailto="mailto:tobias@strongswan.org" href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>><br>> *To:* zhen chen <<a ymailto="mailto:zchen2711@yahoo.com" href="mailto:zchen2711@yahoo.com">zchen2711@yahoo.com</a>><br>> *Cc:* "<a ymailto="mailto:users@lists.strongswan.org" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>" <<a ymailto="mailto:users@lists.strongswan.org" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>><br>> *Sent:* Tuesday, November 15, 2011 9:52 AM<br>> *Subject:* Re: [strongSwan] Android/Stongswan Integration<br>> <br>> Hello Zhen,<br>> <br>>> I have been trying to bring Strongswan 4.5.3 to Android<br>> <br>> If possible, you should update to 4.6.1 as there are several Android<br>> related improvements included in that release.<br>> <br>>> 1. When I ran charon in adb shell, it started, but said: "android plugin<br>>>
failed to load, can't open android control socket".<br>> <br>> That's because the control socket is only available, if charon gets<br>> started by the patched Android VPN GUI. With 4.6.1 it's possible to use<br>> the plugin even if charon is not started by the GUI.<br>> <br>>> I did some search, the android plugin is something related to DNS.<br>> <br>> That's correct it installs DNS servers received from the gateway where<br>> Android expects them to be (there is no resolv.conf on Android).<br>> <br>>> Question: do i have to to enable this plugin for VPN to work on the<br>>> emulator?<br>> <br>> Only if you need DNS servers installed, or logging via logcat. These<br>> are currently the only two functions provided by the plugin, which are<br>> usable without GUI patch.<br>> <br>>> If so, i did some ./configure --enable-android, it failed<br>>> because it couldn't find a
requied lib.<br>> <br>> Running ./configure won't work. To enable/disable plugins you have to<br>> edit the plugin list in the top <a target="_blank" href="http://Android.mk">Android.mk</a> <<a href="http://Android.mk" target="_blank">http://Android.mk</a>> within<br>> the strongSwan source<br>> tree. But the plugin is enabled anyway, by default, it just can't be<br>> loaded without the control socket provided by the frontend in 4.5.3.<br>> <br>>> 2. In the frontend integration site, it says it needs CA assigned certs,<br>>> quoted below.<br>>> Question: Does the certificate have to be issued by CA? Would<br>>> self-assigned certificate work? I am just playing with it and wouldn't<br>>> want to spend $1500 to buy one from verisign. :(<br>> <br>> Don't worry :) You can absolutely build your own CA (e.g. with the<br>> ipsec pki tool [1]). Just make sure you install
the CA certificate in<br>> the Android certificate store as described on the page you quoted. Then<br>> use this CA to issue a certificate for the gateway you want to test against.<br>> <br>> With 4.6.1 you now have also the option to build starter and stroke<br>> which allows you to use an ipsec.conf based configuration, instead of<br>> using the frontend patch.<br>> <br>> Regards,<br>> Tobias<br>> <br>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA<br>><br>-- <br>======================================================================<br>Andreas Steffen <a ymailto="mailto:andreas.steffen@strongswan.org" href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a target="_blank"
href="http://www.strongswan.org">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br><br><br> </div> </div> </div></body></html>