<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML-forhåndsformatert Tegn";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.EpostStil17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.HTML-forhndsformatertTegn
{mso-style-name:"HTML-forhåndsformatert Tegn";
mso-style-priority:99;
mso-style-link:HTML-forhåndsformatert;
font-family:"Courier New";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=NO-BOK link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think I know this one, I had the same problem.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Found the solution in the mailing list itself:<o:p></o:p></span></p><p class=MsoNormal style='background:white'><i><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";color:black'>strongSwan requires the peer ID to be contained in the certificate<o:p></o:p></span></i></p><p class=MsoNormal style='background:white'><i><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New";color:black'> (either the complete DN, or as a subjectAltName, a matching CN= is<o:p></o:p></span></i></p><p class=MsoNormal style='background:white'><i><span style='font-size:10.0pt;font-family:"Courier New";color:black'>insufficient).<o:p></o:p></span></i></p><p class=MsoNormal style='background:white'><i><span style='font-size:10.0pt;font-family:"Courier New";color:black'><o:p> </o:p></span></i></p><p class=MsoNormal style='background:white'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#4F81BD'>In my case the peer ID turned out to be the IP address itself…..<o:p></o:p></span></p><p class=MsoNormal style='background:white'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#4F81BD'><o:p> </o:p></span></p><p class=MsoNormal style='background:white'><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#4F81BD'>Federico</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#4F81BD'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>Fra:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> users-bounces+federico.mancini=ffi.no@lists.strongswan.org [mailto:users-bounces+federico.mancini=ffi.no@lists.strongswan.org] <b>På vegne av</b> zhen chen<br><b>Sendt:</b> 21. november 2011 04:22<br><b>Til:</b> Andreas Steffen<br><b>Kopi:</b> users@lists.strongswan.org<br><b>Emne:</b> Re: [strongSwan] Android/Stongswan Integration<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>Hi Andreas, <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I loaded the strongswan.conf to the android emulator,the Android is able to load the CA cert successfully. <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Thanks!<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Now I started from the Android emulator and tried to add the IKEv2 IPSec tunnel. I entered the name, address of the GW, then tried to connect. I entered the username/password. The login failed. I checked the ipsec.conf and followed Tobias instruction on wiki. Couldn't find out what I did wrong. I used zhen as the user name in the Android side. <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Thanks in advance!<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>-Zhen <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> <o:p></o:p></span></p></div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>The following is the main error on the GW side: <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA" <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found <o:p></o:p></span></p></div></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>The GW cert DN is: C=CH, O=zhen, CN=emac which I used as the left side id for the gw's ipsec.conf file. <o:p></o:p></span></p></div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>The CA cert DN is: C=CH, O=strongSwan, CN=strongSwan CA<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div></div></div><div><p class=MsoNormal style='background:white'><span style='color:black'>/etc/ipsec.secrets:<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>": RSA peerKey.der<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>zhen : EAP "password"<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>"<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>ipsec.conf file in the GW side (note android is the conn to the android phone): <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>"conn %default<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> ikelifetime=60m<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> keylife=20m<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> rekeymargin=3m<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> keyingtries=1<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> keyexchange=ikev2<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>conn rw<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> right=%any<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> rightid=@192.168.121.101<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> rightsourceip=%dhcp<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> leftfirewall=yes<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> left=192.168.121.102<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> leftsubnet=192.168.2.0/24<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> leftid=@192.168.121.102<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> auto=add<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>conn android<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> leftsubnet=0.0.0.0/0<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> leftcert=peerCert1.der<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> leftauth=pubkey<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> leftid="C=CH, O=zhen, CN=emac"<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> right=%any<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> rightsourceip=%dhcp<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> rightauth=eap-mschapv2<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> rightsendcert=never<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> keyexchange=ikev2<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> eap_identity=%any<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'> auto=add<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>"<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Gateway log: <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw socket-default updown eap-identity eap-md5 farp gtp <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 00[JOB] spawning 16 worker threads <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 06[CFG] received stroke: add connection 'rw' <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 06[CFG] added configuration 'rw' <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 08[CFG] received stroke: add connection 'android' <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 08[CFG] left nor right host is our side, assuming left=local <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 08[CFG] loaded certificate "C=CH, O=zhen, CN=emac" from 'peerCert1.der' <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:51:30 localhost charon: 08[CFG] added configuration 'android' <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[NET] received packet: from 192.168.121.104[60653] to 192.168.121.102[500] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[IKE] 192.168.121.104 is initiating an IKE_SA <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[IKE] remote host is behind NAT <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:25 localhost charon: 10[NET] sending packet: from 192.168.121.102[500] to 192.168.121.104[60653] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[NET] received packet: from 192.168.121.104[34320] to 192.168.121.102[4500] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA" <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[IKE] peer supports MOBIKE <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Nov 20 19:57:26 localhost charon: 11[NET] sending packet: from 192.168.121.102[4500] to 192.168.121.104[34320] <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>Android adb logcat: <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div><div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/SProxy_charon( 351): Start VPN daemon: charon<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>D/SProxy_charon( 351): charon is running after 0 msec<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>D/SProxy_charon( 351): service not yet listen()ing; try again<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5 <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 00[JOB] spawning 16 worker threads<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 06[CFG] using CA certificate, gateway identitiy '192.168.121.102'<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 06[CFG] status of Android plugin changed: 4<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/SProxy_charon( 351): got data from control socket: 4<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 06[IKE] initiating IKE_SA android[1] to 192.168.121.102<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 06[NET] sending packet: from 10.0.2.15[500] to 192.168.121.102[500]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[NET] received packet: from 192.168.121.102[500] to 10.0.2.15[500]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[IKE] local host is behind NAT, sending keep alives<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[IKE] received 1 cert requests for an unknown ca<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[IKE] establishing CHILD_SA android<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.121.102[4500]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 08[NET] received packet: from 192.168.121.102[4500] to 10.0.2.15[4500]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'>I/charon ( 800): 08[IKE] received AUTHENTICATION_FAILED notify error<o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div></div></div></div><div><div><div class=MsoNormal align=center style='text-align:center;background:white'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div><p class=MsoNormal style='margin-bottom:12.0pt;background:white'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>From:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'> Andreas Steffen <andreas.steffen@strongswan.org><br><b>To:</b> zhen chen <zchen2711@yahoo.com> <br><b>Cc:</b> Tobias Brunner <tobias@strongswan.org>; "users@lists.strongswan.org" <users@lists.strongswan.org> <br><b>Sent:</b> Sunday, November 20, 2011 7:36 AM<br><b>Subject:</b> Re: [strongSwan] Android/Stongswan Integration<br></span><span style='color:black'><br>Hello Zhen,<br><br>the actual error is<br><br>I/charon ( 362): 07[LIB] found unsupported critical X.509 extension<br>I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed<br><br>if you have a strongswan.conf file on your Android platform<br>please add the entry<br><br>libstrongswan {<br> x509 {<br> enforce_critical = no<br> }<br>}<br><br>You could also try to add the x509 plugin and add it in front of<br>the openssl plugin in the libcharon load list. The x509 plugin$<br>might be able handle the unknown critical extension contained<br>in your certificate.<br><br>Regards<br><br>Andreas<br><br>On 11/20/2011 12:41 AM, zhen chen wrote:<br>> Hi Tobias, <br>> <br>> I followed the procedure to create the CA certificate and imported it to<br>> the Android emulator successfully. <br>> Now after I configure the GW side ipsec.conf. I created a IKEV2 VPN in<br>> the emulator. Then tried to connect to it: <br>> <br>> the logcat is giving me the foloowing errors:<br>> <br>> D/SProxy_charon( 351): stopping charon, success? true<br>> D/VpnService( 351): Local IP: 10.0.2.15, if: eth0<br>> D/VpnService( 351): VPN UP: down<br>> I/SProxy_charon( 351): Start VPN daemon: charon<br>> D/SProxy_charon( 351): charon is running after 0 msec<br>> D/SProxy_charon( 351): service not yet listen()ing; try again<br>> I/charon ( 362): 00[DMN] loaded plugins: openssl fips-prf random<br>> pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android<br>> eap-identity eap-mschapv2 eap-md5 <br>> I/charon ( 362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid',<br>> process not running<br>> I/charon ( 362): 00[JOB] spawning 16 worker threads<br>> I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4<br>> I/charon ( 362): 07[LIB] found unsupported critical X.509 extension<br>> I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed<br>> I/charon ( 362): 07[LIB] building CRED_CERTIFICATE - X509 failed,<br>> tried 2 builders<br>> I/charon ( 362): 07[CFG] failed to load CA certificate<br>> I/charon ( 362): 07[CFG] using CA certificate, gateway identitiy<br>> '192.168.121.102'<br>> I/charon ( 362): 07[CFG] status of Android plugin changed: 4<br>> <br>> Now it seems like Android is not able to load the certificate I created<br>> using ipsec pki. <br>> Is that because the way I created the CA cert? or something is missing<br>> in the Android charon? <br>> <br>> thanks!<br>> -zhen<br>> <br>> <br>> ------------------------------------------------------------------------<br>> *From:* Tobias Brunner <<a href="mailto:tobias@strongswan.org">tobias@strongswan.org</a>><br>> *To:* zhen chen <<a href="mailto:zchen2711@yahoo.com">zchen2711@yahoo.com</a>><br>> *Cc:* "<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>" <<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a>><br>> *Sent:* Tuesday, November 15, 2011 9:52 AM<br>> *Subject:* Re: [strongSwan] Android/Stongswan Integration<br>> <br>> Hello Zhen,<br>> <br>>> I have been trying to bring Strongswan 4.5.3 to Android<br>> <br>> If possible, you should update to 4.6.1 as there are several Android<br>> related improvements included in that release.<br>> <br>>> 1. When I ran charon in adb shell, it started, but said: "android plugin<br>>> failed to load, can't open android control socket".<br>> <br>> That's because the control socket is only available, if charon gets<br>> started by the patched Android VPN GUI. With 4.6.1 it's possible to use<br>> the plugin even if charon is not started by the GUI.<br>> <br>>> I did some search, the android plugin is something related to DNS.<br>> <br>> That's correct it installs DNS servers received from the gateway where<br>> Android expects them to be (there is no resolv.conf on Android).<br>> <br>>> Question: do i have to to enable this plugin for VPN to work on the<br>>> emulator?<br>> <br>> Only if you need DNS servers installed, or logging via logcat. These<br>> are currently the only two functions provided by the plugin, which are<br>> usable without GUI patch.<br>> <br>>> If so, i did some ./configure --enable-android, it failed<br>>> because it couldn't find a requied lib.<br>> <br>> Running ./configure won't work. To enable/disable plugins you have to<br>> edit the plugin list in the top <a href="http://Android.mk" target="_blank">Android.mk</a> <<a href="http://Android.mk" target="_blank">http://Android.mk</a>> within<br>> the strongSwan source<br>> tree. But the plugin is enabled anyway, by default, it just can't be<br>> loaded without the control socket provided by the frontend in 4.5.3.<br>> <br>>> 2. In the frontend integration site, it says it needs CA assigned certs,<br>>> quoted below.<br>>> Question: Does the certificate have to be issued by CA? Would<br>>> self-assigned certificate work? I am just playing with it and wouldn't<br>>> want to spend $1500 to buy one from verisign. :(<br>> <br>> Don't worry :) You can absolutely build your own CA (e.g. with the<br>> ipsec pki tool [1]). Just make sure you install the CA certificate in<br>> the Android certificate store as described on the page you quoted. Then<br>> use this CA to issue a certificate for the gateway you want to test against.<br>> <br>> With 4.6.1 you now have also the option to build starter and stroke<br>> which allows you to use an ipsec.conf based configuration, instead of<br>> using the frontend patch.<br>> <br>> Regards,<br>> Tobias<br>> <br>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA<br>><br>-- <br>======================================================================<br>Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br><br><o:p></o:p></span></p></div></div></div></div></body></html>