Yes Andreas, that worked straight away. Thanks.<br><br>However, I am further facing two problems. First, in my configuration, I get a dynamic IP for my Android client, whereas in my ipsec.conf on Android I am giving a fixed IP address in the "left" field. When I use "left=%defaultroute", I get the following error:<br>
<br><div style="margin-left:40px"># ipsec starter<br>uname: not found<br>uname: not found<br>[: not found<br>Starting strongSwan 4.6.1 IPsec [starter]...<br>removing pidfile '/data/misc/vpn/charon.pid', process not running<br>
%defaultroute not supported, fallback to %any<br>modprobe: not found<br>modprobe: not found<br>modprobe: not found<br>modprobe: not found<br>modprobe: not found<br>removing pidfile '/data/misc/vpn/starter.pid', process not running<br>
# <br># <br># <br># ipsec stroke up android<br>uname: not found<br>uname: not found<br>[: not found<br>initiating IKE_SA android[1] to 192.168.1.154<br>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
sending packet: from 192.168.1.5[500] to 192.168.1.154[500]<br>received packet: from 192.168.1.154[500] to 192.168.1.5[500]<br>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>sending cert request for "C=UK, CN=nits"<br>
establishing CHILD_SA android<br>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>sending packet: from 192.168.1.5[4500] to 192.168.1.154[4500]<br>
received packet: from 192.168.1.154[500] to 192.168.1.5[500]<br>parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]<br>received INVALID_SYNTAX notify error<br><br></div>LOGCAT::<br>======<br><div style="margin-left:40px">I/charon ( 466): 00[CFG] loading ca certificates from '/system/etc/ipsec.d/cacerts'<br>
I/charon ( 466): 00[CFG] loaded ca certificate "C=UK, CN=nits" from '/system/etc/ipsec.d/cacerts/strongswanCert.pem'<br>I/charon ( 466): 00[CFG] loading aa certificates from '/system/etc/ipsec.d/aacerts'<br>
I/charon ( 466): 00[LIB] opening directory '/system/etc/ipsec.d/aacerts' failed: No such file or directory<br>I/charon ( 466): 00[CFG] reading directory failed<br>I/charon ( 466): 00[CFG] loading ocsp signer certificates from '/system/etc/ipsec.d/ocspcerts'<br>
I/charon ( 466): 00[LIB] opening directory '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory<br>I/charon ( 466): 00[CFG] reading directory failed<br>I/charon ( 466): 00[CFG] loading attribute certificates from '/system/etc/ipsec.d/acerts'<br>
I/charon ( 466): 00[LIB] opening directory '/system/etc/ipsec.d/acerts' failed: No such file or directory<br>I/charon ( 466): 00[CFG] reading directory failed<br>I/charon ( 466): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'<br>
I/charon ( 466): 00[LIB] opening directory '/system/etc/ipsec.d/crls' failed: No such file or directory<br>I/charon ( 466): 00[CFG] reading directory failed<br>I/charon ( 466): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'<br>
I/charon ( 466): 00[CFG] loaded EAP secret for deepika<br>I/charon ( 466): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android stroke eap-identity eap-mschapv2 eap-md5 <br>
I/charon ( 466): 00[JOB] spawning 16 worker threads<br>I/charon ( 466): 10[CFG] received stroke: add connection 'android'<br>I/charon ( 466): 10[CFG] left nor right host is our side, assuming left=local<br>
I/charon ( 466): 10[CFG] added configuration 'android'<br>
I/charon ( 466): 03[CFG] received stroke: initiate 'android'<br>I/charon ( 466): 13[IKE] initiating IKE_SA android[1] to 192.168.1.154<br>I/charon ( 466): 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
I/charon ( 466): 13[NET] sending packet: from 192.168.1.5[500] to 192.168.1.154[500]<br>I/charon ( 466): 14[NET] received packet: from 192.168.1.154[500] to 192.168.1.5[500]<br>I/charon ( 466): 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
I/charon ( 466): 14[IKE] sending cert request for "C=UK, CN=nits"<br>I/charon ( 466): 14[IKE] establishing CHILD_SA android<br>I/charon ( 466): 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
I/charon ( 466): 14[NET] sending packet: from 192.168.1.5[4500] to 192.168.1.154[4500]<br>I/charon ( 466): 15[NET] received packet: from 192.168.1.154[500] to 192.168.1.5[500]<br>I/charon ( 466): 15[ENC] parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]<br>
I/charon ( 466): 15[IKE] received INVALID_SYNTAX notify error<br></div><br>SYSLOG at server:<br>==============<br><br><div style="margin-left: 40px;">Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[MGR] checkout IKE_SA by message<br>
<br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[MGR] created IKE_SA (unnamed)[4]<br><br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[NET] received packet: from 192.168.1.5[500] to 192.168.1.154[500]<br><br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
<br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] looking for an ike config for 192.168.1.154...192.168.1.5<br><br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] candidate: 192.168.1.154...%any, prio 5<br>
<br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] found matching ike config: 192.168.1.154...%any with prio 5<br><br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] 192.168.1.5 is initiating an IKE_SA<br><br>
Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] 192.168.1.5 is initiating an IKE_SA<br><br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] IKE_SA (unnamed)[4] state change: CREATED => CONNECTING<br><br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] selecting proposal:<br>
<br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] proposal matches<br><br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160<br>
<br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160<br>
<br>Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
<br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[NET] sending packet: from 192.168.1.154[500] to 192.168.1.5[500]<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[MGR] checkin IKE_SA (unnamed)[4]<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[MGR] check-in of IKE_SA successful.<br>
<br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] checkout IKE_SA by message<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] IKE_SA (unnamed)[4] successfully checked out<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[NET] received packet: from 192.168.1.5[4500] to 192.168.1.154[4500]<br>
<br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] received ID with reserved type 0<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] ID_INITIATOR verification failed<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] could not decrypt payloads<br>
<br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[IKE] message verification failed<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[NET] sending packet: from 192.168.1.154[500] to 192.168.1.5[500]<br>
<br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[IKE] IKE_AUTH request with message ID 1 processing failed<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] checkin IKE_SA (unnamed)[4]<br><br>Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] check-in of IKE_SA successful.<br>
<br>Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] checkout IKE_SA<br><br>Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] IKE_SA (unnamed)[4] successfully checked out<br><br>Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[JOB] deleting half open IKE_SA after timeout<br>
<br>Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] checkin and destroy IKE_SA (unnamed)[4]<br><br>Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[IKE] IKE_SA (unnamed)[4] state change: CONNECTING => DESTROYING<br>
<br>Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] check-in and destroy of IKE_SA successful<br></div><br>Does that mean "defaultroute" does not work on Android? Every time I get a different IP from the gateway, do I have to modify the ipsec.conf?<br>
<br>My second problem is that since the ipsec stop command does not work directly, I have to restart the phone every time I make changes in ipsec.conf. Is there any way to avoid the restart in Android?<br><br>My apologies for bothering you with so many questions.<br>
<br>Regards,<br>Nitin<br><br><br><br><br><div class="gmail_quote">On Mon, Nov 21, 2011 at 5:51 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Nitin,<br>
<br>
on the Android side add<br>
<br>
leftsourceip=%config<br>
<br>
to the connection definition in ipsec.conf.<br>
<br>
Regards<br>
<br>
Andreas<br>
<div><br>
On 21.11.2011 12:38, Nitin Verma wrote:<br>
> Hi Andreas,<br>
> Thanks for the quick reply. It solved the problem.<br>
> Now at the Android:<br>
><br>
> # ipsec stroke status<br>
> uname: not found<br>
> uname: not found<br>
> [: not found<br>
> Security Associations (1 up, 0 connecting):<br>
> android[2]: ESTABLISHED 6 minutes ago,<br>
> 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]<br>
> android{1}: INSTALLED, TUNNEL, ESP SPIs: c5974d0b_i c8a59239_o<br>
</div>> android{1}: 192.168.1.2/32 ===<br>
> 192.168.1.154/32<br>
<div><div></div><div>> #<br>
><br>
> # ipsec stroke up android<br>
> uname: not found<br>
> uname: not found<br>
> [: not found<br>
> initiating IKE_SA android[2] to 192.168.1.154<br>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
> sending packet: from 192.168.1.2[500] to 192.168.1.154[500]<br>
> received packet: from 192.168.1.154[500] to 192.168.1.2[500]<br>
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)<br>
> N(MULT_AUTH) ]<br>
> sending cert request for "C=UK, CN=nits"<br>
> establishing CHILD_SA android<br>
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS)<br>
> SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]<br>
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]<br>
> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]<br>
> received end entity cert "C=UK, CN=nits"<br>
> using certificate "C=UK, CN=nits"<br>
> using trusted ca certificate "C=UK, CN=nits"<br>
> reached self-signed root ca with a path length of 0<br>
> authentication of '192.168.1.154' with RSA signature successful<br>
> server requested EAP_IDENTITY (id 0x00), sending 'deepika'<br>
> generating IKE_AUTH request 2 [ EAP/RES/ID ]<br>
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]<br>
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]<br>
> parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]<br>
> server requested EAP_MSCHAPV2 authentication (id 0x79)<br>
> generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]<br>
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]<br>
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]<br>
> parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]<br>
> EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'<br>
> generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]<br>
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]<br>
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]<br>
> parsed IKE_AUTH response 4 [ EAP/SUCC ]<br>
> EAP method EAP_MSCHAPV2 succeeded, MSK established<br>
> authentication of '192.168.1.2' (myself) with EAP<br>
> generating IKE_AUTH request 5 [ AUTH ]<br>
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]<br>
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]<br>
> parsed IKE_AUTH response 5 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)<br>
> N(NO_ADD_ADDR) ]<br>
> authentication of '192.168.1.154' with EAP successful<br>
> IKE_SA android[2] established between<br>
> 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]<br>
> scheduling reauthentication in 3362s<br>
> maximum IKE_SA lifetime 3542s<br>
><br>
> I noticed that it doesn't request for virtual ip as it asked when I used<br>
> the front-end related changes. Is that possible to request for the<br>
> virtual ip also?<br>
><br>
> Thanks again.<br>
> Regards,<br>
> Nitin<br>
><br>
><br>
> On Mon, Nov 21, 2011 at 4:19 PM, Andreas Steffen<br>
</div></div>> <<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>><br>
<div>> wrote:<br>
><br>
> Hello Nitin,<br>
><br>
> your ubuntu server does not initiate EAP-Identity. Therefore<br>
> the EAP-MSCHAPv2 authentication requested is for IKEv2 user<br>
> identity 192.168.1.2 and not for EAP identity deepika.<br>
><br>
> You should change the ubuntu server entry to<br>
><br>
> eap_identity=%any<br>
><br>
> and make sure that you enabled, built and loaded the eap_identity<br>
> plugin.<br>
><br>
> Regards<br>
><br>
> Andreas<br>
><br>
> On 21.11.2011 10:56, Nitin Verma wrote:<br>
> > Hi,<br>
> > I have been able to successfully establish IPSec IKEv2 tunnel between<br>
> > Nexus S (running 2.3.5_r1) and a ubuntu server. However, the latest<br>
> > 4.6.1 release supports starter and stroke executables at Android and I<br>
> > am trying to establish the same connection using ipsec.conf and<br>
> > ipsec.secrets.<br>
> ><br>
> > My server side configuration is:<br>
> > ======================<br>
> ><br>
</div>> > server IP: 192.168.1.154<br>
<div><div></div><div>> ><br>
> > ipsec.conf:<br>
> ><br>
> > config setup<br>
> > crlcheckinterval=180<br>
> > strictcrlpolicy=no<br>
> > plutostart=no<br>
> > charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"<br>
> ><br>
> > conn %default<br>
> > ikelifetime=60m<br>
> > keylife=20m<br>
> > rekeymargin=3m<br>
> > keyingtries=1<br>
> > keyexchange=ikev2<br>
> > # leftcert=moonCert.pem<br>
> ><br>
> > # Add connections here.<br>
> ><br>
> > conn android<br>
> > left=192.168.1.154<br>
> > leftid=192.168.1.154<br>
> > leftcert=moonCert.pem<br>
> > leftauth=pubkey<br>
> > right=%any<br>
> > rightsourceip=10.0.5.0/24<br>
> > rightauth=eap-mschapv2<br>
> > rightsendcert=never<br>
> > eap_identity=deepika<br>
> > auto=add<br>
> ><br>
> > ipsec.secrets:<br>
> ><br>
> > : RSA moonKey.pem<br>
> ><br>
> > deepika : EAP "deepika"<br>
> ><br>
> > Configuration at Nexus S (Android 2.3.5_r1):<br>
> > ================================<br>
> ><br>
> > I manually created "ipsec.d" directory in /system/etc/ and put my ca<br>
> > certificate in cacerts there, and then created ipsec.conf and<br>
> > ipsec.secrets in /system/etc/<br>
> ><br>
> > /system/etc/ipsec.conf<br>
> ><br>
> > config setup<br>
> > plutostart=no<br>
> > charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"<br>
> ><br>
> > conn %default<br>
> > ikelifetime=60m<br>
> > keylife=20m<br>
> > rekeymargin=3m<br>
> > keyingtries=1<br>
> > keyexchange=ikev2<br>
> ><br>
> > # Add connections here.<br>
> ><br>
> > # Sample VPN connections<br>
> ><br>
> > conn android<br>
> > left=192.168.1.2<br>
> > leftauth=eap<br>
> > eap_identity=deepika<br>
> > right=192.168.1.154<br>
> > rightid=192.168.1.154<br>
> > rightauth=pubkey<br>
> > auto=add<br>
> ><br>
> > /system/etc/ipsec.secrets<br>
> ><br>
> > deepika : EAP "deepika"<br>
> ><br>
> ><br>
> ><br>
> > But when I start the connection I am getting the following error:<br>
> ><br>
> > # ipsec stroke up android<br>
> > uname: not found<br>
> > uname: not found<br>
> > [: not found<br>
> > initiating IKE_SA android[2] to 192.168.1.154<br>
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)<br>
> N(NATD_D_IP) ]<br>
> > sending packet: from 192.168.1.2[500] to 192.168.1.154[500]<br>
> > received packet: from 192.168.1.154[500] to 192.168.1.2[500]<br>
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)<br>
> > N(MULT_AUTH) ]<br>
> > sending cert request for "C=UK, CN=nits"<br>
> > establishing CHILD_SA android<br>
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr<br>
> CP(DNS)<br>
> > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
> > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]<br>
> > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]<br>
> > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]<br>
> > received end entity cert "C=UK, CN=nits"<br>
> > using certificate "C=UK, CN=nits"<br>
> > using trusted ca certificate "C=UK, CN=nits"<br>
> > reached self-signed root ca with a path length of 0<br>
> > authentication of '192.168.1.154' with RSA signature successful<br>
> > server requested EAP_MSCHAPV2 authentication (id 0x75)<br>
> > no EAP key found for hosts '192.168.1.154' - '192.168.1.2'<br>
> > EAP_MSCHAPV2 method failed<br>
> ><br>
> ><br>
> > Output of logcat:<br>
> ><br>
> > I/charon ( 469): 00[CFG] loading ca certificates from<br>
> > '/system/etc/ipsec.d/cacerts'<br>
> > I/charon ( 469): 00[CFG] loaded ca certificate "C=UK, CN=nits"<br>
> from<br>
> > '/system/etc/ipsec.d/cacerts/strongswanCert.pem'<br>
> > I/charon ( 469): 00[CFG] loading aa certificates from<br>
> > '/system/etc/ipsec.d/aacerts'<br>
> > I/charon ( 469): 00[LIB] opening directory<br>
> > '/system/etc/ipsec.d/aacerts' failed: No such file or directory<br>
> > I/charon ( 469): 00[CFG] reading directory failed<br>
> > I/charon ( 469): 00[CFG] loading ocsp signer certificates from<br>
> > '/system/etc/ipsec.d/ocspcerts'<br>
> > I/charon ( 469): 00[LIB] opening directory<br>
> > '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory<br>
> > I/charon ( 469): 00[CFG] reading directory failed<br>
> > I/charon ( 469): 00[CFG] loading attribute certificates from<br>
> > '/system/etc/ipsec.d/acerts'<br>
> > I/charon ( 469): 00[LIB] opening directory<br>
> > '/system/etc/ipsec.d/acerts' failed: No such file or directory<br>
> > I/charon ( 469): 00[CFG] reading directory failed<br>
> > I/charon ( 469): 00[CFG] loading crls from<br>
> '/system/etc/ipsec.d/crls'<br>
> > I/charon ( 469): 00[LIB] opening directory<br>
> '/system/etc/ipsec.d/crls'<br>
> > failed: No such file or directory<br>
> > I/charon ( 469): 00[CFG] reading directory failed<br>
> > I/charon ( 469): 00[CFG] loading secrets from<br>
> '/system/etc/ipsec.secrets'<br>
> > I/charon ( 469): 00[CFG] loaded EAP secret for deepika<br>
> > I/charon ( 469): 00[DMN] loaded plugins: openssl fips-prf random<br>
> > pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android<br>
> stroke<br>
> > eap-identity eap-mschapv2 eap-md5<br>
> > I/charon ( 469): 00[JOB] spawning 16 worker threads<br>
> > I/charon ( 469): 11[CFG] received stroke: add connection 'android'<br>
> > I/charon ( 469): 11[CFG] added configuration 'android'<br>
> ><br>
> > I/charon ( 469): 12[CFG] received stroke: initiate 'android'<br>
> > I/charon ( 469): 14[IKE] initiating IKE_SA android[1] to<br>
> 192.168.1.154<br>
> > I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No<br>
> > N(NATD_S_IP) N(NATD_D_IP) ]<br>
> > I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to<br>
> > 192.168.1.154[500]<br>
> > D/GpsLocationProvider( 107): NTP server returned: 1321866231250 (Mon<br>
> > Nov 21 09:03:51 GMT+00:00 2011) reference: 318100 certainty: 337<br>
> system<br>
> > time offset: -20070741<br>
> > I/charon ( 469): 15[IKE] retransmit 1 of request with message ID 0<br>
> > I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[500] to<br>
> > 192.168.1.154[500]<br>
> > I/charon ( 469): 03[IKE] retransmit 2 of request with message ID 0<br>
> > I/charon ( 469): 03[NET] sending packet: from 192.168.1.2[500] to<br>
> > 192.168.1.154[500]<br>
> > I/charon ( 469): 16[IKE] retransmit 3 of request with message ID 0<br>
> > I/charon ( 469): 16[NET] sending packet: from 192.168.1.2[500] to<br>
> > 192.168.1.154[500]<br>
> > I/charon ( 469): 02[NET] received packet: from 192.168.1.154[500] to<br>
> > 192.168.1.2[500]<br>
> > I/charon ( 469): 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No<br>
> > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
> > I/charon ( 469): 02[IKE] sending cert request for "C=UK, CN=nits"<br>
> > I/charon ( 469): 02[IKE] establishing CHILD_SA android<br>
> > I/charon ( 469): 02[ENC] generating IKE_AUTH request 1 [ IDi<br>
> > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)<br>
> > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
> > I/charon ( 469): 02[NET] sending packet: from 192.168.1.2[4500] to<br>
> > 192.168.1.154[4500]<br>
> > I/charon ( 469): 01[NET] received packet: from<br>
> 192.168.1.154[4500] to<br>
> > 192.168.1.2[4500]<br>
> > I/charon ( 469): 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH<br>
> > EAP/REQ/MSCHAPV2 ]<br>
> > I/charon ( 469): 01[IKE] received end entity cert "C=UK, CN=nits"<br>
> > I/charon ( 469): 01[CFG] using certificate "C=UK, CN=nits"<br>
> > I/charon ( 469): 01[CFG] using trusted ca certificate "C=UK,<br>
> CN=nits"<br>
> > I/charon ( 469): 01[CFG] reached self-signed root ca with a path<br>
> > length of 0<br>
> > I/charon ( 469): 01[IKE] authentication of '192.168.1.154' with RSA<br>
> > signature successful<br>
> > I/charon ( 469): 01[IKE] server requested EAP_MSCHAPV2<br>
> authentication<br>
> > (id 0xFD)<br>
> > I/charon ( 469): 01[IKE] no EAP key found for hosts<br>
> '192.168.1.154' -<br>
> > '192.168.1.2'<br>
> > I/charon ( 469): 01[IKE] EAP_MSCHAPV2 method failed<br>
> > I/dalvikvm( 164): Total arena pages for JIT: 11<br>
> > I/charon ( 469): 11[CFG] received stroke: initiate 'android'<br>
> > I/charon ( 469): 14[IKE] initiating IKE_SA android[2] to<br>
> 192.168.1.154<br>
> > I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No<br>
> > N(NATD_S_IP) N(NATD_D_IP) ]<br>
> > I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to<br>
> > 192.168.1.154[500]<br>
> > I/charon ( 469): 15[NET] received packet: from 192.168.1.154[500] to<br>
> > 192.168.1.2[500]<br>
> > I/charon ( 469): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No<br>
> > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
> > I/charon ( 469): 15[IKE] sending cert request for "C=UK, CN=nits"<br>
> > I/charon ( 469): 15[IKE] establishing CHILD_SA android<br>
> > I/charon ( 469): 15[ENC] generating IKE_AUTH request 1 [ IDi<br>
> > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)<br>
> > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
> > I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[4500] to<br>
> > 192.168.1.154[4500]<br>
> > I/charon ( 469): 03[NET] received packet: from<br>
> 192.168.1.154[4500] to<br>
> > 192.168.1.2[4500]<br>
> > I/charon ( 469): 03[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH<br>
> > EAP/REQ/MSCHAPV2 ]<br>
> > I/charon ( 469): 03[IKE] received end entity cert "C=UK, CN=nits"<br>
> > I/charon ( 469): 03[CFG] using certificate "C=UK, CN=nits"<br>
> > I/charon ( 469): 03[CFG] using trusted ca certificate "C=UK,<br>
> CN=nits"<br>
> > I/charon ( 469): 03[CFG] reached self-signed root ca with a path<br>
> > length of 0<br>
> > I/charon ( 469): 03[IKE] authentication of '192.168.1.154' with RSA<br>
> > signature successful<br>
> > I/charon ( 469): 03[IKE] server requested EAP_MSCHAPV2<br>
> authentication<br>
> > (id 0x75)<br>
> > I/charon ( 469): 03[IKE] no EAP key found for hosts<br>
> '192.168.1.154' -<br>
> > '192.168.1.2'<br>
> > I/charon ( 469): 03[IKE] EAP_MSCHAPV2 method failed<br>
> ><br>
> > Am I missing something or there are some issues with the release?<br>
> ><br>
> > Thanks in advance.<br>
> > Regards,<br>
<br>
======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</div></div></blockquote></div><br>
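Added example, not part of the original thread and not strongSwan code: a small Python triage of the bracketed payload summaries charon prints, flagging the three symptoms visible in this thread's logs (an EAP method requested with no prior EAP/REQ/ID, a first IKE_AUTH request whose CP payload lacks ADDR, and an N(INVAL_SYN) reply). The function names and finding labels are made up for illustration; the sample lines are abridged from the logs quoted above.

```python
import re

# charon summary lines look like:
#   parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
MSG_RE = re.compile(
    r"(generating|parsed) (IKE_SA_INIT|IKE_AUTH) (request|response) (\d+) "
    r"\[ ([^\]]*)\]"
)
# A payload token may carry a parenthesised list with spaces: CP(ADDR DNS)
TOKEN_RE = re.compile(r"[^\s()]+(?:\([^)]*\))?")
# Only the error notify that appears in this thread; extend as needed.
ERROR_NOTIFIES = {"N(INVAL_SYN)": "INVALID_SYNTAX"}

# Sample logs, abridged from the thread (one side's log per sample).
FIRST_ATTEMPT = """
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS)
 SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
"""
AFTER_EAP_IDENTITY_ANY = """
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS)
 SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
generating IKE_AUTH request 2 [ EAP/RES/ID ]
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
"""
WITH_LEFT_ANY = """
I/charon ( 466): 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
I/charon ( 466): 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
I/charon ( 466): 15[ENC] parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
"""


def parse_messages(log_text):
    """Return one dict per IKE message summary found in one side's log."""
    # Mail clients fold long lines; collapse whitespace so a payload list
    # split across lines still matches.
    flat = " ".join(log_text.split())
    return [
        {"exchange": exch, "kind": kind, "mid": int(mid),
         "payloads": TOKEN_RE.findall(body)}
        for _verb, exch, kind, mid, body in MSG_RE.findall(flat)
    ]


def triage(log_text):
    """Return finding labels in the order the symptoms appear in the log."""
    findings = []
    eap_seen = False
    for msg in parse_messages(log_text):
        payloads = msg["payloads"]
        if msg["exchange"] == "IKE_SA_INIT":
            if msg["kind"] == "request":
                eap_seen = False  # a new connection attempt starts here
            continue
        if msg["kind"] == "request" and msg["mid"] == 1:
            # A virtual IP is requested only if some CP payload lists ADDR.
            wants_addr = any(
                p.startswith("CP(") and "ADDR" in p[3:-1].split()
                for p in payloads
            )
            if not wants_addr:
                findings.append("no-virtual-ip-request")
        if msg["kind"] == "response":
            for p in payloads:
                if p.startswith("EAP/REQ/") and not eap_seen:
                    eap_seen = True
                    # First EAP request is a method, not EAP-Identity.
                    if p != "EAP/REQ/ID":
                        findings.append("eap-method-without-identity")
                elif p in ERROR_NOTIFIES:
                    findings.append("notify-error:" + ERROR_NOTIFIES[p])
    return findings


if __name__ == "__main__":
    for name in ("FIRST_ATTEMPT", "AFTER_EAP_IDENTITY_ANY", "WITH_LEFT_ANY"):
        print(name, triage(globals()[name]))
```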