Hi,

I have been trying to establish an IKEv2 tunnel and encrypt traffic using manual SAs on Android.

Details of my setup:
==============
Android device: strongSwan client. The virtual IP is configured in ipsec.conf as 192.168.3.3.
AP_2: subnet 192.168.2.0/24: trusted network connected to the server (traffic to which need not go via the IKEv2 tunnel).
AP_3: subnet 192.168.3.0/24: untrusted network connected to the server (traffic to which needs to be encrypted).
strongSwan server: IP 192.168.1.154


Steps followed:
1. I established the SAs first and then inserted the policies manually using ip xfrm:

   ip xfrm policy add dir out src 192.168.3.3/32 dst 192.168.1.154/32 proto any priority 1000 \
       tmpl src 192.168.3.3 dst 192.168.1.154 proto esp mode tunnel reqid 1 level required
   ip xfrm policy add dir in src 192.168.1.154/32 dst 192.168.3.3/32 proto any priority 1000 \
       tmpl src 192.168.1.154 dst 192.168.3.3 proto esp mode tunnel reqid 1 level required
   ip xfrm policy add dir fwd src 192.168.1.154/32 dst 192.168.3.3/32 proto any priority 1000 \
       tmpl src 192.168.1.154 dst 192.168.3.3 proto esp mode tunnel reqid 1 level required

2. Based on the policies, when traffic (a ping to the strongSwan server) goes via the trusted network (device connected to AP_2) it remains in plaintext, while when it goes via the untrusted network (device connected to AP_3) it gets encrypted and goes via the IKEv2 tunnel.

3. After 4-5 iterations (random), when the device gets connected to the untrusted network from the trusted one, it could not ping the server. At that time the outputs of ip xfrm were as follows:

   root@android:/ # ip xfrm state
   src 192.168.1.154 dst 192.168.2.221
   	proto esp spi 0xc1b76809 reqid 1 mode tunnel
   	replay-window 0
   	sel src 192.168.1.154/32 dst 192.168.2.221/32
   src 192.168.3.3 dst 192.168.1.154
   	proto esp spi 0x00000000 reqid 1 mode tunnel
   	replay-window 0
   FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
   	sel src 192.168.3.3/32 dst 192.168.1.154/32 proto 1 type 8 code 0 dev if9
   src 192.168.2.221 dst 192.168.1.154
   	proto esp spi 0xcf855e44 reqid 1 mode tunnel
   	replay-window 32 flag af-unspec
   	auth hmac(sha1) 0x92fde1dda8670763873e3363a658d58e62ef86f6
   	enc cbc(aes) 0x03ad19ca7a51632bb1fde65f7d1b1440
   	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
   src 192.168.1.154 dst 192.168.2.221
   	proto esp spi 0xc49b5eaf reqid 1 mode tunnel
   	replay-window 32 flag af-unspec
   	auth hmac(sha1) 0xc6b568b5222c9f4d6e8bb7c36d973310f6d2b8f0
   	enc cbc(aes) 0xf32902e01155cc106b89ef711a131db1
   	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

   root@android:/data/local/tmp # ping 192.168.1.154
   connect: Network is unreachable
   root@android:/data/local/tmp # ping 192.168.1.154
   connect: Network is unreachable
   root@android:/data/local/tmp # ping 192.168.1.154
   connect: Network is unreachable
   root@android:/data/local/tmp # ping 192.168.1.154
   connect: Network is unreachable

   root@android:/data/local/tmp # iptables -L -v
   Chain INPUT (policy ACCEPT 1155 packets, 109K bytes)
    pkts bytes target     prot opt in     out     source       destination
       0     0            all  --  !lo+   any     anywhere     anywhere     ! quota globalAlert: 2097152 bytes
      32  2304 ACCEPT     all  --  lo     any     anywhere     anywhere
     109 18460            all  --  any    any     anywhere     anywhere     owner socket exists

   Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source       destination

   Chain OUTPUT (policy ACCEPT 2048 packets, 163K bytes)
    pkts bytes target     prot opt in     out     source       destination
       0     0            all  --  any    !lo+    anywhere     anywhere     ! quota globalAlert: 2097152 bytes
      32  2304 ACCEPT     all  --  any    lo      anywhere     anywhere
    2048  163K            all  --  any    any     anywhere     anywhere     owner socket exists

   Chain costly_shared (0 references)
    pkts bytes target       prot opt in     out     source       destination
       0     0 penalty_box  all  --  any    any     anywhere     anywhere
       0     0              all  --  any    any     anywhere     anywhere     owner socket exists
       0     0 ACCEPT       all  --  any    any     anywhere     anywhere

   Chain penalty_box (1 references)
    pkts bytes target     prot opt in     out     source       destination

4. After some time, the entries shown by 'ip xfrm state' get cleared, but the network remains unreachable.

   root@android:/data/local/tmp # ping 192.168.1.154
   connect: Network is unreachable

5. At this moment, when I selected AP_2 for the device, it started to ping the network again.

6. When I selected the untrusted AP_3 now, the IKEv2 SAs got established again and the ping messages started going in ESP.

==========================================================

Client's ipsec.conf:

config setup
    plutostart=no
    charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"

conn %default
    ikelifetime=60m
    keylife=20m
    keyexchange=ikev2
    installpolicy=no
    reauth=no

conn android
    left=%any
    leftid="abc"
    leftauth=eap
    leftsourceip=192.168.3.3
    eap_identity=deepika
    right=192.168.1.154
    rightid=192.168.1.154
    #rightsubnet=192.168.5.0/24
    rightauth=pubkey
    reqid=1
    auto=route

=====================================================================

Logcat (at the time of the crash):

I/charon ( 1549): 12[IKE] sending keep alive
I/charon ( 1549): 12[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 15[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 15[IKE] no route found to reach 192.168.1.154, MOBIKE update deferred
I/charon ( 1549): 03[KNL] 192.168.3.3 appeared on wlan0
I/charon ( 1549): 02[KNL] creating acquire job for policy 192.168.3.3/32[1/8] === 192.168.1.154/32[1] with reqid {1}
I/charon ( 1549): 11[IKE] establishing CHILD_SA android{1}
I/charon ( 1549): 11[ENC] generating CREATE_CHILD_SA request 23 [ SA No TSi TSr ]
I/charon ( 1549): 11[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 16[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 16[IKE] requesting address change using MOBIKE
I/charon ( 1549): 03[KNL] fe80::a20b:baff:fec3:cf31 appeared on wlan0
I/charon ( 1549): 08[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 08[IKE] requesting address change using MOBIKE
D/dalvikvm( 201): GC_CONCURRENT freed 1031K, 12% free 17211K/19399K, paused 6ms+3ms
D/DhcpInfoInternal( 201): makeLinkProperties with empty dns2!
D/DhcpInfoInternal( 201): makeLinkProperties with empty dns2!
D/ConnectivityService( 201): ConnectivityChange for WIFI: CONNECTED/CONNECTED
W/NetworkStats( 201): dropping UID delta from unknown iface: iface=wlan0 uid=0 set=DEFAULT tag=0x0 rxBytes=576 rxPackets=1 txBytes=280 txPackets=4 operations=0
D/ConnectivityService( 201): ConnectivityChange for WIFI: CONNECTED/CONNECTED
D/ConnectivityService( 201): handleConnectivityChange: address are the same reset per doReset linkProperty[1]: resetMask=0
I/charon ( 1549): 04[IKE] old path is not available anymore, try to find another
I/charon ( 1549): 04[IKE] requesting address change using MOBIKE
I/charon ( 1549): 12[IKE] retransmit 1 of request with message ID 23
I/charon ( 1549): 12[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 14[IKE] retransmit 2 of request with message ID 23
I/charon ( 1549): 14[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 07[IKE] retransmit 3 of request with message ID 23
I/charon ( 1549): 07[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 16[IKE] sending keep alive
I/charon ( 1549): 16[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 10[IKE] retransmit 4 of request with message ID 23
I/charon ( 1549): 10[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 13[IKE] sending keep alive
I/charon ( 1549): 13[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 04[IKE] sending keep alive
I/charon ( 1549): 04[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 12[IKE] retransmit 5 of request with message ID 23
I/charon ( 1549): 12[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 15[IKE] sending keep alive
I/charon ( 1549): 15[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 07[IKE] sending keep alive
I/charon ( 1549): 07[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 11[IKE] sending keep alive
I/charon ( 1549): 11[NET] sending packet: from 192.168.2.221[4500] to 192.168.1.154[4500]
I/charon ( 1549): 05[NET] error writing to socket: Invalid argument
I/charon ( 1549): 02[KNL] creating delete job for ESP CHILD_SA with SPI c1b76809 and reqid {1}
I/charon ( 1549): 10[IKE] giving up after 5 retransmits
I/charon ( 1549): 10[KNL] received netlink error: No such process (3)
I/charon ( 1549): 10[KNL] unable to delete SAD entry with SPI c1b76809
I/charon ( 1549): 03[KNL] 192.168.3.3 disappeared from wlan0
==================================================================

Any idea what is going wrong? The number of iterations is random. It seems that strongSwan doesn't delete the old SAs' entries but creates new ones, and hence some corruption.

Regards,
Nitin
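As an added diagnostic for the kind of `ip xfrm state` dump shown in the post above (this is example code written for this page, not part of the post or of strongSwan), the script below parses the SAD listing and, per reqid, separates keyed SAs that match the outer address pair you expect from larval acquire placeholders (SPI 0, no keys), keyless leftovers with a real SPI, and keyed SAs still bound to a previous outer address. The expected local outer address and server address are command-line parameters and are assumptions of the caller; the built-in sample is constructed from the post's output with the key material replaced by placeholders, and the file name in the usage line is hypothetical.

```python
"""Classify `ip xfrm state` entries to see whether a usable SA pair exists.

Added diagnostic (not strongSwan code). Reads `ip xfrm state` text from
stdin, groups SAs by reqid and says whether a keyed SA exists in both
directions for the expected outer address pair. The SAMPLE below is
constructed from the posted output; key values are placeholders.
"""
import re
import sys
from dataclasses import dataclass


@dataclass
class Sa:
    src: str                 # outer source address as printed by ip xfrm
    dst: str                 # outer destination address
    proto: str = ""
    spi: int = 0
    reqid: int = 0
    mode: str = ""
    has_keys: bool = False   # an auth/enc/aead line was present
    encap: str = ""
    sel: str = ""


SAMPLE = """\
src 192.168.1.154 dst 192.168.2.221
\tproto esp spi 0xc1b76809 reqid 1 mode tunnel
\treplay-window 0
\tsel src 192.168.1.154/32 dst 192.168.2.221/32
src 192.168.3.3 dst 192.168.1.154
\tproto esp spi 0x00000000 reqid 1 mode tunnel
\treplay-window 0
FIX ME! implement getprotobynumber() bionic/libc/bionic/stubs.c:456
\tsel src 192.168.3.3/32 dst 192.168.1.154/32 proto 1 type 8 code 0 dev if9
src 192.168.2.221 dst 192.168.1.154
\tproto esp spi 0xcf855e44 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth hmac(sha1) 0x00
\tenc cbc(aes) 0x00
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.168.1.154 dst 192.168.2.221
\tproto esp spi 0xc49b5eaf reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth hmac(sha1) 0x00
\tenc cbc(aes) 0x00
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

SA_HEAD = re.compile(r"^src (\S+) dst (\S+)$")
SA_ID = re.compile(r"^proto (\S+) spi 0x([0-9a-fA-F]+) reqid (\d+) mode (\S+)")


def parse_xfrm_state(text: str) -> list[Sa]:
    """Turn `ip xfrm state` output into Sa records; unrelated lines are skipped."""
    sas: list[Sa] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        head = SA_HEAD.match(line)
        if head:
            cur = Sa(src=head.group(1), dst=head.group(2))
            sas.append(cur)
            continue
        if cur is None:
            continue  # noise before the first SA (e.g. libc stub warnings)
        ident = SA_ID.match(line)
        if ident:
            cur.proto, cur.mode = ident.group(1), ident.group(4)
            cur.spi, cur.reqid = int(ident.group(2), 16), int(ident.group(3))
        elif line.startswith(("auth ", "enc ", "aead ")):
            cur.has_keys = True
        elif line.startswith("encap "):
            cur.encap = line
        elif line.startswith("sel "):
            cur.sel = line
    return sas


def audit(sas: list[Sa], local_outer: str, peer: str) -> dict[int, dict[str, list[Sa]]]:
    """Group SAs by reqid and classify each one against the expected outer pair."""
    report: dict[int, dict[str, list[Sa]]] = {}
    for sa in sas:
        r = report.setdefault(sa.reqid, {k: [] for k in ("larval", "keyless", "out", "in", "stale")})
        if sa.spi == 0:
            r["larval"].append(sa)      # acquire placeholder, never negotiated
        elif not sa.has_keys:
            r["keyless"].append(sa)     # SPI allocated but no keys installed
        elif (sa.src, sa.dst) == (local_outer, peer):
            r["out"].append(sa)
        elif (sa.src, sa.dst) == (peer, local_outer):
            r["in"].append(sa)
        else:
            r["stale"].append(sa)       # keyed, but bound to another outer address
    return report


def usable(report: dict[int, dict[str, list[Sa]]], reqid: int) -> bool:
    """True only if a keyed SA exists in both directions for the expected addresses."""
    r = report.get(reqid)
    return bool(r and r["out"] and r["in"])


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    local, peer = sys.argv[1:3] if len(sys.argv) >= 3 else ("192.168.3.3", "192.168.1.154")
    rep = audit(parse_xfrm_state(text), local, peer)
    for reqid, r in sorted(rep.items()):
        counts = ", ".join(f"{k}={len(v)}" for k, v in r.items())
        print(f"reqid {reqid}: {counts} -> usable for {local}<->{peer}: {usable(rep, reqid)}")
```

Run it on a captured dump as `ip xfrm state | python3 xfrm_audit.py 192.168.3.3 192.168.1.154` (file name hypothetical). On the posted sample it reports one larval SA, one keyless SA with SPI 0xc1b76809 and two stale keyed SAs bound to 192.168.2.221, and no usable pair for 192.168.3.3, which is the picture the post describes; rerun with 192.168.2.221 as the local address and the same two keyed SAs form a usable pair.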