Hello,<br><br>I am new to the world of ipsec. I would like to set up a secure communication (IKEv2) between my android's phone and my PC. Both tools use the strongswan application. My computer supplies the ad hoc network with the wifi and my phone connects in it.<br>
<br>I'm using version 4.0.3 of android on an HTC (Access root) strongSwan 5.0.2dr4<br>The application ZT-180 Adhoc Switch allows me to connect with my PC.<br>The OS of the computer is version 11.04 of Ubunutu. strongswan 4.5.0<br>
<br>I put below all steps I followed, and application logs proposed by strongswan on my phone.<br><br>Can you tell me what I need to change for this to work.<br>Once it works, these documents will be used to make a tutorial for IPSec communication between a computer and an android phone.<br>
<br>Thank you in advance for your participation.<br><br><br><br>gedit /etc/ssl/openssl.conf<br><br>#--------------------------------------------------------------start of openssl.conf-----------------------------------------------------------------------<br>
[ ca ]<br>default_ca = CA_default # The default ca section<br><br>[ CA_default ]<br>dir = /etc/ipsec.d # Where everything is kept<br>certs = $dir/certs # Where the issued certs are kept<br>
database = $dir/index.txt # database index file.<br>new_certs_dir = $dir/newcerts # default place for new certs.<br>certificate = $dir/cacerts/strongswanCert.pem # The CA certificate<br>serial = $dir/serial # The current serial number<br>
private_key = $dir/private/strongswanKey.pem # The private key<br>RANDFILE = $dir/private/.rand # private random number file<br><br>x509_extensions = usr_cert # The extentions to add to the cert<br>
<br>default_days = 365 # how long to certify for<br>default_md = sha1 # which md to use.<br>preserve = no # keep passed DN ordering<br>policy = policy_match<br>
<br>[ policy_match ]<br>countryName = match<br>stateOrProvinceName = match<br>organizationName = match<br>organizationalUnitName = optional<br>commonName = supplied<br>emailAddress = optional<br>
<br>[ req ]<br>default_bits = 1024<br>default_keyfile = privkey.pem<br>distinguished_name = req_distinguished_name<br>attributes = req_attributes<br>x509_extensions = v3_ca<br><br>[ req_distinguished_name ]<br>
countryName = Country Name (2 letter code)<br>countryName_default = FR<br>countryName_min = 2<br>countryName_max = 2<br><br>stateOrProvinceName = State or Province Name (full name)<br>
stateOrProvinceName_default = France<br><br>localityName = Locality Name (eg, city)<br>localityName_default = Angers<br><br>0.organizationName = Organization Name (eg, company)<br>0.organizationName_default = myCompany<br>
<br>organizationalUnitName = Organizational Unit Name (eg, section)<br>organizationalUnitName_default = myUnit<br><br>commonName = Common Name (eg, YOUR name)<br>commonName_max = 64<br><br>emailAddress = Email Address<br>
emailAddress_max = 64<br><br>[ req_attributes ]<br>challengePassword = A challenge password<br>challengePassword_min = 4<br>challengePassword_max = 20<br>unstructuredName = An optional company name<br><br>[ usr_cert ]<br>
basicConstraints = CA:FALSE<br>nsComment = "OpenSSL Generated Certificate"<br>subjectKeyIdentifier = hash<br>authorityKeyIdentifier = keyid,issuer<br><br>[ v3_ca ]<br>subjectKeyIdentifier = hash<br>
authorityKeyIdentifier = keyid:always,issuer:always<br>basicConstraints = CA:true<br><br>[ v3_req ]<br>basicConstraints = CA:FALSE<br>keyUsage = nonRepudiation, digitalSignature, keyEncipherment<br><br>#---------------------------------------------------------------end of openssl.conf------------------------------------------------------------------------<br>
<br><br>cd /etc/ipsec.d<br><br>#I create my CA<br>openssl req -x509 -days 365 -newkey rsa:2048 -keyout private/strongswanKey.pem -out cacerts/strongswanCert.pem<br><br>#Enter PEM pass phrase: 1234<br>#Verifying - Enter PEM pass phrase: 1234<br>
#Country Name (2 letter code) [FR]:FR<br>#State or Province Name (full name) [France]:France<br>#Locality Name (eg, city) [Angers]:Angers<br>#Organization Name (eg, company) [myCompany]:myCompany<br>#Organization Unit Name (eg, section) [myUnit]:myUnit<br>
#Common Name (eg, YOUR name) []:<a href="http://example.com">example.com</a><br>#Email Address []:<a href="mailto:root@example.com">root@example.com</a><br><br>cp cacerts/strongswanCert.pem certs/<br><br><br>mkdir newcerts #If Dir not exist<br>
touch index.txt<br>echo "00" > serial<br><br>#I generate a user certificate<br>openssl req -newkey rsa:1024 -keyout private/hostKey.pem -out reqs/hostReq.pem<br><br>#Country Name (2 letter code) [FR]:FR<br>#State or Province Name (full name) [France]:France<br>
#Locality Name (eg, city) [Angers]:Angers<br>#Organization Name (eg, company) [myCompany]:myCompany<br>#Organization Unit Name (eg, section) [myUnit]:myUnit<br>#Common Name (eg, YOUR name) []:<a href="http://user.com">user.com</a><br>
#Email Address []:<a href="mailto:root@user.com">root@user.com</a><br>#A challenge password: hello<br>#An optional company name[]:<br><br>gedit index.txt.attr<br>#--------------------------------------------------------------start of index.txt.attr-----------------------------------------------------------------------<br>
unique_subject = no<br>#---------------------------------------------------------------end of index.txt.attr------------------------------------------------------------------------<br><br>#I sign it for two years<br>openssl ca -in reqs/hostReq.pem -days 730 -out certs/hostCert.pem -notext<br>
<br>#I put its private key, its host certificate and the CA certificate into a PKCS#12 file<br>openssl pkcs12 -export -inkey private/hostKey.pem -in certs/hostCert.pem -name "host" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out host.p12<br>
<br>gedit /etc/ipsec.secrets<br>#--------------------------------------------------------------start of ipsec.secrets-----------------------------------------------------------------------<br>:RSA strongswanKey.pem "1234"<br>
test:EAP "hello"<br>#---------------------------------------------------------------end of ipsec.secrets------------------------------------------------------------------------<br><br>gedit /etc/ipsec.conf<br>#--------------------------------------------------------------start of ipsec.conf-----------------------------------------------------------------------<br>
# ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br> charonstart=yes<br> uniqueids=yes<br><br>conn %default<br> authby=rsasig<br> leftrsasigkey=%cert<br> rightrsasigkey=%cert<br> keyingtries=1<br>
keylife=20m<br> ikelifetime=240m<br><br>conn android<br> leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a><br> leftcert=strongswanCert.pem<br> leftauth=pubkey<br> leftid=@<a href="http://example.com">example.com</a><br>
right=%any<br> rightauth=eap-mschapv2<br> rightsendcert=never<br> rightcert=hostCert.pem<br> keyexchange=ikev2<br> eap_identity=%any<br> auto=route<br>#---------------------------------------------------------------end of ipsec.conf------------------------------------------------------------------------<br>
<br>cp host.p12 certs/strongswanCert.pem /media/140B-B107 #The SDD card of the android 4.0+ phone<br><br>ipsec start<br><br>#On the android phone i have the strongswan app configured like that:<br><br> #Profile Name: test<br>
#Gateway: IP of the pc<br> #Type IKEv2 EAP (Username/Password)<br> #Username: test<br> #Password: hello<br> #CA certificate: myCompany <a href="http://example.com">example.com</a><br><br>######IT DOES NOT WORK!##########<br>
<br>Feb 1 10:24:19 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 3.0.16-g31a4fc7, armv7l)<br>Feb 1 10:24:19 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc<br>
Feb 1 10:24:19 00[JOB] spawning 16 worker threads<br>Feb 1 10:24:19 10[IKE] initiating IKE_SA android[4] to 10.42.43.1<br>Feb 1 10:24:19 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
Feb 1 10:24:19 10[NET] sending packet: from 10.42.43.36[48460] to 10.42.43.1[500]<br>Feb 1 10:24:19 13[NET] received packet: from 10.42.43.1[500] to 10.42.43.36[48460]<br>Feb 1 10:24:19 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
Feb 1 10:24:20 13[IKE] faking NAT situation to enforce UDP encapsulation<br>Feb 1 10:24:20 13[IKE] sending cert request for "C=FR, ST=France, L=Angers, O=myCompany, OU=myUnit, CN=<a href="http://example.com">example.com</a>, E=<a href="mailto:root@example.com">root@example.com</a>"<br>
Feb 1 10:24:20 13[IKE] establishing CHILD_SA android<br>Feb 1 10:24:20 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
Feb 1 10:24:20 13[NET] sending packet: from 10.42.43.36[41241] to 10.42.43.1[4500]<br>Feb 1 10:24:20 03[NET] received packet: from 10.42.43.1[4500] to 10.42.43.36[41241]<br>Feb 1 10:24:20 03[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
Feb 1 10:24:20 03[IKE] received AUTHENTICATION_FAILED notify error<br><br>#I also try with<br><br> #On the android phone i have the strongswan app configured like that:<br> #Profile Name: test<br> #Gateway: IP of the pc<br>
#Type IKEv2 Certificate<br> #User certificate: host CN=..., OU=..., ...<br> #CA certificate: myCompany <a href="http://example.com">example.com</a><br><br>######IT DOES NOT WORK TOO!##########<br><br>Feb 1 10:15:06 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 3.0.16-g31a4fc7, armv7l)<br>
Feb 1 10:15:06 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc<br>Feb 1 10:15:06 00[JOB] spawning 16 worker threads<br>
Feb 1 10:15:06 11[CFG] loaded user certificate 'C=FR, ST=France, O=myCompany, OU=myUnit, CN=<a href="http://user.com">user.com</a>, E=<a href="mailto:root@user.com">root@user.com</a>' and private key<br>Feb 1 10:15:06 11[CFG] loaded CA certificate 'C=FR, ST=France, L=Angers, O=myCompany, OU=myUnit, CN=<a href="http://example.com">example.com</a>, E=<a href="mailto:root@example.com">root@example.com</a>'<br>
Feb 1 10:15:06 11[IKE] initiating IKE_SA android[1] to 10.42.43.1<br>Feb 1 10:15:07 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Feb 1 10:15:07 11[NET] sending packet: from 10.42.43.36[49549] to 10.42.43.1[500]<br>
Feb 1 10:15:07 15[NET] received packet: from 10.42.43.1[500] to 10.42.43.36[49549]<br>Feb 1 10:15:07 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>Feb 1 10:15:07 15[IKE] faking NAT situation to enforce UDP encapsulation<br>
Feb 1 10:15:07 15[IKE] sending cert request for "C=FR, ST=France, L=Angers, O=myCompany, OU=myUnit, CN=<a href="http://example.com">example.com</a>, E=<a href="mailto:root@example.com">root@example.com</a>"<br>
Feb 1 10:15:07 15[IKE] authentication of 'C=FR, ST=France, O=myCompany, OU=myUnit, CN=<a href="http://user.com">user.com</a>, E=<a href="mailto:root@user.com">root@user.com</a>' (myself) with RSA signature successful<br>
Feb 1 10:15:07 15[IKE] establishing CHILD_SA android<br>Feb 1 10:15:07 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
Feb 1 10:15:07 15[NET] sending packet: from 10.42.43.36[36844] to 10.42.43.1[4500]<br>Feb 1 10:15:07 12[NET] received packet: from 10.42.43.1[4500] to 10.42.43.36[36844]<br>Feb 1 10:15:07 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
Feb 1 10:15:07 12[IKE] received AUTHENTICATION_FAILED notify error<br>