[strongSwan-dev] Problem with Android VPN Client on Motorola DROID RAZR running Android 4.1.2
Peck, Michael A
mpeck at mitre.org
Sun Apr 7 21:23:59 CEST 2013
Hi Tobias,
Thanks for the response. Answers below.
Mike
>-----Original Message-----
>From: Tobias Brunner [mailto:tobias at strongswan.org]
>Sent: Tuesday, April 02, 2013 6:33 AM
>To: Peck, Michael A
>Cc: dev at lists.strongswan.org
>Subject: Re: [strongSwan-dev] Problem with Android VPN Client on Motorola
>DROID RAZR running Android 4.1.2
>
>Hi Michael,
>
>> I compiled from source and had the same problem --- but I had been using
>> a previous version of strongSwan with no issues.
>
>Are you referring to the app or the strongSwan version on the gateway?
Sorry, I am referring to the Android app.
>
>> i.e. if I checkout master and run “git revert
>> 21dd4c4beab5b3e61dba28eedbc7aad375bdf0a3”, then build, the app works
>fine.
>>
>> Any thoughts on the problem?
>
>Could you check which of the two changes in the patch causes the issue?
The first change is the one that causes the issue with the Android app.
In src/libcharon/sa/ike_sa.c:
This code segment works:
    /* update our address in any case */
    if (!me->equals(me, this->my_host))
    {
        set_my_host(this, me->clone(me));
        update = TRUE;
    }
This code segment doesn't work:
    /* update our address in any case */
    if (force && !me->equals(me, this->my_host))
    {
        set_my_host(this, me->clone(me));
        update = TRUE;
    }
>What is your NAT situation? Is the gateway behind a NAT? Are any of
>the two Android devices? Could you send your gateway config? (In
>particular do you have mobike=no in your config?)
The gateway is an Amazon EC2 VM (strongSwan 4.5.2 running on Ubuntu 12.04.2 LTS). Its Internet-facing IP is not the same as the IP assigned to its eth0 interface.
The Android devices are behind a NAT. I've tested on both my home Wi-Fi and over cellular.
I have mobike=yes in the gateway config. Here is the gateway config:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    strictcrlpolicy=no
    plutostart=no
    charonstart=yes
# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
conn mytest
    left=%any
    leftsubnet=0.0.0.0/0
    mobike=yes
    right=%any
    auto=add
    authby=pubkey
    leftcert=ec2cert.pem
    rightid=%any
    leftid=%any
    rightsourceip=192.168.100.0/24
    esp=aes256-sha384
    ike=aes256-sha384-modp2048
Here's the Charon.log from the Android app.
10.184.214.218 is the external interface (cellular data).
Notice the "sending packet: from 192.168.157.1[38661]" - that is not the external interface. I think it's one of the USB interfaces. 10.184.214.218 is the external interface on the Android phone. Could that be part of the problem? 54.242.XXX.YY is the internet-facing IP of the gateway, but the gateway sees its own address as 10.214.xxx.yy.
Apr 3 16:31:34 00[DMN] Starting IKE charon daemon (strongSwan 5.0.3rc1, Linux 3.0.8-gbacb1cf, armv7l)
Apr 3 16:31:35 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
Apr 3 16:31:35 00[JOB] spawning 16 worker threads
Apr 3 16:31:35 16[CFG] loaded user certificate 'C=US, O=REMOVED, CN=REMOVED' and private key
Apr 3 16:31:35 16[CFG] loaded CA certificate 'C=US, O=REMOVED, CN=REMOVED-ROOT-CA'
Apr 3 16:31:36 16[IKE] initiating IKE_SA android[1] to 54.242.XXX.YY
Apr 3 16:31:36 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 3 16:31:36 16[NET] sending packet: from 192.168.157.1[38661] to 54.242.XXX.YY[500] (648 bytes)
Apr 3 16:31:36 13[NET] received packet: from 54.242.XXX.YY[500] to 10.184.214.218[38661] (465 bytes)
Apr 3 16:31:36 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 3 16:31:36 13[IKE] local host is behind NAT, sending keep alives
Apr 3 16:31:36 13[IKE] remote host is behind NAT
Apr 3 16:31:36 13[IKE] received cert request for "C=US, O=REMOVED, CN=REMOVED-ROOT-CA"
Apr 3 16:31:36 13[IKE] sending cert request for "C=US, O=REMOVED, CN=REMOVED-ROOT-CA"
Apr 3 16:31:36 13[IKE] authentication of 'C=US, O=REMOVED, CN=REMOVED' (myself) with RSA signature successful
Apr 3 16:31:36 13[IKE] sending end entity cert "C=US, O=REMOVED, CN=REMOVED"
Apr 3 16:31:36 13[IKE] establishing CHILD_SA android
Apr 3 16:31:36 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 3 16:31:36 13[NET] sending packet: from 10.184.214.218[54393] to 54.242.XXX.YY[4500] (1560 bytes)
Apr 3 16:31:37 10[NET] received packet: from 54.242.XXX.YY[4500] to 10.184.214.218[54393] (1432 bytes)
Apr 3 16:31:37 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Apr 3 16:31:37 10[IKE] received end entity cert "C=US, O=REMOVED, CN=removed.com"
Apr 3 16:31:37 10[CFG] using certificate "C=US, O=REMOVED, CN=removed.com"
Apr 3 16:31:37 10[CFG] using trusted ca certificate "C=US, O=REMOVED, CN=REMOVED-ROOT-CA"
Apr 3 16:31:37 10[CFG] reached self-signed root ca with a path length of 0
Apr 3 16:31:37 10[IKE] authentication of 'C=US, O=REMOVED, CN=removed.com' with RSA signature successful
Apr 3 16:31:37 10[IKE] IKE_SA android[1] established between 10.184.214.218[C=US, O=REMOVED, CN=REMOVED]...54.242.XXX.YY[C=US, O=REMOVED, CN=removed.com]
Apr 3 16:31:37 10[IKE] scheduling rekeying in 35588s
Apr 3 16:31:37 10[IKE] maximum IKE_SA lifetime 36188s
Apr 3 16:31:37 10[IKE] installing new virtual IP 192.168.100.1
Apr 3 16:31:37 10[IKE] CHILD_SA android{1} established with SPIs 50d2eb02_i cb7893c3_o and TS 192.168.100.1/32 === 0.0.0.0/0
Apr 3 16:31:37 10[DMN] setting up TUN device for CHILD_SA android{1}
Apr 3 16:31:37 10[DMN] successfully created TUN device
Apr 3 16:31:37 10[IKE] received AUTH_LIFETIME of 3280s, scheduling reauthentication in 2680s
Apr 3 16:31:37 10[IKE] peer supports MOBIKE
Apr 3 16:31:58 02[IKE] sending keep alive to 54.242.XXX.YY[4500]
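An added diagnostic script, not part of this thread or of strongSwan, that scans charon NET log lines for the pattern Mike points out above: a reply arriving at a different local address than the request it answers was sent from (the same local port, a different local host). The sample lines are copied from the charon.log in this message, with the gateway address kept redacted as in the thread; a genuine NAT-T switch to port 4500 is not flagged because the port changes too.

```python
import re

# Constructed sample: NET lines taken from the charon.log above, gateway address
# left redacted exactly as it appears in the thread.
SAMPLE_LOG = """\
Apr 3 16:31:36 16[NET] sending packet: from 192.168.157.1[38661] to 54.242.XXX.YY[500] (648 bytes)
Apr 3 16:31:36 13[NET] received packet: from 54.242.XXX.YY[500] to 10.184.214.218[38661] (465 bytes)
Apr 3 16:31:36 13[IKE] local host is behind NAT, sending keep alives
Apr 3 16:31:36 13[NET] sending packet: from 10.184.214.218[54393] to 54.242.XXX.YY[4500] (1560 bytes)
Apr 3 16:31:37 10[NET] received packet: from 54.242.XXX.YY[4500] to 10.184.214.218[54393] (1432 bytes)
"""

# Matches charon's "[NET] sending/received packet: from A[p] to B[q]" lines.
# Hosts are matched non-greedily so redacted values such as 54.242.XXX.YY still parse.
PKT_RE = re.compile(
    r'^(?P<ts>\w+\s+\d+\s+[\d:]+)\s+\d+\[NET\]\s+'
    r'(?P<dir>sending|received) packet: from (?P<src>\S+?)\[(?P<sport>\d+)\] '
    r'to (?P<dst>\S+?)\[(?P<dport>\d+)\]'
)


def local_endpoints(log_text):
    """Return (direction, local_host, local_port) for every NET packet line.

    For a sent packet our end is the source; for a received one it is the destination."""
    out = []
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        if m['dir'] == 'sending':
            out.append(('sending', m['src'], m['sport']))
        else:
            out.append(('received', m['dst'], m['dport']))
    return out


def find_address_mismatches(log_text):
    """Flag replies that reach a different local address than the preceding request
    left from, while using the same local port (the 192.168.157.1 vs 10.184.214.218 case)."""
    mismatches = []
    last_sent = None
    for direction, host, port in local_endpoints(log_text):
        if direction == 'sending':
            last_sent = (host, port)
        elif last_sent and port == last_sent[1] and host != last_sent[0]:
            mismatches.append({'sent_from': last_sent[0], 'received_at': host, 'port': port})
    return mismatches


if __name__ == '__main__':
    for mm in find_address_mismatches(SAMPLE_LOG):
        print(f"request left from {mm['sent_from']}, reply arrived at {mm['received_at']} (port {mm['port']})")
```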