[strongSwan] Android/strongSwan Integration

zhen chen zchen2711 at yahoo.com
Mon Nov 21 04:21:41 CET 2011


Hi Andreas, 

I loaded the strongswan.conf to the Android emulator, and Android is now able to load the CA cert successfully. 
Thanks!

Now I started from the Android emulator and tried to add the IKEv2 IPsec tunnel. I entered the name and the address of the GW, then tried to connect. I entered the username/password. The login failed. I checked the ipsec.conf and followed Tobias's instructions on the wiki. I couldn't find out what I did wrong. I used zhen as the user name on the Android side. 

Thanks in advance!
-Zhen 
 
The following is the main error on the GW side: 


Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen] 
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found 

The GW cert DN is "C=CH, O=zhen, CN=emac", which I used as the left side id in the GW's ipsec.conf file. 
The CA cert DN is:  C=CH, O=strongSwan, CN=strongSwan CA

/etc/ipsec.secrets:

": RSA peerKey.der
zhen : EAP "password"
"

ipsec.conf file on the GW side (note: "android" is the conn for the Android phone): 

"conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
conn rw
        right=%any
        rightid=@192.168.121.101
        rightsourceip=%dhcp
        leftfirewall=yes
        left=192.168.121.102
        leftsubnet=192.168.2.0/24
        leftid=@192.168.121.102
        auto=add
conn android
        leftsubnet=0.0.0.0/0
        leftcert=peerCert1.der
        leftauth=pubkey
        leftid="C=CH, O=zhen, CN=emac"
        right=%any
        rightsourceip=%dhcp
        rightauth=eap-mschapv2
        rightsendcert=never
        keyexchange=ikev2
        eap_identity=%any
        auto=add
"
Gateway log: 


Nov 20 19:51:30 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw socket-default updown eap-identity eap-md5 farp gtp  
Nov 20 19:51:30 localhost charon: 00[JOB] spawning 16 worker threads 
Nov 20 19:51:30 localhost charon: 06[CFG] received stroke: add connection 'rw' 
Nov 20 19:51:30 localhost charon: 06[CFG] added configuration 'rw' 
Nov 20 19:51:30 localhost charon: 08[CFG] received stroke: add connection 'android' 
Nov 20 19:51:30 localhost charon: 08[CFG] left nor right host is our side, assuming left=local 
Nov 20 19:51:30 localhost charon: 08[CFG]   loaded certificate "C=CH, O=zhen, CN=emac" from 'peerCert1.der' 
Nov 20 19:51:30 localhost charon: 08[CFG] added configuration 'android' 


Nov 20 19:57:25 localhost charon: 10[NET] received packet: from 192.168.121.104[60653] to 192.168.121.102[500] 
Nov 20 19:57:25 localhost charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 
Nov 20 19:57:25 localhost charon: 10[IKE] 192.168.121.104 is initiating an IKE_SA 
Nov 20 19:57:25 localhost charon: 10[IKE] remote host is behind NAT 
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:25 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 
Nov 20 19:57:25 localhost charon: 10[NET] sending packet: from 192.168.121.102[500] to 192.168.121.104[60653] 
Nov 20 19:57:26 localhost charon: 11[NET] received packet: from 192.168.121.104[34320] to 192.168.121.102[4500] 
Nov 20 19:57:26 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ] 
Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA" 
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen] 
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found 
Nov 20 19:57:26 localhost charon: 11[IKE] peer supports MOBIKE 
Nov 20 19:57:26 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] 
Nov 20 19:57:26 localhost charon: 11[NET] sending packet: from 192.168.121.102[4500] to 192.168.121.104[34320] 



Android adb logcat: 

I/SProxy_charon(  351): Start VPN daemon: charon
D/SProxy_charon(  351): charon is running after 0 msec
D/SProxy_charon(  351): service not yet listen()ing; try again
I/charon  (  800): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5 
I/charon  (  800): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running
I/charon  (  800): 00[JOB] spawning 16 worker threads
I/keystore(   37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/charon  (  800): 06[CFG] using CA certificate, gateway identitiy '192.168.121.102'
I/charon  (  800): 06[CFG] status of Android plugin changed: 4
I/SProxy_charon(  351): got data from control socket: 4
I/charon  (  800): 06[IKE] initiating IKE_SA android[1] to 192.168.121.102
I/charon  (  800): 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
I/charon  (  800): 06[NET] sending packet: from 10.0.2.15[500] to 192.168.121.102[500]
I/charon  (  800): 07[NET] received packet: from 192.168.121.102[500] to 10.0.2.15[500]
I/charon  (  800): 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
I/charon  (  800): 07[IKE] local host is behind NAT, sending keep alives
I/charon  (  800): 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon  (  800): 07[IKE] received 1 cert requests for an unknown ca
I/charon  (  800): 07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon  (  800): 07[IKE] establishing CHILD_SA android
I/charon  (  800): 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
I/charon  (  800): 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.121.102[4500]
I/charon  (  800): 08[NET] received packet: from 192.168.121.102[4500] to 10.0.2.15[4500]
I/charon  (  800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I/charon  (  800): 08[IKE] received AUTHENTICATION_FAILED notify error


________________________________
 From: Andreas Steffen <andreas.steffen at strongswan.org>
To: zhen chen <zchen2711 at yahoo.com> 
Cc: Tobias Brunner <tobias at strongswan.org>; "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Sunday, November 20, 2011 7:36 AM
Subject: Re: [strongSwan] Android/strongSwan Integration
 
Hello Zhen,

the actual error is

I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed

if you have a strongswan.conf file on your Android platform
please add the entry

libstrongswan {
  x509 {
    enforce_critical = no
  }
}

You could also try to add the x509 plugin and add it in front of
the openssl plugin in the libcharon load list. The x509 plugin
might be able to handle the unknown critical extension contained
in your certificate.

Regards

Andreas

On 11/20/2011 12:41 AM, zhen chen wrote:
> Hi Tobias, 
> 
> I followed the procedure to create the CA certificate and imported it to
> the Android emulator successfully. 
> Now, after configuring the GW side ipsec.conf, I created an IKEv2 VPN in
> the emulator. Then I tried to connect to it: 
> 
> the logcat is giving me the following errors:
> 
> D/SProxy_charon(  351): stopping charon, success? true
> D/VpnService(  351):   Local IP: 10.0.2.15, if: eth0
> D/VpnService(  351):        VPN UP: down
> I/SProxy_charon(  351): Start VPN daemon: charon
> D/SProxy_charon(  351): charon is running after 0 msec
> D/SProxy_charon(  351): service not yet listen()ing; try again
> I/charon  (  362): 00[DMN] loaded plugins: openssl fips-prf random
> pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android
> eap-identity eap-mschapv2 eap-md5 
> I/charon  (  362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid',
> process not running
> I/charon  (  362): 00[JOB] spawning 16 worker threads
> I/keystore(   37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
> I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
> I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed
> I/charon  (  362): 07[LIB] building CRED_CERTIFICATE - X509 failed,
> tried 2 builders
> I/charon  (  362): 07[CFG] failed to load CA certificate
> I/charon  (  362): 07[CFG] using CA certificate, gateway identitiy
> '192.168.121.102'
> I/charon  (  362): 07[CFG] status of Android plugin changed: 4
> 
> Now it seems like Android is not able to load the certificate I created
> using ipsec pki.  
> Is that because of the way I created the CA cert, or is something missing
> in the Android charon? 
> 
> thanks!
> -zhen
> 
> 
> ------------------------------------------------------------------------
> *From:* Tobias Brunner <tobias at strongswan.org>
> *To:* zhen chen <zchen2711 at yahoo.com>
> *Cc:* "users at lists.strongswan.org" <users at lists.strongswan.org>
> *Sent:* Tuesday, November 15, 2011 9:52 AM
> *Subject:* Re: [strongSwan] Android/strongSwan Integration
> 
> Hello Zhen,
> 
>> I have been trying to bring Strongswan 4.5.3 to Android
> 
> If possible, you should update to 4.6.1 as there are several Android
> related improvements included in that release.
> 
>> 1. When I ran charon in adb shell, it started, but said: "android plugin
>> failed to load, can't open android control socket".
> 
> That's because the control socket is only available if charon gets
> started by the patched Android VPN GUI.  With 4.6.1 it's possible to use
> the plugin even if charon is not started by the GUI.
> 
>> I did some search, the android plugin is something related to DNS.
> 
> That's correct, it installs DNS servers received from the gateway where
> Android expects them to be (there is no resolv.conf on Android).
> 
>> Question: do i have to to enable this plugin for VPN to work on the
>> emulator?
> 
> Only if you need DNS servers installed, or logging via logcat.  These
> are currently the only two functions provided by the plugin, which are
> usable without GUI patch.
> 
>> If so, I did some ./configure --enable-android, it failed
>> because it couldn't find a required lib.
> 
> Running ./configure won't work.  To enable/disable plugins you have to
> edit the plugin list in the top Android.mk within the strongSwan source
> tree.  But the plugin is enabled anyway, by default, it just can't be
> loaded without the control socket provided by the frontend in 4.5.3.
> 
>> 2. In the frontend integration site, it says it needs CA assigned certs,
>> quoted below.
>> Question: Does the certificate have to be issued by a CA? Would
>> self-assigned certificate work? I am just playing with it and wouldn't
>> want to spend $1500 to buy one from verisign. :(
> 
> Don't worry :)  You can absolutely build your own CA (e.g. with the
> ipsec pki tool [1]).  Just make sure you install the CA certificate in
> the Android certificate store as described on the page you quoted.  Then
> use this CA to issue a certificate for the gateway you want to test against.
> 
> With 4.6.1 you now also have the option to build starter and stroke,
> which allows you to use an ipsec.conf based configuration instead of
> using the frontend patch.
> 
> Regards,
> Tobias
> 
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
-- 
======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
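The gateway's "looking for peer configs matching ... no matching peer config found" lines in the log above name the two identities charon tried to match: the responder identity (IDr) in the first bracket and the initiator identity (IDi) in the second. As an added example, not code from this thread or from strongSwan, the script below parses a conn-style ipsec.conf (with %default inheritance) and that log line, then reports per conn which of leftid/rightid fails to match, using a deliberately simplified id comparison (assumed: a leading "@" is ignored and ID types such as FQDN vs. IP address are not compared, which real charon does check).

```python
import re
# Constructed sample input, condensed from the gateway's ipsec.conf quoted in the post
# (same conn names and ids); the id comparison below is a simplification, not strongSwan's.
IPSEC_CONF = """\
conn %default
        keyexchange=ikev2
conn rw
        rightid=@192.168.121.101
        leftid=@192.168.121.102
conn android
        leftid="C=CH, O=zhen, CN=emac"
"""
# The charon line that names the identities it tried to match: local[IDr]...remote[IDi].
LOG_LINE = ("Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching "
            "192.168.121.102[192.168.121.102]...192.168.121.104[zhen]")

def parse_conns(text):
    """Parse conn sections into {name: {key: value}}, merging %default into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip().strip('"')
    default = conns.pop("%default", {})
    return {name: {**default, **opts} for name, opts in conns.items()}

def parse_lookup(log_line):
    """Extract (IDr, IDi) from a 'looking for peer configs matching A[IDr]...B[IDi]' line."""
    m = re.search(r"matching \S+?\[([^\]]+)\]\.\.\.\S+?\[([^\]]+)\]", log_line)
    return (m.group(1), m.group(2)) if m else None

def id_matches(configured, presented):
    """Assumed simplification: unset or %any matches anything; otherwise compare the text
    after a leading '@', ignoring case. Real charon also compares the ID type."""
    if configured is None or configured == "%any":
        return True
    return configured.lstrip("@").lower() == presented.lower()

def explain_mismatches(conns, idr, idi):
    """Return {conn: [reasons]}; an empty list means the conn matches both identities."""
    checks = (("leftid", idr, "IDr"), ("rightid", idi, "IDi"))
    return {name: [f"{key}={opts[key]!r} does not match {label} {value!r}"
                   for key, value, label in checks if not id_matches(opts.get(key), value)]
            for name, opts in conns.items()}
```

Running `explain_mismatches(parse_conns(IPSEC_CONF), *parse_lookup(LOG_LINE))` on the sample shows that neither conn matches both sides: "rw" fails on rightid against IDi "zhen" and "android" fails on leftid against the IDr the client sent.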