[strongSwan] Android/strongSwan Integration

Federico.Mancini at ffi.no Federico.Mancini at ffi.no
Mon Nov 21 08:23:08 CET 2011


I think I know this one, I had the same problem.

Found the solution in the mailing list itself:

strongSwan requires the peer ID to be contained in the certificate
(either the complete DN, or as a subjectAltName, a matching CN= is
insufficient).

In my case the peer ID turned out to be the IP address itself.....

Federico

From: users-bounces+federico.mancini=ffi.no at lists.strongswan.org [mailto:users-bounces+federico.mancini=ffi.no at lists.strongswan.org] On behalf of zhen chen
Sent: 21 November 2011 04:22
To: Andreas Steffen
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Android/strongSwan Integration


Hi Andreas,

I loaded the strongswan.conf to the Android emulator, the Android is able to load the CA cert successfully.

Thanks!

Now I started from the Android emulator and tried to add the IKEv2 IPsec tunnel. I entered the name, address of the GW, then tried to connect. I entered the username/password. The login failed. I checked the ipsec.conf and followed Tobias' instructions on the wiki. Couldn't find out what I did wrong. I used zhen as the user name on the Android side.

Thanks in advance!

-Zhen

The following is the main error on the GW side:


Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen]
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found

The GW cert DN is: C=CH, O=zhen, CN=emac, which I used as the left side id in the GW's ipsec.conf file.

The CA cert DN is: C=CH, O=strongSwan, CN=strongSwan CA

/etc/ipsec.secrets:

": RSA peerKey.der
zhen : EAP "password"
"


ipsec.conf file on the GW side (note: android is the conn to the Android phone):

"conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn rw
        right=%any
        rightid=@192.168.121.101
        rightsourceip=%dhcp
        leftfirewall=yes
        left=192.168.121.102
        leftsubnet=192.168.2.0/24
        leftid=@192.168.121.102
        auto=add

conn android
        leftsubnet=0.0.0.0/0
        leftcert=peerCert1.der
        leftauth=pubkey
        leftid="C=CH, O=zhen, CN=emac"
        right=%any
        rightsourceip=%dhcp
        rightauth=eap-mschapv2
        rightsendcert=never
        keyexchange=ikev2
        eap_identity=%any
        auto=add
"

Gateway log:

Nov 20 19:51:30 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw socket-default updown eap-identity eap-md5 farp gtp
Nov 20 19:51:30 localhost charon: 00[JOB] spawning 16 worker threads
Nov 20 19:51:30 localhost charon: 06[CFG] received stroke: add connection 'rw'
Nov 20 19:51:30 localhost charon: 06[CFG] added configuration 'rw'
Nov 20 19:51:30 localhost charon: 08[CFG] received stroke: add connection 'android'
Nov 20 19:51:30 localhost charon: 08[CFG] left nor right host is our side, assuming left=local
Nov 20 19:51:30 localhost charon: 08[CFG]   loaded certificate "C=CH, O=zhen, CN=emac" from 'peerCert1.der'
Nov 20 19:51:30 localhost charon: 08[CFG] added configuration 'android'

Nov 20 19:57:25 localhost charon: 10[NET] received packet: from 192.168.121.104[60653] to 192.168.121.102[500]
Nov 20 19:57:25 localhost charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 20 19:57:25 localhost charon: 10[IKE] 192.168.121.104 is initiating an IKE_SA
Nov 20 19:57:25 localhost charon: 10[IKE] remote host is behind NAT
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:25 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 20 19:57:25 localhost charon: 10[NET] sending packet: from 192.168.121.102[500] to 192.168.121.104[60653]
Nov 20 19:57:26 localhost charon: 11[NET] received packet: from 192.168.121.104[34320] to 192.168.121.102[4500]
Nov 20 19:57:26 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen]
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found
Nov 20 19:57:26 localhost charon: 11[IKE] peer supports MOBIKE
Nov 20 19:57:26 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 20 19:57:26 localhost charon: 11[NET] sending packet: from 192.168.121.102[4500] to 192.168.121.104[34320]


Android adb logcat:

I/SProxy_charon(  351): Start VPN daemon: charon
D/SProxy_charon(  351): charon is running after 0 msec
D/SProxy_charon(  351): service not yet listen()ing; try again
I/charon  (  800): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5
I/charon  (  800): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running
I/charon  (  800): 00[JOB] spawning 16 worker threads
I/keystore(   37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/charon  (  800): 06[CFG] using CA certificate, gateway identitiy '192.168.121.102'
I/charon  (  800): 06[CFG] status of Android plugin changed: 4
I/SProxy_charon(  351): got data from control socket: 4
I/charon  (  800): 06[IKE] initiating IKE_SA android[1] to 192.168.121.102
I/charon  (  800): 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
I/charon  (  800): 06[NET] sending packet: from 10.0.2.15[500] to 192.168.121.102[500]
I/charon  (  800): 07[NET] received packet: from 192.168.121.102[500] to 10.0.2.15[500]
I/charon  (  800): 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
I/charon  (  800): 07[IKE] local host is behind NAT, sending keep alives
I/charon  (  800): 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon  (  800): 07[IKE] received 1 cert requests for an unknown ca
I/charon  (  800): 07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon  (  800): 07[IKE] establishing CHILD_SA android
I/charon  (  800): 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
I/charon  (  800): 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.121.102[4500]
I/charon  (  800): 08[NET] received packet: from 192.168.121.102[4500] to 10.0.2.15[4500]
I/charon  (  800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I/charon  (  800): 08[IKE] received AUTHENTICATION_FAILED notify error


________________________________

From: Andreas Steffen <andreas.steffen at strongswan.org>
To: zhen chen <zchen2711 at yahoo.com> 
Cc: Tobias Brunner <tobias at strongswan.org>; "users at lists.strongswan.org" <users at lists.strongswan.org> 
Sent: Sunday, November 20, 2011 7:36 AM
Subject: Re: [strongSwan] Android/strongSwan Integration

Hello Zhen,

the actual error is

I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed

if you have a strongswan.conf file on your Android platform
please add the entry

libstrongswan {
  x509 {
    enforce_critical = no
  }
}

You could also try to add the x509 plugin and add it in front of
the openssl plugin in the libcharon load list. The x509 plugin
might be able to handle the unknown critical extension contained
in your certificate.

Regards

Andreas

On 11/20/2011 12:41 AM, zhen chen wrote:
> Hi Tobias, 
> 
> I followed the procedure to create the CA certificate and imported it to
> the Android emulator successfully. 
> Now after I configure the GW side ipsec.conf. I created a IKEV2 VPN in
> the emulator. Then tried to connect to it: 
> 
> the logcat is giving me the following errors:
> 
> D/SProxy_charon(  351): stopping charon, success? true
> D/VpnService(  351):  Local IP: 10.0.2.15, if: eth0
> D/VpnService(  351):        VPN UP: down
> I/SProxy_charon(  351): Start VPN daemon: charon
> D/SProxy_charon(  351): charon is running after 0 msec
> D/SProxy_charon(  351): service not yet listen()ing; try again
> I/charon  (  362): 00[DMN] loaded plugins: openssl fips-prf random
> pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android
> eap-identity eap-mschapv2 eap-md5 
> I/charon  (  362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid',
> process not running
> I/charon  (  362): 00[JOB] spawning 16 worker threads
> I/keystore(  37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
> I/charon  (  362): 07[LIB] found unsupported critical X.509 extension
> I/charon  (  362): 07[LIB] OpenSSL X.509 parsing failed
> I/charon  (  362): 07[LIB] building CRED_CERTIFICATE - X509 failed,
> tried 2 builders
> I/charon  (  362): 07[CFG] failed to load CA certificate
> I/charon  (  362): 07[CFG] using CA certificate, gateway identitiy
> '192.168.121.102'
> I/charon  (  362): 07[CFG] status of Android plugin changed: 4
> 
> Now it seems like Android is not able to load the certificate I created
> using ipsec pki.  
> Is that because the way I created the CA cert? or something is missing
> in the Android charon? 
> 
> thanks!
> -zhen
> 
> 
> ------------------------------------------------------------------------
> *From:* Tobias Brunner <tobias at strongswan.org>
> *To:* zhen chen <zchen2711 at yahoo.com>
> *Cc:* "users at lists.strongswan.org" <users at lists.strongswan.org>
> *Sent:* Tuesday, November 15, 2011 9:52 AM
> *Subject:* Re: [strongSwan] Android/strongSwan Integration
> 
> Hello Zhen,
> 
>> I have been trying to bring Strongswan 4.5.3 to Android
> 
> If possible, you should update to 4.6.1 as there are several Android
> related improvements included in that release.
> 
>> 1. When I ran charon in adb shell, it started, but said: "android plugin
>> failed to load, can't open android control socket".
> 
> That's because the control socket is only available, if charon gets
> started by the patched Android VPN GUI.  With 4.6.1 it's possible to use
> the plugin even if charon is not started by the GUI.
> 
>> I did some search, the android plugin is something related to DNS.
> 
> That's correct, it installs DNS servers received from the gateway where
> Android expects them to be (there is no resolv.conf on Android).
> 
>> Question: do I have to enable this plugin for VPN to work on the
>> emulator?
> 
> Only if you need DNS servers installed, or logging via logcat.  These
> are currently the only two functions provided by the plugin, which are
> usable without GUI patch.
> 
>> If so, I did some ./configure --enable-android, it failed
>> because it couldn't find a required lib.
> 
> Running ./configure won't work.  To enable/disable plugins you have to
> edit the plugin list in the top Android.mk within the strongSwan source
> tree.  But the plugin is enabled anyway, by default, it just can't be
> loaded without the control socket provided by the frontend in 4.5.3.
> 
>> 2. In the frontend integration site, it says it needs CA assigned certs,
>> quoted below.
>> Question: Does the certificate have to be issued by CA? Would
>> self-assigned certificate work? I am just playing with it and wouldn't
>> want to spend $1500 to buy one from verisign. :(
> 
> Don't worry :)  You can absolutely build your own CA (e.g. with the
> ipsec pki tool [1]).  Just make sure you install the CA certificate in
> the Android certificate store as described on the page you quoted.  Then
> use this CA to issue a certificate for the gateway you want to test against.
> 
> With 4.6.1 you now have also the option to build starter and stroke
> which allows you to use an ipsec.conf based configuration, instead of
> using the frontend patch.
> 
> Regards,
> Tobias
> 
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
-- 
======================================================================
Andreas Steffen                        andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
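The failure in this thread comes down to two checks that the gateway log and Federico's reply point at: charon's peer-config lookup ("looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen]" followed by "no matching peer config found"), and the rule that the ID the gateway uses must be contained in its certificate as the full subject DN or as a subjectAltName, a matching CN alone being insufficient. The Python below is an added example written for this page; it is not strongSwan code and not code posted by anyone in the thread. It models both checks on the identities and the ipsec.conf from the thread. The identity classification (`%any`, a leading `@` for a literal FQDN, IP literal, e-mail, DN, otherwise FQDN, and no match across identity types), the `Identity`, `Certificate` and `Conn` types and the `find_peer_configs` and `gateway_accepts` functions are all assumptions made for the example, as is the SAN list on the "fixed" certificate: the thread's gateway certificate "C=CH, O=zhen, CN=emac" shows no SAN at all.

```python
"""Model of charon's peer-config lookup and of the "peer ID must be in the
certificate" rule. Added example; simplified re-implementation, not
libstrongswan's identification_t / x509_t code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

ANY, IPV4, FQDN, RFC822, DN = "ANY", "IPV4_ADDR", "FQDN", "RFC822_ADDR", "DER_ASN1_DN"


def parse_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Normalise 'C=CH, O=zhen, CN=emac' into (('C','CH'),('O','zhen'),('CN','emac')).
    Attribute types are upper-cased, whitespace around '=' and ',' dropped,
    RDN order kept (a DN is an ordered sequence)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


@dataclass(frozen=True)
class Identity:
    kind: str
    value: object  # str for FQDN/RFC822, ip address for IPV4, tuple for DN, None for ANY

    @staticmethod
    def from_string(s: str) -> "Identity":
        # Assumed classification rules (see lead-in); '@name' is a literal FQDN.
        s = s.strip()
        if s in ("", "%any"):
            return Identity(ANY, None)
        if s.startswith("@"):
            return Identity(FQDN, s[1:].lower())
        try:
            return Identity(IPV4, ipaddress.ip_address(s))
        except ValueError:
            pass
        if "=" in s:
            return Identity(DN, parse_dn(s))
        if "@" in s:
            return Identity(RFC822, s.lower())
        return Identity(FQDN, s.lower())

    def matches(self, other: "Identity") -> bool:
        """Configured identity 'self' accepts 'other': ANY accepts everything,
        otherwise type and normalised value must both be equal."""
        if self.kind == ANY:
            return True
        return self.kind == other.kind and self.value == other.value


@dataclass
class Certificate:
    subject: Identity                       # a DN identity
    sans: List[Identity] = field(default_factory=list)

    def contains(self, ident: Identity) -> bool:
        """Federico's rule: the full subject DN or a subjectAltName, nothing else.
        A CN inside the subject that happens to equal an FQDN id does not count."""
        if ident.kind == DN:
            return ident.value == self.subject.value
        return any(san.matches(ident) for san in self.sans)


@dataclass
class Conn:
    name: str
    leftid: str
    rightid: str = "%any"   # an unset rightid behaves like %any


def find_peer_configs(conns: List[Conn], idr: Identity, idi: Identity) -> List[str]:
    """'looking for peer configs matching me[IDr]...other[IDi]': the conn's
    leftid must accept the IDr the client asked for, its rightid the IDi."""
    return [c.name for c in conns
            if Identity.from_string(c.leftid).matches(idr)
            and Identity.from_string(c.rightid).matches(idi)]


def gateway_accepts(conns: List[Conn], gw_cert: Certificate, idr_str: str, idi_str: str) -> str:
    idr, idi = Identity.from_string(idr_str), Identity.from_string(idi_str)
    names = find_peer_configs(conns, idr, idi)
    if not names:
        return "no matching peer config found"
    if not gw_cert.contains(idr):
        return f"config '{names[0]}' matched but certificate does not contain id {idr_str}"
    return f"config '{names[0]}' matched, certificate confirms id {idr_str}"


# Conns exactly as posted in the thread; the 'android' conn sets no rightid.
THREAD_CONNS = [
    Conn("rw", leftid="@192.168.121.102", rightid="@192.168.121.101"),
    Conn("android", leftid="C=CH, O=zhen, CN=emac"),
]
THREAD_GW_CERT = Certificate(subject=Identity.from_string("C=CH, O=zhen, CN=emac"))
# From logcat: the client uses the gateway address as IDr and the EAP user name as IDi.
IDR, IDI = "192.168.121.102", "zhen"

# Federico's fix, constructed: leftid is the IP, and the gateway certificate is
# issued with that IP as a subjectAltName (e.g. 'ipsec pki --issue ... --san 192.168.121.102').
FIXED_CONNS = [Conn("android", leftid="192.168.121.102")]
FIXED_GW_CERT = Certificate(subject=Identity.from_string("C=CH, O=zhen, CN=emac"),
                            sans=[Identity.from_string("192.168.121.102")])

if __name__ == "__main__":
    print(gateway_accepts(THREAD_CONNS, THREAD_GW_CERT, IDR, IDI))
    print(gateway_accepts(FIXED_CONNS, THREAD_GW_CERT, IDR, IDI))
    print(gateway_accepts(FIXED_CONNS, FIXED_GW_CERT, IDR, IDI))
```

Run as a script, the first line reproduces the thread's "no matching peer config found" (neither the DN leftid of `android` nor the literal-FQDN leftid of `rw` accepts an IPv4 IDr); the second shows that fixing leftid alone is not enough while the certificate carries only the DN; the third succeeds once the IP is a subjectAltName. The practical check after reissuing is to look at the certificate's SAN with `openssl x509 -noout -text -in <gateway cert>` and make sure the value there is byte-for-byte the identity the client will ask for.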


