[strongSwan] Android/Stongswan Integration
Federico.Mancini at ffi.no
Mon Nov 21 08:23:08 CET 2011
I think I know this one, I had the same problem.
Found the solution in the mailing list itself:
strongSwan requires the peer ID to be contained in the certificate
(either the complete DN, or as a subjectAltName, a matching CN= is
insufficient).
In my case the peer ID turned out to be the IP address itself.
Federico
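To see why charon reports "no matching peer config found" for the lookup line quoted above, the following added example (not from the thread or the strongSwan code base) parses that line and applies a deliberately simplified model of strongSwan identity matching (it ignores ID types and treats %any, @name, quoted DN and literal values as plain string comparisons) to the two conns posted below. The "FIXED" config is an assumption: conn android with leftid set to the gateway IP that the Android client requests as IDr.

```python
import re

# Constructed copy of the CFG line posted in the thread.
LOG_LINE = ("Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching "
            "192.168.121.102[192.168.121.102]...192.168.121.104[zhen]")

MATCH_RE = re.compile(r"peer configs matching (\S+?)\[(.+?)\]\.\.\.(\S+?)\[(.+?)\]")


def parse_lookup(line):
    """Return (local_addr, local_id, remote_addr, remote_id) from a charon peer-config lookup line."""
    m = MATCH_RE.search(line)
    if not m:
        raise ValueError("not a peer-config lookup line")
    return m.groups()


def id_matches(configured, presented):
    """Simplified model (assumption) of how a leftid/rightid accepts a presented IKE identity:
    unset or %any accepts everything, @name is compared as the literal name, a quoted DN must be
    identical, anything else (e.g. an IP address) must compare equal as a string."""
    if configured is None or configured == "%any":
        return True
    if configured.startswith("@"):
        return configured[1:] == presented
    return configured.strip('"') == presented


def matching_conns(conns, local_id, remote_id):
    """Names of conns whose leftid (our side) and rightid (peer) both accept the presented IDs."""
    return [name for name, c in conns.items()
            if id_matches(c.get("leftid"), local_id) and id_matches(c.get("rightid"), remote_id)]


# Identity-relevant keys of the two conns as posted on the gateway.
POSTED = {
    "rw": {"leftid": "@192.168.121.102", "rightid": "@192.168.121.101"},
    "android": {"leftid": '"C=CH, O=zhen, CN=emac"', "rightid": None},
}
# Hypothetical fix: the gateway identity equals the IP the client asks for in IDr.
FIXED = {
    "rw": POSTED["rw"],
    "android": {"leftid": "192.168.121.102", "rightid": None},
}

if __name__ == "__main__":
    _, local_id, _, remote_id = parse_lookup(LOG_LINE)
    print("posted config matches:", matching_conns(POSTED, local_id, remote_id))  # []
    print("fixed config matches: ", matching_conns(FIXED, local_id, remote_id))   # ['android']
```

With the fixed leftid the gateway certificate must still carry that IP (as subjectAltName or DN) for the client to accept it, which this model does not check.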
From: users-bounces+federico.mancini=ffi.no at lists.strongswan.org [mailto:users-bounces+federico.mancini=ffi.no at lists.strongswan.org] On behalf of zhen chen
Sent: 21 November 2011 04:22
To: Andreas Steffen
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Android/Stongswan Integration
Hi Andreas,
I loaded the strongswan.conf to the android emulator,the Android is able to load the CA cert successfully.
Thanks!
Now I started from the Android emulator and tried to add the IKEv2 IPsec tunnel. I entered the name and the address of the GW, then tried to connect. I entered the username/password. The login failed. I checked the ipsec.conf and followed Tobias's instructions on the wiki. Couldn't find out what I did wrong. I used zhen as the user name on the Android side.
Thanks in advance!
-Zhen
The following is the main error on the GW side:
Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen]
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found
The GW cert DN is: C=CH, O=zhen, CN=emac which I used as the left side id for the gw's ipsec.conf file.
The CA cert DN is: C=CH, O=strongSwan, CN=strongSwan CA
/etc/ipsec.secrets:
: RSA peerKey.der
zhen : EAP "password"
ipsec.conf file on the GW side (note: android is the conn to the android phone):
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw
    right=%any
    rightid=@192.168.121.101
    rightsourceip=%dhcp
    leftfirewall=yes
    left=192.168.121.102
    leftsubnet=192.168.2.0/24
    leftid=@192.168.121.102
    auto=add

conn android
    leftsubnet=0.0.0.0/0
    leftcert=peerCert1.der
    leftauth=pubkey
    leftid="C=CH, O=zhen, CN=emac"
    right=%any
    rightsourceip=%dhcp
    rightauth=eap-mschapv2
    rightsendcert=never
    keyexchange=ikev2
    eap_identity=%any
    auto=add
Gateway log:
Nov 20 19:51:30 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw socket-default updown eap-identity eap-md5 farp gtp
Nov 20 19:51:30 localhost charon: 00[JOB] spawning 16 worker threads
Nov 20 19:51:30 localhost charon: 06[CFG] received stroke: add connection 'rw'
Nov 20 19:51:30 localhost charon: 06[CFG] added configuration 'rw'
Nov 20 19:51:30 localhost charon: 08[CFG] received stroke: add connection 'android'
Nov 20 19:51:30 localhost charon: 08[CFG] left nor right host is our side, assuming left=local
Nov 20 19:51:30 localhost charon: 08[CFG] loaded certificate "C=CH, O=zhen, CN=emac" from 'peerCert1.der'
Nov 20 19:51:30 localhost charon: 08[CFG] added configuration 'android'
Nov 20 19:57:25 localhost charon: 10[NET] received packet: from 192.168.121.104[60653] to 192.168.121.102[500]
Nov 20 19:57:25 localhost charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 20 19:57:25 localhost charon: 10[IKE] 192.168.121.104 is initiating an IKE_SA
Nov 20 19:57:25 localhost charon: 10[IKE] remote host is behind NAT
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:25 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 20 19:57:25 localhost charon: 10[NET] sending packet: from 192.168.121.102[500] to 192.168.121.104[60653]
Nov 20 19:57:26 localhost charon: 11[NET] received packet: from 192.168.121.104[34320] to 192.168.121.102[4500]
Nov 20 19:57:26 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen]
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found
Nov 20 19:57:26 localhost charon: 11[IKE] peer supports MOBIKE
Nov 20 19:57:26 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 20 19:57:26 localhost charon: 11[NET] sending packet: from 192.168.121.102[4500] to 192.168.121.104[34320]
Android adb logcat:
I/SProxy_charon( 351): Start VPN daemon: charon
D/SProxy_charon( 351): charon is running after 0 msec
D/SProxy_charon( 351): service not yet listen()ing; try again
I/charon ( 800): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5
I/charon ( 800): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running
I/charon ( 800): 00[JOB] spawning 16 worker threads
I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/charon ( 800): 06[CFG] using CA certificate, gateway identitiy '192.168.121.102'
I/charon ( 800): 06[CFG] status of Android plugin changed: 4
I/SProxy_charon( 351): got data from control socket: 4
I/charon ( 800): 06[IKE] initiating IKE_SA android[1] to 192.168.121.102
I/charon ( 800): 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
I/charon ( 800): 06[NET] sending packet: from 10.0.2.15[500] to 192.168.121.102[500]
I/charon ( 800): 07[NET] received packet: from 192.168.121.102[500] to 10.0.2.15[500]
I/charon ( 800): 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
I/charon ( 800): 07[IKE] local host is behind NAT, sending keep alives
I/charon ( 800): 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon ( 800): 07[IKE] received 1 cert requests for an unknown ca
I/charon ( 800): 07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon ( 800): 07[IKE] establishing CHILD_SA android
I/charon ( 800): 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
I/charon ( 800): 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.121.102[4500]
I/charon ( 800): 08[NET] received packet: from 192.168.121.102[4500] to 10.0.2.15[4500]
I/charon ( 800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I/charon ( 800): 08[IKE] received AUTHENTICATION_FAILED notify error
________________________________
From: Andreas Steffen <andreas.steffen at strongswan.org>
To: zhen chen <zchen2711 at yahoo.com>
Cc: Tobias Brunner <tobias at strongswan.org>; "users at lists.strongswan.org" <users at lists.strongswan.org>
Sent: Sunday, November 20, 2011 7:36 AM
Subject: Re: [strongSwan] Android/Stongswan Integration
Hello Zhen,
the actual error is
I/charon ( 362): 07[LIB] found unsupported critical X.509 extension
I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed
if you have a strongswan.conf file on your Android platform
please add the entry
libstrongswan {
    x509 {
        enforce_critical = no
    }
}
You could also try to add the x509 plugin and add it in front of
the openssl plugin in the libcharon load list. The x509 plugin
might be able to handle the unknown critical extension contained
in your certificate.
Regards
Andreas
On 11/20/2011 12:41 AM, zhen chen wrote:
> Hi Tobias,
>
> I followed the procedure to create the CA certificate and imported it to
> the Android emulator successfully.
> Now, after configuring the GW side ipsec.conf, I created an IKEv2 VPN in
> the emulator. Then I tried to connect to it:
>
> the logcat is giving me the following errors:
>
> D/SProxy_charon( 351): stopping charon, success? true
> D/VpnService( 351): Local IP: 10.0.2.15, if: eth0
> D/VpnService( 351): VPN UP: down
> I/SProxy_charon( 351): Start VPN daemon: charon
> D/SProxy_charon( 351): charon is running after 0 msec
> D/SProxy_charon( 351): service not yet listen()ing; try again
> I/charon ( 362): 00[DMN] loaded plugins: openssl fips-prf random
> pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android
> eap-identity eap-mschapv2 eap-md5
> I/charon ( 362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid',
> process not running
> I/charon ( 362): 00[JOB] spawning 16 worker threads
> I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
> I/charon ( 362): 07[LIB] found unsupported critical X.509 extension
> I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed
> I/charon ( 362): 07[LIB] building CRED_CERTIFICATE - X509 failed,
> tried 2 builders
> I/charon ( 362): 07[CFG] failed to load CA certificate
> I/charon ( 362): 07[CFG] using CA certificate, gateway identitiy
> '192.168.121.102'
> I/charon ( 362): 07[CFG] status of Android plugin changed: 4
>
> Now it seems like Android is not able to load the certificate I created
> using ipsec pki.
> Is that because the way I created the CA cert? or something is missing
> in the Android charon?
>
> thanks!
> -zhen
>
>
> ------------------------------------------------------------------------
> *From:* Tobias Brunner <tobias at strongswan.org>
> *To:* zhen chen <zchen2711 at yahoo.com>
> *Cc:* "users at lists.strongswan.org" <users at lists.strongswan.org>
> *Sent:* Tuesday, November 15, 2011 9:52 AM
> *Subject:* Re: [strongSwan] Android/Stongswan Integration
>
> Hello Zhen,
>
>> I have been trying to bring Strongswan 4.5.3 to Android
>
> If possible, you should update to 4.6.1 as there are several Android
> related improvements included in that release.
>
>> 1. When I ran charon in adb shell, it started, but said: "android plugin
>> failed to load, can't open android control socket".
>
> That's because the control socket is only available, if charon gets
> started by the patched Android VPN GUI. With 4.6.1 it's possible to use
> the plugin even if charon is not started by the GUI.
>
>> I did some search, the android plugin is something related to DNS.
>
> That's correct, it installs DNS servers received from the gateway where
> Android expects them to be (there is no resolv.conf on Android).
>
>> Question: do I have to enable this plugin for VPN to work on the
>> emulator?
>
> Only if you need DNS servers installed, or logging via logcat. These
> are currently the only two functions provided by the plugin, which are
> usable without GUI patch.
>
>> If so, I did some ./configure --enable-android, it failed
>> because it couldn't find a required lib.
>
> Running ./configure won't work. To enable/disable plugins you have to
> edit the plugin list in the top Android.mk <http://Android.mk> within
> the strongSwan source
> tree. But the plugin is enabled anyway, by default, it just can't be
> loaded without the control socket provided by the frontend in 4.5.3.
>
>> 2. In the frontend integration site, it says it needs CA assigned certs,
>> quoted below.
>> Question: Does the certificate have to be issued by CA? Would
>> self-assigned certificate work? I am just playing with it and wouldn't
>> want to spend $1500 to buy one from verisign. :(
>
> Don't worry :) You can absolutely build your own CA (e.g. with the
> ipsec pki tool [1]). Just make sure you install the CA certificate in
> the Android certificate store as described on the page you quoted. Then
> use this CA to issue a certificate for the gateway you want to test against.
>
> With 4.6.1 you now have also the option to build starter and stroke
> which allows you to use an ipsec.conf based configuration, instead of
> using the frontend patch.
>
> Regards,
> Tobias
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==