[strongSwan] cannot establish MSCHAPv2 tunnel using ipsec.conf/ipsec.secrets in strongswan 4.6.1 release on Android Gingerbread
Nitin Verma
nitin.jndm at gmail.com
Mon Nov 21 10:56:15 CET 2011
Hi,
I have been able to successfully establish an IPsec IKEv2 tunnel between a Nexus
S (running 2.3.5_r1) and an Ubuntu server. However, the latest 4.6.1 release
supports the starter and stroke executables on Android, and I am trying to
establish the same connection using ipsec.conf and ipsec.secrets.
My server side configuration is:
======================
server IP: 192.168.1.154
ipsec.conf:
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        # leftcert=moonCert.pem
# Add connections here.
conn android
        left=192.168.1.154
        leftid=192.168.1.154
        leftcert=moonCert.pem
        leftauth=pubkey
        right=%any
        rightsourceip=10.0.5.0/24
        rightauth=eap-mschapv2
        rightsendcert=never
        eap_identity=deepika
        auto=add
ipsec.secrets:
: RSA moonKey.pem
deepika : EAP "deepika"
Configuration at Nexus S (Android 2.3.5_r1):
================================
I manually created the "ipsec.d" directory in /system/etc/, put my CA
certificate in cacerts there, and then created ipsec.conf and ipsec.secrets
in /system/etc/.
/system/etc/ipsec.conf
config setup
        plutostart=no
        charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
# Add connections here.
# Sample VPN connections
conn android
        left=192.168.1.2
        leftauth=eap
        eap_identity=deepika
        right=192.168.1.154
        rightid=192.168.1.154
        rightauth=pubkey
        auto=add
/system/etc/ipsec.secrets
deepika : EAP "deepika"
But when I start the connection I am getting the following error:
# ipsec stroke up android
uname: not found
uname: not found
[: not found
initiating IKE_SA android[2] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.2[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA
TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
received end entity cert "C=UK, CN=nits"
using certificate "C=UK, CN=nits"
using trusted ca certificate "C=UK, CN=nits"
reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_MSCHAPV2 authentication (id 0x75)
no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
EAP_MSCHAPV2 method failed
Output of logcat:
I/charon ( 469): 00[CFG] loading ca certificates from
'/system/etc/ipsec.d/cacerts'
I/charon ( 469): 00[CFG] loaded ca certificate "C=UK, CN=nits" from
'/system/etc/ipsec.d/cacerts/strongswanCert.pem'
I/charon ( 469): 00[CFG] loading aa certificates from
'/system/etc/ipsec.d/aacerts'
I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/aacerts'
failed: No such file or directory
I/charon ( 469): 00[CFG] reading directory failed
I/charon ( 469): 00[CFG] loading ocsp signer certificates from
'/system/etc/ipsec.d/ocspcerts'
I/charon ( 469): 00[LIB] opening directory
'/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
I/charon ( 469): 00[CFG] reading directory failed
I/charon ( 469): 00[CFG] loading attribute certificates from
'/system/etc/ipsec.d/acerts'
I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/acerts'
failed: No such file or directory
I/charon ( 469): 00[CFG] reading directory failed
I/charon ( 469): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/crls'
failed: No such file or directory
I/charon ( 469): 00[CFG] reading directory failed
I/charon ( 469): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'
I/charon ( 469): 00[CFG] loaded EAP secret for deepika
I/charon ( 469): 00[DMN] loaded plugins: openssl fips-prf random pubkey
pkcs1 pem xcbc hmac kernel-netlink socket-default android stroke
eap-identity eap-mschapv2 eap-md5
I/charon ( 469): 00[JOB] spawning 16 worker threads
I/charon ( 469): 11[CFG] received stroke: add connection 'android'
I/charon ( 469): 11[CFG] added configuration 'android'
I/charon ( 469): 12[CFG] received stroke: initiate 'android'
I/charon ( 469): 14[IKE] initiating IKE_SA android[1] to 192.168.1.154
I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to
192.168.1.154[500]
D/GpsLocationProvider( 107): NTP server returned: 1321866231250 (Mon Nov
21 09:03:51 GMT+00:00 2011) reference: 318100 certainty: 337 system time
offset: -20070741
I/charon ( 469): 15[IKE] retransmit 1 of request with message ID 0
I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[500] to
192.168.1.154[500]
I/charon ( 469): 03[IKE] retransmit 2 of request with message ID 0
I/charon ( 469): 03[NET] sending packet: from 192.168.1.2[500] to
192.168.1.154[500]
I/charon ( 469): 16[IKE] retransmit 3 of request with message ID 0
I/charon ( 469): 16[NET] sending packet: from 192.168.1.2[500] to
192.168.1.154[500]
I/charon ( 469): 02[NET] received packet: from 192.168.1.154[500] to
192.168.1.2[500]
I/charon ( 469): 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
I/charon ( 469): 02[IKE] sending cert request for "C=UK, CN=nits"
I/charon ( 469): 02[IKE] establishing CHILD_SA android
I/charon ( 469): 02[ENC] generating IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
I/charon ( 469): 02[NET] sending packet: from 192.168.1.2[4500] to
192.168.1.154[4500]
I/charon ( 469): 01[NET] received packet: from 192.168.1.154[4500] to
192.168.1.2[4500]
I/charon ( 469): 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
EAP/REQ/MSCHAPV2 ]
I/charon ( 469): 01[IKE] received end entity cert "C=UK, CN=nits"
I/charon ( 469): 01[CFG] using certificate "C=UK, CN=nits"
I/charon ( 469): 01[CFG] using trusted ca certificate "C=UK, CN=nits"
I/charon ( 469): 01[CFG] reached self-signed root ca with a path length
of 0
I/charon ( 469): 01[IKE] authentication of '192.168.1.154' with RSA
signature successful
I/charon ( 469): 01[IKE] server requested EAP_MSCHAPV2 authentication (id
0xFD)
I/charon ( 469): 01[IKE] no EAP key found for hosts '192.168.1.154' -
'192.168.1.2'
I/charon ( 469): 01[IKE] EAP_MSCHAPV2 method failed
I/dalvikvm( 164): Total arena pages for JIT: 11
I/charon ( 469): 11[CFG] received stroke: initiate 'android'
I/charon ( 469): 14[IKE] initiating IKE_SA android[2] to 192.168.1.154
I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to
192.168.1.154[500]
I/charon ( 469): 15[NET] received packet: from 192.168.1.154[500] to
192.168.1.2[500]
I/charon ( 469): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
I/charon ( 469): 15[IKE] sending cert request for "C=UK, CN=nits"
I/charon ( 469): 15[IKE] establishing CHILD_SA android
I/charon ( 469): 15[ENC] generating IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[4500] to
192.168.1.154[4500]
I/charon ( 469): 03[NET] received packet: from 192.168.1.154[4500] to
192.168.1.2[4500]
I/charon ( 469): 03[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
EAP/REQ/MSCHAPV2 ]
I/charon ( 469): 03[IKE] received end entity cert "C=UK, CN=nits"
I/charon ( 469): 03[CFG] using certificate "C=UK, CN=nits"
I/charon ( 469): 03[CFG] using trusted ca certificate "C=UK, CN=nits"
I/charon ( 469): 03[CFG] reached self-signed root ca with a path length
of 0
I/charon ( 469): 03[IKE] authentication of '192.168.1.154' with RSA
signature successful
I/charon ( 469): 03[IKE] server requested EAP_MSCHAPV2 authentication (id
0x75)
I/charon ( 469): 03[IKE] no EAP key found for hosts '192.168.1.154' -
'192.168.1.2'
I/charon ( 469): 03[IKE] EAP_MSCHAPV2 method failed
Am I missing something, or are there some issues with the release?
Thanks in advance.
Regards,
Nitin
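One way to pin down the "no EAP key found for hosts '192.168.1.154' - '192.168.1.2'" line above, added here as an example and not part of the original post: charon selects the client's EAP secret by the IKE identities of the two hosts, and with no leftid the client's own identity defaults to its address, which no line in the posted ipsec.secrets matches. The script assumes that lookup rule (and that the server did not run an EAP-Identity exchange first, so eap_identity is not consulted) and works on constructed copies of the two client-side files.

```python
import re

# Constructed copies of the client-side files quoted in the post (assumption:
# the files on the phone contain exactly these lines).
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
conn android
    left=192.168.1.2
    leftauth=eap
    eap_identity=deepika
    right=192.168.1.154
    rightauth=pubkey
"""
IPSEC_SECRETS = 'deepika : EAP "deepika"\n'

def parse_conf(text):
    """Return {conn_name: {key: value}}, with conn %default merged into each conn."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header: "conn NAME"
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:                 # indented "key=value"
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params} for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}

def eap_selectors(text):
    """One list of selector ids per EAP line in ipsec.secrets ([] means any id)."""
    return [m.group(1).split() for m in
            (re.match(r'^\s*(.*?)\s*:\s*EAP\s+"', ln) for ln in text.splitlines()) if m]

def check_eap_secrets(conf_text, secrets_text):
    """For each conn authenticating itself with EAP, pair the identity charon
    searches with (leftid, else left; assumption: no EAP-Identity exchange
    ran, so eap_identity is not used) with whether any EAP secret matches it."""
    selectors = eap_selectors(secrets_text)
    report = {}
    for name, p in parse_conf(conf_text).items():
        if p.get("leftauth", "").startswith("eap"):
            own_id = p.get("leftid") or p.get("left", "")
            report[name] = (own_id, any(not s or own_id in s for s in selectors))
    return report
```

For the posted files the check reports ("192.168.1.2", False); adding leftid=deepika to the client's conn makes the same check succeed, which is the mismatch the log line points at.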