[strongSwan] can not establish MSCHAPv2 tunnel using ipsec.conf/ipsec.secrets in strongswan 4.6.1 release on Android Gingerbread
Nitin Verma
nitin.jndm at gmail.com
Mon Nov 21 12:38:36 CET 2011
Hi Andreas,
Thanks for the quick reply. It solved the problem.
Now at the Android:
# ipsec stroke status
uname: not found
uname: not found
[: not found
Security Associations (1 up, 0 connecting):
android[2]: ESTABLISHED 6 minutes ago,
192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
android{1}: INSTALLED, TUNNEL, ESP SPIs: c5974d0b_i c8a59239_o
android{1}: 192.168.1.2/32 === 192.168.1.154/32
#
# ipsec stroke up android
uname: not found
uname: not found
[: not found
initiating IKE_SA android[2] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.2[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA
TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
received end entity cert "C=UK, CN=nits"
using certificate "C=UK, CN=nits"
using trusted ca certificate "C=UK, CN=nits"
reached self-signed root ca with a path length of 0
authentication of '192.168.1.154' with RSA signature successful
server requested EAP_IDENTITY (id 0x00), sending 'deepika'
generating IKE_AUTH request 2 [ EAP/RES/ID ]
sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
server requested EAP_MSCHAPV2 authentication (id 0x79)
generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
parsed IKE_AUTH response 4 [ EAP/SUCC ]
EAP method EAP_MSCHAPV2 succeeded, MSK established
authentication of '192.168.1.2' (myself) with EAP
generating IKE_AUTH request 5 [ AUTH ]
sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
parsed IKE_AUTH response 5 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(NO_ADD_ADDR) ]
authentication of '192.168.1.154' with EAP successful
IKE_SA android[2] established between
192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
scheduling reauthentication in 3362s
maximum IKE_SA lifetime 3542s
I noticed that it doesn't request a virtual IP as it did when I used
the front-end related changes. Is it possible to request the virtual
IP as well?
Thanks again.
Regards,
Nitin
On Mon, Nov 21, 2011 at 4:19 PM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> Hello Nitin,
>
> your ubuntu server does not initiate EAP-Identity. Therefore
> the EAP-MSCHAPv2 authentication requested is for IKEv2 user
> identity 192.168.1.2 and not for EAP identity deepika.
>
> You should change the ubuntu server entry to
>
> eap_identity=%any
>
> and make sure that you enabled, built and loaded the eap_identity
> plugin.
>
> Regards
>
> Andreas
>
> On 21.11.2011 10:56, Nitin Verma wrote:
> > Hi,
> > I have been able to successfully establish IPSec IKEv2 tunnel between
> > Nexus S (running 2.3.5_r1) and a ubuntu server. However, the latest
> > 4.6.1 release supports starter and stroke executables at Android and I
> > am trying to establish the same connection using ipsec.conf and
> > ipsec.secrets.
> >
> > My server side configuration is:
> > ======================
> >
> > server IP: /192.168.1.154/
> >
> > ipsec.conf:
> >
> > config setup
> > crlcheckinterval=180
> > strictcrlpolicy=no
> > plutostart=no
> > charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
> >
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev2
> > # leftcert=moonCert.pem
> >
> > # Add connections here.
> >
> > conn android
> > left=192.168.1.154
> > leftid=192.168.1.154
> > leftcert=moonCert.pem
> > leftauth=pubkey
> > right=%any
> > rightsourceip=10.0.5.0/24
> > rightauth=eap-mschapv2
> > rightsendcert=never
> > eap_identity=deepika
> > auto=add
> >
> > ipsec.secrets:
> >
> > : RSA moonKey.pem
> >
> > deepika : EAP "deepika"
> >
> > Configuration at Nexus S (Android 2.3.5_r1):
> > ================================
> >
> > I manually created "ipsec.d" directory in /system/etc/ and put my ca
> > certificate in cacerts there, and then created ipsec.conf and
> > ipsec.secrets in /system/etc/
> >
> > /system/etc/ipsec.conf
> >
> > config setup
> > plutostart=no
> > charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
> >
> > conn %default
> > ikelifetime=60m
> > keylife=20m
> > rekeymargin=3m
> > keyingtries=1
> > keyexchange=ikev2
> >
> > # Add connections here.
> >
> > # Sample VPN connections
> >
> > conn android
> > left=192.168.1.2
> > leftauth=eap
> > eap_identity=deepika
> > right=192.168.1.154
> > rightid=192.168.1.154
> > rightauth=pubkey
> > auto=add
> >
> > /system/etc/ipsec.secrets
> >
> > deepika : EAP "deepika"
> >
> >
> >
> > But when I start the connection I am getting the following error:
> >
> > # ipsec stroke up android
> > uname: not found
> > uname: not found
> > [: not found
> > initiating IKE_SA android[2] to 192.168.1.154
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> > received packet: from 192.168.1.154[500] to 192.168.1.2[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > N(MULT_AUTH) ]
> > sending cert request for "C=UK, CN=nits"
> > establishing CHILD_SA android
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS)
> > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> > received end entity cert "C=UK, CN=nits"
> > using certificate "C=UK, CN=nits"
> > using trusted ca certificate "C=UK, CN=nits"
> > reached self-signed root ca with a path length of 0
> > authentication of '192.168.1.154' with RSA signature successful
> > server requested EAP_MSCHAPV2 authentication (id 0x75)
> > no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
> > EAP_MSCHAPV2 method failed
> >
> >
> > Output of logcat:
> >
> > I/charon ( 469): 00[CFG] loading ca certificates from
> > '/system/etc/ipsec.d/cacerts'
> > I/charon ( 469): 00[CFG] loaded ca certificate "C=UK, CN=nits" from
> > '/system/etc/ipsec.d/cacerts/strongswanCert.pem'
> > I/charon ( 469): 00[CFG] loading aa certificates from
> > '/system/etc/ipsec.d/aacerts'
> > I/charon ( 469): 00[LIB] opening directory
> > '/system/etc/ipsec.d/aacerts' failed: No such file or directory
> > I/charon ( 469): 00[CFG] reading directory failed
> > I/charon ( 469): 00[CFG] loading ocsp signer certificates from
> > '/system/etc/ipsec.d/ocspcerts'
> > I/charon ( 469): 00[LIB] opening directory
> > '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
> > I/charon ( 469): 00[CFG] reading directory failed
> > I/charon ( 469): 00[CFG] loading attribute certificates from
> > '/system/etc/ipsec.d/acerts'
> > I/charon ( 469): 00[LIB] opening directory
> > '/system/etc/ipsec.d/acerts' failed: No such file or directory
> > I/charon ( 469): 00[CFG] reading directory failed
> > I/charon ( 469): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
> > I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/crls'
> > failed: No such file or directory
> > I/charon ( 469): 00[CFG] reading directory failed
> > I/charon ( 469): 00[CFG] loading secrets from
> > '/system/etc/ipsec.secrets'
> > I/charon ( 469): 00[CFG] loaded EAP secret for deepika
> > I/charon ( 469): 00[DMN] loaded plugins: openssl fips-prf random
> > pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android stroke
> > eap-identity eap-mschapv2 eap-md5
> > I/charon ( 469): 00[JOB] spawning 16 worker threads
> > I/charon ( 469): 11[CFG] received stroke: add connection 'android'
> > I/charon ( 469): 11[CFG] added configuration 'android'
> >
> > I/charon ( 469): 12[CFG] received stroke: initiate 'android'
> > I/charon ( 469): 14[IKE] initiating IKE_SA android[1] to 192.168.1.154
> > I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> > N(NATD_S_IP) N(NATD_D_IP) ]
> > I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to
> > 192.168.1.154[500]
> > D/GpsLocationProvider( 107): NTP server returned: 1321866231250 (Mon
> > Nov 21 09:03:51 GMT+00:00 2011) reference: 318100 certainty: 337 system
> > time offset: -20070741
> > I/charon ( 469): 15[IKE] retransmit 1 of request with message ID 0
> > I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[500] to
> > 192.168.1.154[500]
> > I/charon ( 469): 03[IKE] retransmit 2 of request with message ID 0
> > I/charon ( 469): 03[NET] sending packet: from 192.168.1.2[500] to
> > 192.168.1.154[500]
> > I/charon ( 469): 16[IKE] retransmit 3 of request with message ID 0
> > I/charon ( 469): 16[NET] sending packet: from 192.168.1.2[500] to
> > 192.168.1.154[500]
> > I/charon ( 469): 02[NET] received packet: from 192.168.1.154[500] to
> > 192.168.1.2[500]
> > I/charon ( 469): 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
> > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > I/charon ( 469): 02[IKE] sending cert request for "C=UK, CN=nits"
> > I/charon ( 469): 02[IKE] establishing CHILD_SA android
> > I/charon ( 469): 02[ENC] generating IKE_AUTH request 1 [ IDi
> > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
> > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > I/charon ( 469): 02[NET] sending packet: from 192.168.1.2[4500] to
> > 192.168.1.154[4500]
> > I/charon ( 469): 01[NET] received packet: from 192.168.1.154[4500] to
> > 192.168.1.2[4500]
> > I/charon ( 469): 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
> > EAP/REQ/MSCHAPV2 ]
> > I/charon ( 469): 01[IKE] received end entity cert "C=UK, CN=nits"
> > I/charon ( 469): 01[CFG] using certificate "C=UK, CN=nits"
> > I/charon ( 469): 01[CFG] using trusted ca certificate "C=UK, CN=nits"
> > I/charon ( 469): 01[CFG] reached self-signed root ca with a path
> > length of 0
> > I/charon ( 469): 01[IKE] authentication of '192.168.1.154' with RSA
> > signature successful
> > I/charon ( 469): 01[IKE] server requested EAP_MSCHAPV2 authentication
> > (id 0xFD)
> > I/charon ( 469): 01[IKE] no EAP key found for hosts '192.168.1.154' -
> > '192.168.1.2'
> > I/charon ( 469): 01[IKE] EAP_MSCHAPV2 method failed
> > I/dalvikvm( 164): Total arena pages for JIT: 11
> > I/charon ( 469): 11[CFG] received stroke: initiate 'android'
> > I/charon ( 469): 14[IKE] initiating IKE_SA android[2] to 192.168.1.154
> > I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No
> > N(NATD_S_IP) N(NATD_D_IP) ]
> > I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to
> > 192.168.1.154[500]
> > I/charon ( 469): 15[NET] received packet: from 192.168.1.154[500] to
> > 192.168.1.2[500]
> > I/charon ( 469): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
> > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> > I/charon ( 469): 15[IKE] sending cert request for "C=UK, CN=nits"
> > I/charon ( 469): 15[IKE] establishing CHILD_SA android
> > I/charon ( 469): 15[ENC] generating IKE_AUTH request 1 [ IDi
> > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
> > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[4500] to
> > 192.168.1.154[4500]
> > I/charon ( 469): 03[NET] received packet: from 192.168.1.154[4500] to
> > 192.168.1.2[4500]
> > I/charon ( 469): 03[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
> > EAP/REQ/MSCHAPV2 ]
> > I/charon ( 469): 03[IKE] received end entity cert "C=UK, CN=nits"
> > I/charon ( 469): 03[CFG] using certificate "C=UK, CN=nits"
> > I/charon ( 469): 03[CFG] using trusted ca certificate "C=UK, CN=nits"
> > I/charon ( 469): 03[CFG] reached self-signed root ca with a path
> > length of 0
> > I/charon ( 469): 03[IKE] authentication of '192.168.1.154' with RSA
> > signature successful
> > I/charon ( 469): 03[IKE] server requested EAP_MSCHAPV2 authentication
> > (id 0x75)
> > I/charon ( 469): 03[IKE] no EAP key found for hosts '192.168.1.154' -
> > '192.168.1.2'
> > I/charon ( 469): 03[IKE] EAP_MSCHAPV2 method failed
> >
> > Am I missing something, or are there some issues with the release?
> >
> > Thanks in advance.
> > Regards,
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
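The following is an added example, not configuration posted in this thread, showing both ends of the setup after Andreas's fix and with the client additionally requesting a virtual IP (the question Nitin raises above, which the thread itself does not answer). It keeps the thread's addresses, identities, file paths and certificate names; the EAP password is a placeholder and must be replaced. The only changes against the configs quoted in the thread are the server's eap_identity value and the client's leftsourceip line.

```conf
# --- Server (Ubuntu, 192.168.1.154): /etc/ipsec.conf ---
conn android
    left=192.168.1.154
    leftid=192.168.1.154
    leftcert=moonCert.pem
    leftauth=pubkey
    right=%any
    rightsourceip=10.0.5.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    # Before: eap_identity=deepika
    #   The server never sends an EAP-Identity request, so the MSCHAPv2
    #   exchange is bound to the client's IKEv2 identity (192.168.1.2),
    #   for which the client has no EAP secret -> "no EAP key found for
    #   hosts '192.168.1.154' - '192.168.1.2'".
    # After: ask the client for its EAP identity first. This needs the
    #   eap-identity plugin built and loaded on the server.
    eap_identity=%any
    auto=add

# --- Server: /etc/ipsec.secrets ---
: RSA moonKey.pem
# The lookup key is the EAP identity the client sends in EAP-Identity.
# Placeholder password: MS-CHAPv2 is only as strong as this secret, so
# do not reuse the user name as the thread's test config does.
deepika : EAP "replace-with-a-strong-password"

# --- Client (Nexus S, 192.168.1.2): /system/etc/ipsec.conf ---
conn android
    left=192.168.1.2
    leftauth=eap
    eap_identity=deepika
    # Request a virtual IP from the server's rightsourceip pool via the
    # CP payload (INTERNAL_IP4_ADDRESS). Without this line the client
    # only sends CP(DNS), as in the log above, and the CHILD_SA stays
    # 192.168.1.2/32 === 192.168.1.154/32.
    leftsourceip=%config
    right=192.168.1.154
    rightid=192.168.1.154
    rightauth=pubkey
    auto=add

# --- Client: /system/etc/ipsec.secrets ---
deepika : EAP "replace-with-a-strong-password"
```

Two checks worth doing on the server: `ipsec statusall` lists the loaded plugins, and `eap-identity` must appear there or the `%any` setting has no effect; and after the change the client log should show "server requested EAP_IDENTITY" before the EAP_MSCHAPV2 request, exactly as in Nitin's successful run. The ipsec.conf man page documents the same request-the-identity behaviour under the value `%identity`; `%any` as used in the thread resolves to the same ID_ANY setting in the stroke plugin. Note that with `leftsourceip=%config` the client's traffic selector becomes the assigned virtual address rather than 192.168.1.2, so any policy or firewall rules on the server that match on the client's physical address need updating.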