[strongSwan] can not establish MSCHAPv2 tunnel using ipsec.conf/ipsec.secrets in strongswan 4.6.1 release on Android Gingerbread

Andreas Steffen andreas.steffen at strongswan.org
Mon Nov 21 13:21:59 CET 2011


Hi Nitin,

on the Android side add

  leftsourceip=%config

to the connection definition in ipsec.conf.

Regards

Andreas

On 21.11.2011 12:38, Nitin Verma wrote:
> Hi Andreas,
> Thanks for the quick reply. It solved the problem.
> Now at the Android:
> 
> # ipsec stroke status
> uname: not found
> uname: not found
> [: not found
> Security Associations (1 up, 0 connecting):
>      android[2]: ESTABLISHED 6 minutes ago,
> 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
>      android{1}:  INSTALLED, TUNNEL, ESP SPIs: c5974d0b_i c8a59239_o
>      android{1}:   192.168.1.2/32 === 192.168.1.154/32
> #
> 
> # ipsec stroke up android
> uname: not found
> uname: not found
> [: not found
> initiating IKE_SA android[2] to 192.168.1.154
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> received packet: from 192.168.1.154[500] to 192.168.1.2[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> sending cert request for "C=UK, CN=nits"
> establishing CHILD_SA android
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS)
> SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> received end entity cert "C=UK, CN=nits"
>   using certificate "C=UK, CN=nits"
>   using trusted ca certificate "C=UK, CN=nits"
>   reached self-signed root ca with a path length of 0
> authentication of '192.168.1.154' with RSA signature successful
> server requested EAP_IDENTITY (id 0x00), sending 'deepika'
> generating IKE_AUTH request 2 [ EAP/RES/ID ]
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> server requested EAP_MSCHAPV2 authentication (id 0x79)
> generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
> generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> parsed IKE_AUTH response 4 [ EAP/SUCC ]
> EAP method EAP_MSCHAPV2 succeeded, MSK established
> authentication of '192.168.1.2' (myself) with EAP
> generating IKE_AUTH request 5 [ AUTH ]
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> parsed IKE_AUTH response 5 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
> N(NO_ADD_ADDR) ]
> authentication of '192.168.1.154' with EAP successful
> IKE_SA android[2] established between
> 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
> scheduling reauthentication in 3362s
> maximum IKE_SA lifetime 3542s
> 
> I noticed that it doesn't request a virtual IP as it did when I used
> the front-end related changes. Is it possible to request the
> virtual IP also?
> 
> Thanks again.
> Regards,
> Nitin
> 
> 
> On Mon, Nov 21, 2011 at 4:19 PM, Andreas Steffen
> <andreas.steffen at strongswan.org>
> wrote:
> 
>     Hello Nitin,
> 
>     your ubuntu server does not initiate EAP-Identity. Therefore
>     the EAP-MSCHAPv2 authentication requested is for IKEv2 user
>     identity 192.168.1.2 and not for EAP identity deepika.
> 
>     You should change the ubuntu server entry to
> 
>     eap_identity=%any
> 
>     and make sure that you enabled, built and loaded the eap_identity
>     plugin.
> 
>     Regards
> 
>     Andreas
> 
>     On 21.11.2011 10:56, Nitin Verma wrote:
>     > Hi,
>     > I have been able to successfully establish IPSec IKEv2 tunnel between
>     > Nexus S (running 2.3.5_r1) and a ubuntu server. However, the latest
>     > 4.6.1 release supports starter and stroke executables at Android and I
>     > am trying to establish the same connection using ipsec.conf and
>     > ipsec.secrets.
>     >
>     > My server side configuration is:
>     > ======================
>     >
>     > server IP: 192.168.1.154
>     >
>     > ipsec.conf:
>     >
>     > config setup
>     >         crlcheckinterval=180
>     >         strictcrlpolicy=no
>     >         plutostart=no
>     >         charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
>     >
>     > conn %default
>     >         ikelifetime=60m
>     >         keylife=20m
>     >         rekeymargin=3m
>     >         keyingtries=1
>     >         keyexchange=ikev2
>     >         # leftcert=moonCert.pem
>     >
>     > # Add connections here.
>     >
>     > conn android
>     >     left=192.168.1.154
>     >     leftid=192.168.1.154
>     >     leftcert=moonCert.pem
>     >     leftauth=pubkey
>     >     right=%any
>     >     rightsourceip=10.0.5.0/24
>     >     rightauth=eap-mschapv2
>     >     rightsendcert=never
>     >     eap_identity=deepika
>     >     auto=add
>     >
>     > ipsec.secrets:
>     >
>     > : RSA moonKey.pem
>     >
>     > deepika : EAP "deepika"
>     >
>     > Configuration at Nexus S (Android 2.3.5_r1):
>     > ================================
>     >
>     > I manually created "ipsec.d" directory in /system/etc/ and put my ca
>     > certificate in cacerts there, and then created ipsec.conf and
>     > ipsec.secrets in /system/etc/
>     >
>     > /system/etc/ipsec.conf
>     >
>     > config setup
>     >     plutostart=no
>     >     charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
>     >
>     > conn %default
>     >     ikelifetime=60m
>     >     keylife=20m
>     >     rekeymargin=3m
>     >     keyingtries=1
>     >     keyexchange=ikev2
>     >
>     > # Add connections here.
>     >
>     > # Sample VPN connections
>     >
>     > conn android
>     >     left=192.168.1.2
>     >     leftauth=eap
>     >     eap_identity=deepika
>     >     right=192.168.1.154
>     >     rightid=192.168.1.154
>     >     rightauth=pubkey
>     >     auto=add
>     >
>     > /system/etc/ipsec.secrets
>     >
>     > deepika : EAP "deepika"
>     >
>     >
>     >
>     > But when I start the connection I am getting the following error:
>     >
>     > # ipsec stroke up android
>     > uname: not found
>     > uname: not found
>     > [: not found
>     > initiating IKE_SA android[2] to 192.168.1.154
>     > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>     N(NATD_D_IP) ]
>     > sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
>     > received packet: from 192.168.1.154[500] to 192.168.1.2[500]
>     > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>     > N(MULT_AUTH) ]
>     > sending cert request for "C=UK, CN=nits"
>     > establishing CHILD_SA android
>     > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr
>     CP(DNS)
>     > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>     > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
>     > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
>     > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
>     > received end entity cert "C=UK, CN=nits"
>     >   using certificate "C=UK, CN=nits"
>     >   using trusted ca certificate "C=UK, CN=nits"
>     >   reached self-signed root ca with a path length of 0
>     > authentication of '192.168.1.154' with RSA signature successful
>     > server requested EAP_MSCHAPV2 authentication (id 0x75)
>     > no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
>     > EAP_MSCHAPV2 method failed
>     >
>     >
>     > Output of logcat:
>     >
>     > I/charon  (  469): 00[CFG] loading ca certificates from
>     > '/system/etc/ipsec.d/cacerts'
>     > I/charon  (  469): 00[CFG]   loaded ca certificate "C=UK, CN=nits"
>     from
>     > '/system/etc/ipsec.d/cacerts/strongswanCert.pem'
>     > I/charon  (  469): 00[CFG] loading aa certificates from
>     > '/system/etc/ipsec.d/aacerts'
>     > I/charon  (  469): 00[LIB] opening directory
>     > '/system/etc/ipsec.d/aacerts' failed: No such file or directory
>     > I/charon  (  469): 00[CFG]   reading directory failed
>     > I/charon  (  469): 00[CFG] loading ocsp signer certificates from
>     > '/system/etc/ipsec.d/ocspcerts'
>     > I/charon  (  469): 00[LIB] opening directory
>     > '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
>     > I/charon  (  469): 00[CFG]   reading directory failed
>     > I/charon  (  469): 00[CFG] loading attribute certificates from
>     > '/system/etc/ipsec.d/acerts'
>     > I/charon  (  469): 00[LIB] opening directory
>     > '/system/etc/ipsec.d/acerts' failed: No such file or directory
>     > I/charon  (  469): 00[CFG]   reading directory failed
>     > I/charon  (  469): 00[CFG] loading crls from
>     '/system/etc/ipsec.d/crls'
>     > I/charon  (  469): 00[LIB] opening directory
>     '/system/etc/ipsec.d/crls'
>     > failed: No such file or directory
>     > I/charon  (  469): 00[CFG]   reading directory failed
>     > I/charon  (  469): 00[CFG] loading secrets from
>     '/system/etc/ipsec.secrets'
>     > I/charon  (  469): 00[CFG]   loaded EAP secret for deepika
>     > I/charon  (  469): 00[DMN] loaded plugins: openssl fips-prf random
>     > pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android
>     stroke
>     > eap-identity eap-mschapv2 eap-md5
>     > I/charon  (  469): 00[JOB] spawning 16 worker threads
>     > I/charon  (  469): 11[CFG] received stroke: add connection 'android'
>     > I/charon  (  469): 11[CFG] added configuration 'android'
>     >
>     > I/charon  (  469): 12[CFG] received stroke: initiate 'android'
>     > I/charon  (  469): 14[IKE] initiating IKE_SA android[1] to
>     192.168.1.154
>     > I/charon  (  469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No
>     > N(NATD_S_IP) N(NATD_D_IP) ]
>     > I/charon  (  469): 14[NET] sending packet: from 192.168.1.2[500] to
>     > 192.168.1.154[500]
>     > D/GpsLocationProvider(  107): NTP server returned: 1321866231250 (Mon
>     > Nov 21 09:03:51 GMT+00:00 2011) reference: 318100 certainty: 337
>     system
>     > time offset: -20070741
>     > I/charon  (  469): 15[IKE] retransmit 1 of request with message ID 0
>     > I/charon  (  469): 15[NET] sending packet: from 192.168.1.2[500] to
>     > 192.168.1.154[500]
>     > I/charon  (  469): 03[IKE] retransmit 2 of request with message ID 0
>     > I/charon  (  469): 03[NET] sending packet: from 192.168.1.2[500] to
>     > 192.168.1.154[500]
>     > I/charon  (  469): 16[IKE] retransmit 3 of request with message ID 0
>     > I/charon  (  469): 16[NET] sending packet: from 192.168.1.2[500] to
>     > 192.168.1.154[500]
>     > I/charon  (  469): 02[NET] received packet: from 192.168.1.154[500] to
>     > 192.168.1.2[500]
>     > I/charon  (  469): 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
>     > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>     > I/charon  (  469): 02[IKE] sending cert request for "C=UK, CN=nits"
>     > I/charon  (  469): 02[IKE] establishing CHILD_SA android
>     > I/charon  (  469): 02[ENC] generating IKE_AUTH request 1 [ IDi
>     > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
>     > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>     > I/charon  (  469): 02[NET] sending packet: from 192.168.1.2[4500] to
>     > 192.168.1.154[4500]
>     > I/charon  (  469): 01[NET] received packet: from
>     192.168.1.154[4500] to
>     > 192.168.1.2[4500]
>     > I/charon  (  469): 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
>     > EAP/REQ/MSCHAPV2 ]
>     > I/charon  (  469): 01[IKE] received end entity cert "C=UK, CN=nits"
>     > I/charon  (  469): 01[CFG]   using certificate "C=UK, CN=nits"
>     > I/charon  (  469): 01[CFG]   using trusted ca certificate "C=UK,
>     CN=nits"
>     > I/charon  (  469): 01[CFG]   reached self-signed root ca with a path
>     > length of 0
>     > I/charon  (  469): 01[IKE] authentication of '192.168.1.154' with RSA
>     > signature successful
>     > I/charon  (  469): 01[IKE] server requested EAP_MSCHAPV2
>     authentication
>     > (id 0xFD)
>     > I/charon  (  469): 01[IKE] no EAP key found for hosts
>     '192.168.1.154' -
>     > '192.168.1.2'
>     > I/charon  (  469): 01[IKE] EAP_MSCHAPV2 method failed
>     > I/dalvikvm(  164): Total arena pages for JIT: 11
>     > I/charon  (  469): 11[CFG] received stroke: initiate 'android'
>     > I/charon  (  469): 14[IKE] initiating IKE_SA android[2] to
>     192.168.1.154
>     > I/charon  (  469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No
>     > N(NATD_S_IP) N(NATD_D_IP) ]
>     > I/charon  (  469): 14[NET] sending packet: from 192.168.1.2[500] to
>     > 192.168.1.154[500]
>     > I/charon  (  469): 15[NET] received packet: from 192.168.1.154[500] to
>     > 192.168.1.2[500]
>     > I/charon  (  469): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
>     > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>     > I/charon  (  469): 15[IKE] sending cert request for "C=UK, CN=nits"
>     > I/charon  (  469): 15[IKE] establishing CHILD_SA android
>     > I/charon  (  469): 15[ENC] generating IKE_AUTH request 1 [ IDi
>     > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
>     > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>     > I/charon  (  469): 15[NET] sending packet: from 192.168.1.2[4500] to
>     > 192.168.1.154[4500]
>     > I/charon  (  469): 03[NET] received packet: from
>     192.168.1.154[4500] to
>     > 192.168.1.2[4500]
>     > I/charon  (  469): 03[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH
>     > EAP/REQ/MSCHAPV2 ]
>     > I/charon  (  469): 03[IKE] received end entity cert "C=UK, CN=nits"
>     > I/charon  (  469): 03[CFG]   using certificate "C=UK, CN=nits"
>     > I/charon  (  469): 03[CFG]   using trusted ca certificate "C=UK,
>     CN=nits"
>     > I/charon  (  469): 03[CFG]   reached self-signed root ca with a path
>     > length of 0
>     > I/charon  (  469): 03[IKE] authentication of '192.168.1.154' with RSA
>     > signature successful
>     > I/charon  (  469): 03[IKE] server requested EAP_MSCHAPV2
>     authentication
>     > (id 0x75)
>     > I/charon  (  469): 03[IKE] no EAP key found for hosts
>     '192.168.1.154' -
>     > '192.168.1.2'
>     > I/charon  (  469): 03[IKE] EAP_MSCHAPV2 method failed
>     >
>     > Am I missing something, or are there some issues with the release?
>     >
>     > Thanks in advance.
>     > Regards,

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
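As an added example (not from the thread or from the strongSwan project), a small Python linter that reproduces Andreas' diagnosis from the two ipsec.conf files and the client's ipsec.secrets. It assumes, as he explains, that without eap_identity=%any the server sends no EAP-Identity request, so the client looks up its EAP secret under its IKEv2 identity; it also flags the missing leftsourceip=%config. The parsing helpers and the sample configs are constructed here.

```python
import re

def parse_conns(text):
    """Parse the 'conn <name>' sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented: section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:     # indented: key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_eap_secrets(text):
    """Return the identities that have an 'id : EAP "..."' line in ipsec.secrets."""
    return {m.group(1) for m in re.finditer(r"^(\S+)\s*:\s*EAP\s", text, re.M)}

def lint_eap_client(server, client, secrets):
    """Assumption from the thread: unless the server sets eap_identity=%any it
    sends no EAP-Identity request, so the client's EAP secret is looked up under
    its IKEv2 identity (leftid, else left), not under its eap_identity."""
    findings = []
    ike_id = client.get("leftid", client.get("left"))
    if server.get("eap_identity") == "%any":
        used = client.get("eap_identity", ike_id)
    else:
        used = ike_id
        findings.append("server lacks eap_identity=%any; EAP will run for " + ike_id)
    if used not in secrets:
        findings.append("client ipsec.secrets has no EAP entry for " + used)
    if "rightsourceip" in server and client.get("leftsourceip") != "%config":
        findings.append("server offers a virtual IP pool; client lacks leftsourceip=%config")
    return findings

def lint(server_conf, client_conf, client_secrets, name="android"):
    server, client = parse_conns(server_conf)[name], parse_conns(client_conf)[name]
    return lint_eap_client(server, client, parse_eap_secrets(client_secrets))

# Constructed samples reduced from the thread: the failing pair and the fixed pair.
SERVER_BEFORE = ("conn android\n    left=192.168.1.154\n    right=%any\n"
                 "    rightsourceip=10.0.5.0/24\n    rightauth=eap-mschapv2\n    eap_identity=deepika\n")
SERVER_AFTER = SERVER_BEFORE.replace("eap_identity=deepika", "eap_identity=%any")
CLIENT_BEFORE = ("conn android\n    left=192.168.1.2\n    leftauth=eap\n"
                 "    eap_identity=deepika\n    right=192.168.1.154\n    rightauth=pubkey\n")
CLIENT_AFTER = CLIENT_BEFORE + "    leftsourceip=%config\n"
CLIENT_SECRETS = 'deepika : EAP "deepika"\n'
```

Running lint(SERVER_BEFORE, CLIENT_BEFORE, CLIENT_SECRETS) yields the three findings that correspond to the "no EAP key found" failure and the missing virtual IP request; the fixed pair yields none.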
