[strongSwan] can not establish MSCHAPv2 tunnel using ipsec.conf/ipsec.secrets in strongswan 4.6.1 release on Android Gingerbread

Nitin Verma nitin.jndm at gmail.com
Tue Nov 22 09:50:59 CET 2011


Yes Andreas, that worked straightaway. Thanks.

However, I am further facing two problems. First, in my configuration, I
get a dynamic IP for my android client and whereas in my ipsec.conf at
android, I am giving a fix ip address in the "left" field. When I use
"left=%defaultroute", I get the following error:

# ipsec starter
uname: not found
uname: not found
[: not found
Starting strongSwan 4.6.1 IPsec [starter]...
removing pidfile '/data/misc/vpn/charon.pid', process not running
%defaultroute not supported, fallback to %any
modprobe: not found
modprobe: not found
modprobe: not found
modprobe: not found
modprobe: not found
removing pidfile '/data/misc/vpn/starter.pid', process not running
#
#
#
# ipsec stroke up android
uname: not found
uname: not found
[: not found
initiating IKE_SA android[1] to 192.168.1.154
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.5[500] to 192.168.1.154[500]
received packet: from 192.168.1.154[500] to 192.168.1.5[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
sending cert request for "C=UK, CN=nits"
establishing CHILD_SA android
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR
DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.5[4500] to 192.168.1.154[4500]
received packet: from 192.168.1.154[500] to 192.168.1.5[500]
parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
received INVALID_SYNTAX notify error

LOGCAT::
======
I/charon  (  466): 00[CFG] loading ca certificates from
'/system/etc/ipsec.d/cacerts'
I/charon  (  466): 00[CFG]   loaded ca certificate "C=UK, CN=nits" from
'/system/etc/ipsec.d/cacerts/strongswanCert.pem'
I/charon  (  466): 00[CFG] loading aa certificates from
'/system/etc/ipsec.d/aacerts'
I/charon  (  466): 00[LIB] opening directory '/system/etc/ipsec.d/aacerts'
failed: No such file or directory
I/charon  (  466): 00[CFG]   reading directory failed
I/charon  (  466): 00[CFG] loading ocsp signer certificates from
'/system/etc/ipsec.d/ocspcerts'
I/charon  (  466): 00[LIB] opening directory
'/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
I/charon  (  466): 00[CFG]   reading directory failed
I/charon  (  466): 00[CFG] loading attribute certificates from
'/system/etc/ipsec.d/acerts'
I/charon  (  466): 00[LIB] opening directory '/system/etc/ipsec.d/acerts'
failed: No such file or directory
I/charon  (  466): 00[CFG]   reading directory failed
I/charon  (  466): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
I/charon  (  466): 00[LIB] opening directory '/system/etc/ipsec.d/crls'
failed: No such file or directory
I/charon  (  466): 00[CFG]   reading directory failed
I/charon  (  466): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'
I/charon  (  466): 00[CFG]   loaded EAP secret for deepika
I/charon  (  466): 00[DMN] loaded plugins: openssl fips-prf random pubkey
pkcs1 pem xcbc hmac kernel-netlink socket-default android stroke
eap-identity eap-mschapv2 eap-md5
I/charon  (  466): 00[JOB] spawning 16 worker threads
I/charon  (  466): 10[CFG] received stroke: add connection 'android'
I/charon  (  466): 10[CFG] left nor right host is our side, assuming
left=local
I/charon  (  466): 10[CFG] added configuration 'android'
I/charon  (  466): 03[CFG] received stroke: initiate 'android'
I/charon  (  466): 13[IKE] initiating IKE_SA android[1] to 192.168.1.154
I/charon  (  466): 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
I/charon  (  466): 13[NET] sending packet: from 192.168.1.5[500] to
192.168.1.154[500]
I/charon  (  466): 14[NET] received packet: from 192.168.1.154[500] to
192.168.1.5[500]
I/charon  (  466): 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
I/charon  (  466): 14[IKE] sending cert request for "C=UK, CN=nits"
I/charon  (  466): 14[IKE] establishing CHILD_SA android
I/charon  (  466): 14[ENC] generating IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP)
N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
I/charon  (  466): 14[NET] sending packet: from 192.168.1.5[4500] to
192.168.1.154[4500]
I/charon  (  466): 15[NET] received packet: from 192.168.1.154[500] to
192.168.1.5[500]
I/charon  (  466): 15[ENC] parsed IKE_AUTH response 1 [ N(INVAL_SYN) ]
I/charon  (  466): 15[IKE] received INVALID_SYNTAX notify error

SYSLOG at server:
==============

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[MGR] checkout IKE_SA by
message

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[MGR] created IKE_SA
(unnamed)[4]

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[NET] received packet: from
192.168.1.5[500] to 192.168.1.154[500]

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] looking for an ike
config for 192.168.1.154...192.168.1.5

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG]   candidate:
192.168.1.154...%any, prio 5

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] found matching ike
config: 192.168.1.154...%any with prio 5

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] 192.168.1.5 is
initiating an IKE_SA

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] 192.168.1.5 is
initiating an IKE_SA

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[IKE] IKE_SA (unnamed)[4]
state change: CREATED => CONNECTING

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] selecting proposal:

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG]   proposal matches

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] received proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/AES_XCBC_96/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] configured proposals:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/AES_XCBC_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_MD5_96/HMAC_SHA2_384_192/HMAC_SHA2_512_256/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160

Nov 22 13:32:08 ubuntu1-OptiPlex-160L charon: 10[CFG] selected proposal:
IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[NET] sending packet: from
192.168.1.154[500] to 192.168.1.5[500]

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[MGR] checkin IKE_SA
(unnamed)[4]

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 10[MGR] check-in of IKE_SA
successful.

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] checkout IKE_SA by
message

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] IKE_SA (unnamed)[4]
successfully checked out

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[NET] received packet: from
192.168.1.5[4500] to 192.168.1.154[4500]

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] received ID with
reserved type 0

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] ID_INITIATOR
verification failed

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] could not decrypt
payloads

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[IKE] message verification
failed

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[ENC] generating IKE_AUTH
response 1 [ N(INVAL_SYN) ]

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[NET] sending packet: from
192.168.1.154[500] to 192.168.1.5[500]

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[IKE] IKE_AUTH request with
message ID 1 processing failed

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] checkin IKE_SA
(unnamed)[4]

Nov 22 13:32:09 ubuntu1-OptiPlex-160L charon: 16[MGR] check-in of IKE_SA
successful.

Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] checkout IKE_SA

Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] IKE_SA (unnamed)[4]
successfully checked out

Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[JOB] deleting half open
IKE_SA after timeout

Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] checkin and destroy
IKE_SA (unnamed)[4]

Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[IKE] IKE_SA (unnamed)[4]
state change: CONNECTING => DESTROYING

Nov 22 13:32:38 ubuntu1-OptiPlex-160L charon: 04[MGR] check-in and destroy
of IKE_SA successful

Does that mean "defaultroute" does not work at Android? Everytime I get a
different IP from gateway, do I have to modify the ipsec.conf?

My second problem is that since ipsec stop command does not work directly,
I have to restart the phone everytime I make changes in ipsec.conf. Is
there any way to avoid the restart in Android?

My appologies for bothering you with so many questions.

Regards,
Nitin




On Mon, Nov 21, 2011 at 5:51 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Nitin,
>
> on the Androis side add
>
>  leftsourceip=%config
>
> to the connection definition in ipsec.conf.
>
> Regards
>
> Andreas
>
> On 21.11.2011 12:38, Nitin Verma wrote:
> > Hi Andreas,
> > Thanks for the quick reply. It solve the problem.
> > Now at the Android:
> >
> > # ipsec stroke status
> > uname: not found
> > uname: not found
> > [: not found
> > Security Associations (1 up, 0 connecting):
> >      android[2]: ESTABLISHED 6 minutes ago,
> > 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
> >      android{1}:  INSTALLED, TUNNEL, ESP SPIs: c5974d0b_i c8a59239_o
> >      android{1}:   192.168.1.2/32 <http://192.168.1.2/32> ===
> > 192.168.1.154/32 <http://192.168.1.154/32>
> > #
> >
> > # ipsec stroke up android
> > uname: not found
> > uname: not found
> > [: not found
> > initiating IKE_SA android[2] to 192.168.1.154
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> > sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> > received packet: from 192.168.1.154[500] to 192.168.1.2[500]
> > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> > N(MULT_AUTH) ]
> > sending cert request for "C=UK, CN=nits"
> > establishing CHILD_SA android
> > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS)
> > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> > received end entity cert "C=UK, CN=nits"
> >   using certificate "C=UK, CN=nits"
> >   using trusted ca certificate "C=UK, CN=nits"
> >   reached self-signed root ca with a path length of 0
> > authentication of '192.168.1.154' with RSA signature successful
> > server requested EAP_IDENTITY (id 0x00), sending 'deepika'
> > generating IKE_AUTH request 2 [ EAP/RES/ID ]
> > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> > parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> > server requested EAP_MSCHAPV2 authentication (id 0x79)
> > generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> > parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> > EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
> > generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> > parsed IKE_AUTH response 4 [ EAP/SUCC ]
> > EAP method EAP_MSCHAPV2 succeeded, MSK established
> > authentication of '192.168.1.2' (myself) with EAP
> > generating IKE_AUTH request 5 [ AUTH ]
> > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> > parsed IKE_AUTH response 5 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
> > N(NO_ADD_ADDR) ]
> > authentication of '192.168.1.154' with EAP successful
> > IKE_SA android[2] established between
> > 192.168.1.2[192.168.1.2]...192.168.1.154[192.168.1.154]
> > scheduling reauthentication in 3362s
> > maximum IKE_SA lifetime 3542s
> >
> > I noticed that it doesn't request for virtual ip as it asked when I used
> > the front-end related changes. Is that possible to request for the
> > virtual ip also?
> >
> > Thanks again.
> > Regards,
> > Nitin
> >
> >
> > On Mon, Nov 21, 2011 at 4:19 PM, Andreas Steffen
> > <andreas.steffen at strongswan.org <mailto:andreas.steffen at strongswan.org>>
> > wrote:
> >
> >     Hello Nitin,
> >
> >     your ubuntu server does not initiate EAP-Identity. Therefore
> >     the EAP-MSCHAPv2 authentication requested is for IKEv2 user
> >     identity 192.168.1.2 and not for EAP identity deepika.
> >
> >     You should change the ubuntu server entry to
> >
> >     eap_identity=%any
> >
> >     and make sure that you enabled, built and loaded the eap_identity
> >     plugin.
> >
> >     Regards
> >
> >     Andreas
> >
> >     On 21.11.2011 10:56, Nitin Verma wrote:
> >     > Hi,
> >     > I have been able to successfully establish IPSec IKEv2 tunnel
> between
> >     > Nexus S (running 2.3.5_r1) and a ubuntu server. However, the latest
> >     > 4.6.1 release supports starter and stroke executables at Android
> and I
> >     > am trying to establish the same connection using ipsec.conf and
> >     > ipsec.secrets.
> >     >
> >     > My server side configuration is:
> >     > ======================
> >     >
> >     > server IP: /192.168.1.154/ <http://192.168.1.154/>
> >     >
> >     > ipsec.conf:
> >     >
> >     > config setup
> >     >         crlcheckinterval=180
> >     >         strictcrlpolicy=no
> >     >         plutostart=no
> >     >         charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
> >     >
> >     > conn %default
> >     >         ikelifetime=60m
> >     >         keylife=20m
> >     >         rekeymargin=3m
> >     >         keyingtries=1
> >     >         keyexchange=ikev2
> >     >         # leftcert=moonCert.pem
> >     >
> >     > # Add connections here.
> >     >
> >     > conn android
> >     >     left=192.168.1.154
> >     >     leftid=192.168.1.154
> >     >     leftcert=moonCert.pem
> >     >     leftauth=pubkey
> >     >     right=%any
> >     >     rightsourceip=10.0.5.0/24 <http://10.0.5.0/24>
> >     <http://10.0.5.0/24>
> >     >     rightauth=eap-mschapv2
> >     >     rightsendcert=never
> >     >     eap_identity=deepika
> >     >     auto=add
> >     >
> >     > ipsec.secrets:
> >     >
> >     > : RSA moonKey.pem
> >     >
> >     > deepika : EAP "deepika"
> >     >
> >     > Configuration at Nexus S (Android 2.3.5_r1):
> >     > ================================
> >     >
> >     > I manually created "ipsec.d" directory in /system/etc/ and put my
> ca
> >     > certificate in cacerts there, and then created ipsec.conf and
> >     > ipsec.secrets in /system/etc/
> >     >
> >     > /system/etc/ipsec.conf
> >     >
> >     > config setup
> >     >     plutostart=no
> >     >     charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
> >     >
> >     > conn %default
> >     >     ikelifetime=60m
> >     >     keylife=20m
> >     >     rekeymargin=3m
> >     >     keyingtries=1
> >     >     keyexchange=ikev2
> >     >
> >     > # Add connections here.
> >     >
> >     > # Sample VPN connections
> >     >
> >     > conn android
> >     >     left=192.168.1.2
> >     >     leftauth=eap
> >     >     eap_identity=deepika
> >     >     right=192.168.1.154
> >     >     rightid=192.168.1.154
> >     >     rightauth=pubkey
> >     >     auto=add
> >     >
> >     > /system/etc/ipsec.secrets
> >     >
> >     > deepika : EAP "deepika"
> >     >
> >     >
> >     >
> >     > But when I start the connection I am getting the following error:
> >     >
> >     > # ipsec stroke up android
> >     > uname: not found
> >     > uname: not found
> >     > [: not found
> >     > initiating IKE_SA android[2] to 192.168.1.154
> >     > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
> >     N(NATD_D_IP) ]
> >     > sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> >     > received packet: from 192.168.1.154[500] to 192.168.1.2[500]
> >     > parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> >     > N(MULT_AUTH) ]
> >     > sending cert request for "C=UK, CN=nits"
> >     > establishing CHILD_SA android
> >     > generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr
> >     CP(DNS)
> >     > SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> >     > sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> >     > received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> >     > parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> >     > received end entity cert "C=UK, CN=nits"
> >     >   using certificate "C=UK, CN=nits"
> >     >   using trusted ca certificate "C=UK, CN=nits"
> >     >   reached self-signed root ca with a path length of 0
> >     > authentication of '192.168.1.154' with RSA signature successful
> >     > server requested EAP_MSCHAPV2 authentication (id 0x75)
> >     > no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
> >     > EAP_MSCHAPV2 method failed
> >     >
> >     >
> >     > Output of logcat:
> >     >
> >     > I/charon  (  469): 00[CFG] loading ca certificates from
> >     > '/system/etc/ipsec.d/cacerts'
> >     > I/charon  (  469): 00[CFG]   loaded ca certificate "C=UK, CN=nits"
> >     from
> >     > '/system/etc/ipsec.d/cacerts/strongswanCert.pem'
> >     > I/charon  (  469): 00[CFG] loading aa certificates from
> >     > '/system/etc/ipsec.d/aacerts'
> >     > I/charon  (  469): 00[LIB] opening directory
> >     > '/system/etc/ipsec.d/aacerts' failed: No such file or directory
> >     > I/charon  (  469): 00[CFG]   reading directory failed
> >     > I/charon  (  469): 00[CFG] loading ocsp signer certificates from
> >     > '/system/etc/ipsec.d/ocspcerts'
> >     > I/charon  (  469): 00[LIB] opening directory
> >     > '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
> >     > I/charon  (  469): 00[CFG]   reading directory failed
> >     > I/charon  (  469): 00[CFG] loading attribute certificates from
> >     > '/system/etc/ipsec.d/acerts'
> >     > I/charon  (  469): 00[LIB] opening directory
> >     > '/system/etc/ipsec.d/acerts' failed: No such file or directory
> >     > I/charon  (  469): 00[CFG]   reading directory failed
> >     > I/charon  (  469): 00[CFG] loading crls from
> >     '/system/etc/ipsec.d/crls'
> >     > I/charon  (  469): 00[LIB] opening directory
> >     '/system/etc/ipsec.d/crls'
> >     > failed: No such file or directory
> >     > I/charon  (  469): 00[CFG]   reading directory failed
> >     > I/charon  (  469): 00[CFG] loading secrets from
> >     '/system/etc/ipsec.secrets'
> >     > I/charon  (  469): 00[CFG]   loaded EAP secret for deepika
> >     > I/charon  (  469): 00[DMN] loaded plugins: openssl fips-prf random
> >     > pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android
> >     stroke
> >     > eap-identity eap-mschapv2 eap-md5
> >     > I/charon  (  469): 00[JOB] spawning 16 worker threads
> >     > I/charon  (  469): 11[CFG] received stroke: add connection
> 'android'
> >     > I/charon  (  469): 11[CFG] added configuration 'android'
> >     >
> >     > I/charon  (  469): 12[CFG] received stroke: initiate 'android'
> >     > I/charon  (  469): 14[IKE] initiating IKE_SA android[1] to
> >     192.168.1.154
> >     > I/charon  (  469): 14[ENC] generating IKE_SA_INIT request 0 [ SA
> KE No
> >     > N(NATD_S_IP) N(NATD_D_IP) ]
> >     > I/charon  (  469): 14[NET] sending packet: from 192.168.1.2[500] to
> >     > 192.168.1.154[500]
> >     > D/GpsLocationProvider(  107): NTP server returned: 1321866231250
> (Mon
> >     > Nov 21 09:03:51 GMT+00:00 2011) reference: 318100 certainty: 337
> >     system
> >     > time offset: -20070741
> >     > I/charon  (  469): 15[IKE] retransmit 1 of request with message ID
> 0
> >     > I/charon  (  469): 15[NET] sending packet: from 192.168.1.2[500] to
> >     > 192.168.1.154[500]
> >     > I/charon  (  469): 03[IKE] retransmit 2 of request with message ID
> 0
> >     > I/charon  (  469): 03[NET] sending packet: from 192.168.1.2[500] to
> >     > 192.168.1.154[500]
> >     > I/charon  (  469): 16[IKE] retransmit 3 of request with message ID
> 0
> >     > I/charon  (  469): 16[NET] sending packet: from 192.168.1.2[500] to
> >     > 192.168.1.154[500]
> >     > I/charon  (  469): 02[NET] received packet: from
> 192.168.1.154[500] to
> >     > 192.168.1.2[500]
> >     > I/charon  (  469): 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
> >     > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> >     > I/charon  (  469): 02[IKE] sending cert request for "C=UK, CN=nits"
> >     > I/charon  (  469): 02[IKE] establishing CHILD_SA android
> >     > I/charon  (  469): 02[ENC] generating IKE_AUTH request 1 [ IDi
> >     > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
> >     > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> >     > I/charon  (  469): 02[NET] sending packet: from 192.168.1.2[4500]
> to
> >     > 192.168.1.154[4500]
> >     > I/charon  (  469): 01[NET] received packet: from
> >     192.168.1.154[4500] to
> >     > 192.168.1.2[4500]
> >     > I/charon  (  469): 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT
> AUTH
> >     > EAP/REQ/MSCHAPV2 ]
> >     > I/charon  (  469): 01[IKE] received end entity cert "C=UK, CN=nits"
> >     > I/charon  (  469): 01[CFG]   using certificate "C=UK, CN=nits"
> >     > I/charon  (  469): 01[CFG]   using trusted ca certificate "C=UK,
> >     CN=nits"
> >     > I/charon  (  469): 01[CFG]   reached self-signed root ca with a
> path
> >     > length of 0
> >     > I/charon  (  469): 01[IKE] authentication of '192.168.1.154' with
> RSA
> >     > signature successful
> >     > I/charon  (  469): 01[IKE] server requested EAP_MSCHAPV2
> >     authentication
> >     > (id 0xFD)
> >     > I/charon  (  469): 01[IKE] no EAP key found for hosts
> >     '192.168.1.154' -
> >     > '192.168.1.2'
> >     > I/charon  (  469): 01[IKE] EAP_MSCHAPV2 method failed
> >     > I/dalvikvm(  164): Total arena pages for JIT: 11
> >     > I/charon  (  469): 11[CFG] received stroke: initiate 'android'
> >     > I/charon  (  469): 14[IKE] initiating IKE_SA android[2] to
> >     192.168.1.154
> >     > I/charon  (  469): 14[ENC] generating IKE_SA_INIT request 0 [ SA
> KE No
> >     > N(NATD_S_IP) N(NATD_D_IP) ]
> >     > I/charon  (  469): 14[NET] sending packet: from 192.168.1.2[500] to
> >     > 192.168.1.154[500]
> >     > I/charon  (  469): 15[NET] received packet: from
> 192.168.1.154[500] to
> >     > 192.168.1.2[500]
> >     > I/charon  (  469): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
> >     > N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> >     > I/charon  (  469): 15[IKE] sending cert request for "C=UK, CN=nits"
> >     > I/charon  (  469): 15[IKE] establishing CHILD_SA android
> >     > I/charon  (  469): 15[ENC] generating IKE_AUTH request 1 [ IDi
> >     > N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP)
> >     > N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> >     > I/charon  (  469): 15[NET] sending packet: from 192.168.1.2[4500]
> to
> >     > 192.168.1.154[4500]
> >     > I/charon  (  469): 03[NET] received packet: from
> >     192.168.1.154[4500] to
> >     > 192.168.1.2[4500]
> >     > I/charon  (  469): 03[ENC] parsed IKE_AUTH response 1 [ IDr CERT
> AUTH
> >     > EAP/REQ/MSCHAPV2 ]
> >     > I/charon  (  469): 03[IKE] received end entity cert "C=UK, CN=nits"
> >     > I/charon  (  469): 03[CFG]   using certificate "C=UK, CN=nits"
> >     > I/charon  (  469): 03[CFG]   using trusted ca certificate "C=UK,
> >     CN=nits"
> >     > I/charon  (  469): 03[CFG]   reached self-signed root ca with a
> path
> >     > length of 0
> >     > I/charon  (  469): 03[IKE] authentication of '192.168.1.154' with
> RSA
> >     > signature successful
> >     > I/charon  (  469): 03[IKE] server requested EAP_MSCHAPV2
> >     authentication
> >     > (id 0x75)
> >     > I/charon  (  469): 03[IKE] no EAP key found for hosts
> >     '192.168.1.154' -
> >     > '192.168.1.2'
> >     > I/charon  (  469): 03[IKE] EAP_MSCHAPV2 method failed
> >     >
> >     > Am I missing something or there are some issues with the release?
> >     >
> >     > Thanks in advance.
> >     > Regards,
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20111122/ec20a2ef/attachment.html>


More information about the Users mailing list