[strongSwan] Android as client: (IPsec) Working locally, but not remote
Markus Hoffmann
markus.hoffmann at koeln.de
Tue Feb 7 18:16:39 CET 2012
Hi,
I need some help with StrongSwan 4.5.2 and xl2tpd 1.3.1 (the latter is from
the Debian unstable repository, but I also tried 1.2.7 and 1.3.0):
I have set up an IPsec/L2TP connection for use with Android, following
various guides throughout the internet and reading the StrongSwan wiki.
However, this is only working when connecting locally over WiFi and in this
case the connection gets established within 3 to 4 seconds.
Connecting over EDGE/3G is the opposite: the connection is only established
after about 40 seconds and gets disconnected by the Android device several
seconds later :/
Device overview:
Android device (EDGE/3G) ---- (Internet) ---- Router ---- Debian 6.0.4 as VM
with bridged Ethernet
The router is on a dynamic xDSL line, has the internal IP address 192.168.2.1
and does NAT for the clients and the server behind it.
The virtual machine has 192.168.2.13 (fixed on the DHCP server), and
protocols 50 + 51 and ports 500, 1701 and 4500 are being forwarded to it.
Before adding "keyexchange=ikev1" the connection was established but got
dropped by the Android device in the local network; after adding this, the
connection now works locally.
This means that the connection gets established even when not secured by
IPsec (a known Android bug, as I have read), so there must be an issue with my
IPsec connection when connecting from EDGE/3G?!
Following are the outputs of "ipsec statusall" when connecting remotely and
locally.
Btw., how can I achieve logging for pluto to a file? I just found
information regarding charon :/
As you may notice, there is no "ESP proposal: [.]" when connecting remotely,
how can this be?
So it seems that IPsec connection cannot be established and thus the Android
device disconnects when discovering this.
I tested xl2tpd standalone since Android does L2TP without IPsec, too. This
worked very well.
--- output of "ipsec statusall" connection from EDGE/3G ---
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.2.13:4500
000 interface eth0/eth0 192.168.2.13:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "Android-NAT": 192.168.2.13[192.168.2.13]:17/1701---192.168.2.1...%any[%any]:17/%any; unrouted; eroute owner: #0
000 "Android-NAT": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "Android-NAT": policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: eth0;
000 "Android-NAT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Android-NAT"[2]: 192.168.2.13:4500[192.168.2.13]:17/1701---192.168.2.1...80.187.107.39:49552[2.165.18.240]:17/%any; unrouted; eroute owner: #0
000 "Android-NAT"[2]: ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "Android-NAT"[2]: policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: eth0;
000 "Android-NAT"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "Android-NAT"[2]: IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000
000 #1: "Android-NAT"[2] 80.187.107.39:49552 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28753s; newest ISAKMP
000
--- output of "ipsec statusall" connecting from within local network ---
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.168.2.13:4500
000 interface eth0/eth0 192.168.2.13:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "Android-NAT": 192.168.2.13[192.168.2.13]:17/1701---192.168.2.1...%any[%any]:17/%any; unrouted; eroute owner: #0
000 "Android-NAT": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "Android-NAT": policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: eth0;
000 "Android-NAT": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Android-NAT"[1]: 192.168.2.13[192.168.2.13]:17/1701---192.168.2.1...192.168.2.6[192.168.2.6]:17/0; erouted; eroute owner: #2
000 "Android-NAT"[1]: ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "Android-NAT"[1]: policy: PSK+ENCRYPT+DONTREKEY; prio: 32,32; interface: eth0;
000 "Android-NAT"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Android-NAT"[1]: IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "Android-NAT"[1]: ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000
000 #2: "Android-NAT"[1] 192.168.2.6 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3323s; newest IPSEC; eroute owner
000 #2: "Android-NAT"[1] 192.168.2.6 esp.5b5e0e1 at 192.168.2.6 (635 bytes, 4s ago) esp.c6145b0d at 192.168.2.13 (653 bytes, 4s ago); transport
000 #1: "Android-NAT"[1] 192.168.2.6 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28792s; newest ISAKMP
000
--- /etc/ipsec.conf ---
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=no
        plutostart=yes
        interfaces=eth0

conn Android-NAT
        keyexchange=ikev1
        authby=secret
        pfs=no
        auto=add
        keyingtries=3
        rekey=no
        type=transport
        left=192.168.2.13
        leftnexthop=192.168.2.1
        leftprotoport=udp/1701
        right=%any
        rightprotoport=udp/%any
        ike=aes128-sha!
        esp=aes128-sha1!
--- /var/log/xl2tpd.log ---
using channel 30
Using interface ppp0
Connect: ppp0 <--> /dev/pts/1
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x1869efc1>]
rcvd [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x9c1a8f9> <pcomp>
<accomp>]
sent [LCP ConfRej id=0x1 <pcomp> <accomp>]
rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MD5> <magic 0x1869efc1>]
rcvd [LCP ConfReq id=0x2 <mru 1400> <asyncmap 0x0> <magic 0x9c1a8f9>]
sent [LCP ConfAck id=0x2 <mru 1400> <asyncmap 0x0> <magic 0x9c1a8f9>]
sent [LCP EchoReq id=0x0 magic=0x1869efc1]
sent [CHAP Challenge id=0x3f <fcf5c3beab039f8f0ea9557d30b5053817>, name = "servee"]
rcvd [LCP EchoRep id=0x0 magic=0x9c1a8f9]
rcvd [CHAP Response id=0x3f <d5ddac046ad9a471f5055215593b2cd8>, name = "markus"]
sent [CHAP Success id=0x3f "Access granted"]
sent [IPCP ConfReq id=0x1 <addr 192.168.2.99>]
rcvd [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Unsupported protocol 'Compression Control Protocol' (0x80fd) received
sent [LCP ProtRej id=0x2 80 fd 01 01 00 0f 1a 04 78 00 18 04 78 00 15 03 2f]
rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
sent [IPCP ConfRej id=0x1 <compress VJ 0f 01>]
rcvd [IPCP ConfAck id=0x1 <addr 192.168.2.99>]
rcvd [IPCP ConfReq id=0x2 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
sent [IPCP ConfNak id=0x2 <addr 192.168.2.100> <ms-dns1 192.168.2.1> <ms-dns2 192.168.2.1>]
rcvd [IPCP ConfReq id=0x3 <addr 192.168.2.100> <ms-dns1 192.168.2.1> <ms-dns2 192.168.2.1>]
sent [IPCP ConfAck id=0x3 <addr 192.168.2.100> <ms-dns1 192.168.2.1> <ms-dns2 192.168.2.1>]
found interface eth0 for proxy arp
local IP address 192.168.2.99
remote IP address 192.168.2.100
Script /etc/ppp/ip-up started (pid 5441)
Script /etc/ppp/ip-up finished (pid 5441), status = 0x0
sent [LCP EchoReq id=0x1 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x1 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x2 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x2 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x3 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x3 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x4 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x4 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x5 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x5 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x6 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x6 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x7 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x7 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x8 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x8 magic=0x9c1a8f9]
sent [LCP EchoReq id=0x9 magic=0x1869efc1]
rcvd [LCP EchoRep id=0x9 magic=0x9c1a8f9]
sent [LCP EchoReq id=0xa magic=0x1869efc1]
rcvd [LCP EchoRep id=0xa magic=0x9c1a8f9]
sent [LCP EchoReq id=0xb magic=0x1869efc1]
rcvd [LCP EchoRep id=0xb magic=0x9c1a8f9]
rcvd [LCP TermReq id=0x3 "User request"]
LCP terminated by peer (User request)
Connect time 5.9 minutes.
Sent 0 bytes, received 3684 bytes.
Script /etc/ppp/ip-down started (pid 5504)
sent [LCP TermAck id=0x3]
Script /etc/ppp/ip-down finished (pid 5504), status = 0x0
Terminating on signal 15
Modem hangup
Connection terminated.
Sincerely and many thanks in advance,
Markus
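The post compares two "ipsec statusall" dumps by eye to see why the remote instance never gets an ESP proposal. The following is an added example, not part of Markus's mail or of strongSwan: a small Python parser for the pluto statusall format that extracts, per connection instance, the peer address and IKE ID (a mismatch means the peer sits behind NAT), whether the local side has moved to UDP/4500 (NAT-T), the newest ISAKMP and IPsec SA numbers, and the negotiated proposals. Its diagnosis reports the condition the post describes: phase 1 complete, but no IPsec SA, so L2TP would run unprotected. The sample input is an excerpt of the two outputs quoted above with the mail-client line wrapping undone; the regular expressions and the ConnInstance type are this example's own assumptions about the format, not a strongSwan API.

```python
import re
from dataclasses import dataclass, field

# Sample input: excerpts of the two "ipsec statusall" outputs quoted in the post,
# re-joined where the mail client had wrapped the lines.
REMOTE_STATUS = """\
000 "Android-NAT"[2]: 192.168.2.13:4500[192.168.2.13]:17/1701---192.168.2.1...80.187.107.39:49552[2.165.18.240]:17/%any; unrouted; eroute owner: #0
000 "Android-NAT"[2]: newest ISAKMP SA: #1; newest IPsec SA: #0;
000 "Android-NAT"[2]: IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 #1: "Android-NAT"[2] 80.187.107.39:49552 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28753s; newest ISAKMP
"""

LOCAL_STATUS = """\
000 "Android-NAT"[1]: 192.168.2.13[192.168.2.13]:17/1701---192.168.2.1...192.168.2.6[192.168.2.6]:17/0; erouted; eroute owner: #2
000 "Android-NAT"[1]: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "Android-NAT"[1]: IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "Android-NAT"[1]: ESP proposal: AES_CBC_128/HMAC_SHA1/<N/A>
000 #2: "Android-NAT"[1] 192.168.2.6 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3323s; newest IPSEC; eroute owner
000 #1: "Android-NAT"[1] 192.168.2.6 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_EXPIRE in 28792s; newest ISAKMP
"""

# Assumed line shapes (derived from the output above, not a documented grammar).
HEADER = re.compile(r'^000 "(?P<name>[^"]+)"\[(?P<inst>\d+)\]:\s*(?P<rest>.*)$')
ROUTE = re.compile(r'^(?P<lhost>[\d.]+)(?::(?P<lport>\d+))?\[(?P<lid>[^\]]*)\]:\S+---'
                   r'\S+\.\.\.(?P<rhost>[\d.]+)(?::(?P<rport>\d+))?\[(?P<rid>[^\]]*)\]')
SA_LINE = re.compile(r'newest ISAKMP SA: #(?P<isakmp>\d+); newest IPsec SA: #(?P<ipsec>\d+)')
PROPOSAL = re.compile(r'^(?P<kind>IKE|ESP) proposal: (?P<prop>\S+)')
STATE = re.compile(r'^000 #(?P<sa>\d+): "(?P<name>[^"]+)"\[(?P<inst>\d+)\] \S+ (?P<state>STATE_\w+)')


@dataclass
class ConnInstance:
    """One instantiated connection ("name"[n]) from the statusall output."""
    name: str
    instance: int
    peer: str = ""          # source address the IKE packets arrive from
    peer_id: str = ""       # IKE identity the peer claims (its own address)
    local_port: int = 500   # 4500 once pluto has switched to NAT-T
    isakmp_sa: int = 0      # newest phase-1 SA number, 0 = none
    ipsec_sa: int = 0       # newest phase-2 SA number, 0 = none
    ike_proposal: str = ""
    esp_proposal: str = ""
    states: list = field(default_factory=list)

    @property
    def peer_behind_nat(self) -> bool:
        # Pluto prints "addr:port[id]"; when the id is a different address
        # than the one packets come from, the peer is NATed.
        return bool(self.peer_id) and self.peer_id != self.peer

    @property
    def nat_traversal(self) -> bool:
        return self.local_port == 4500


def parse_statusall(text: str) -> dict:
    """Return {(name, instance): ConnInstance} for every instantiated connection."""
    conns = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            key = (m["name"], int(m["inst"]))
            c = conns.setdefault(key, ConnInstance(*key))
            rest = m["rest"]
            r = ROUTE.match(rest)
            if r:
                c.local_port = int(r["lport"] or 500)
                c.peer, c.peer_id = r["rhost"], r["rid"]
                continue
            s = SA_LINE.search(rest)
            if s:
                c.isakmp_sa, c.ipsec_sa = int(s["isakmp"]), int(s["ipsec"])
                continue
            p = PROPOSAL.match(rest)
            if p:
                if p["kind"] == "IKE":
                    c.ike_proposal = p["prop"]
                else:
                    c.esp_proposal = p["prop"]
            continue
        m = STATE.match(line)
        if m:
            key = (m["name"], int(m["inst"]))
            if key in conns:
                conns[key].states.append(m["state"])
    return conns


def ipsec_protected(c: ConnInstance) -> bool:
    """True only when a phase-2 (ESP) SA exists; L2TP without it is plaintext."""
    return c.ipsec_sa > 0 and bool(c.esp_proposal)


def diagnose(c: ConnInstance) -> list:
    """Human-readable findings for one connection instance."""
    findings = []
    if c.peer_behind_nat:
        findings.append(f"peer {c.peer} is behind NAT (IKE ID {c.peer_id} differs from source address)")
    if c.nat_traversal:
        findings.append("NAT-T active: IKE and ESP are UDP-encapsulated on port 4500")
    if c.isakmp_sa and not c.ipsec_sa:
        findings.append("ISAKMP SA established but no IPsec SA: quick mode never completed, "
                        "no ESP proposal, so L2TP traffic would be unprotected")
    elif ipsec_protected(c):
        findings.append(f"IPsec SA #{c.ipsec_sa} established with ESP {c.esp_proposal}")
    return findings


if __name__ == "__main__":
    for label, text in (("remote", REMOTE_STATUS), ("local", LOCAL_STATUS)):
        for c in parse_statusall(text).values():
            print(f"[{label}] {c.name}[{c.instance}] protected={ipsec_protected(c)}")
            for f in diagnose(c):
                print("   -", f)
```

Running it on the two excerpts prints the contrast the post describes: the EDGE/3G instance [2] is flagged as NATed, on UDP/4500, with an ISAKMP SA but no IPsec SA, while the WiFi instance [1] has IPsec SA #2 with the ESP proposal. The same check is a reasonable thing to run periodically on an L2TP/IPsec gateway, since the Android behaviour the post mentions (bringing L2TP up even when IPsec is absent) means a missing phase 2 silently downgrades the connection to plaintext rather than failing.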