[strongSwan] Issue in VPN connection (IKEv1) with XAUTHPSK using android (ICS vpn client) with Strongswan 4.5.0 server
Kushagra Bhatnagar
kbhatnagar at sta.samsung.com
Thu May 3 19:40:13 CEST 2012
Hello All,
I am trying to set up an IKEv1 VPN connection of type IPSEC XAUTH PSK on Android ICS with a strongSwan server.
Below is my /etc/ipsec.conf
conn android
    authby=xauthpsk
    xauth=server
    left=192.168.43.62
    leftsubnet=0.0.0.0/0
    leftnexthop=%defaultroute
    leftsourceip=10.0.0.2
    right=%any
    rightsubnet=0.0.0.0/0
    rightnexthop=%defaultroute
    rightsourceip=10.0.0.3
    pfs=no
    auto=add
Below is a snapshot of ipsec.secrets:
192.168.43.62 192.168.43.212 %any : PSK "whatyouseeiswhatyouget"
: RSA serverKey.pem
ipsecvpn : XAUTH 0x7365637265743230313200
include /var/lib/strongswan/ipsec.secrets.inc
Note:
In the ipsec.secrets file above, I have already provided the XAUTH password in binary format, NULL-terminated, to take care of the Android 4 implementation.
I configured the same settings on the client, with the same PSK and XAUTH password.
After the above settings, when I tried to enable the VPN on the client, I observed from the Wireshark logs on the server that the client keeps sending Identity Protection (Main Mode) messages to the server, but the server is not replying.
Upon checking the server logs, I observed the following error - "packet from 192.168.43.62:500: initial Main Mode message received on 192.168.43.212:500 but no connection has been authorized with policy=XAUTHPSK+XAUTHSERVER".
Below are the log snippets.
May 3 13:11:48 Linux pluto[2209]: | preparse_isakmp_policy: peer requests XAUTHPSK+XAUTHSERVER authentication
May 3 13:11:48 Linux pluto[2209]: packet from 192.168.43.62:500: initial Main Mode message received on 192.168.43.212:500 but no connection has been authorized with policy=XAUTHPSK+XAUTHSERVER
May 3 13:11:48 Linux pluto[2209]: | next event EVENT_REINIT_SECRET in 2635 seconds
Can somebody please provide some update on the above error?
Thanks,
-Kushagra
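
An added check, not part of the original post and not strongSwan code: it compares the addresses in the pluto log line with the left/right values of each conn and lists the conns in which neither end is the address the packet was received on. It assumes pluto can only select a conn for an incoming packet when one of its ends is a local address; the function names are hypothetical and the sample input is constructed from the values quoted in the post.

```python
import ipaddress
import re

# Constructed sample input: values copied from the post above.
IPSEC_CONF = """conn android
    authby=xauthpsk
    xauth=server
    left=192.168.43.62
    right=%any
"""
LOG_LINE = ("packet from 192.168.43.62:500: initial Main Mode message received on "
            "192.168.43.212:500 but no connection has been authorized with "
            "policy=XAUTHPSK+XAUTHSERVER")

def parse_conns(text):
    """Return {conn name: {option: value}} for the conn sections of ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a new section
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def parse_log(line):
    """Return (peer, local) addresses from a 'packet from ... received on ...' line."""
    m = re.search(r"packet from ([\d.]+):\d+: .* received on ([\d.]+):\d+", line)
    if m is None:
        raise ValueError("not a 'packet from ... received on ...' log line")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def is_local(value, local):
    """True if a left/right value names the local address (or defers to the default route)."""
    if value == "%defaultroute":
        return True
    try:
        return ipaddress.ip_address(value) == local
    except ValueError:                     # %any, hostnames, other keywords
        return False

def conns_without_local_end(conf_text, log_line):
    """List conns in which neither left nor right is the address the packet arrived on."""
    _, local = parse_log(log_line)
    return [name for name, opts in parse_conns(conf_text).items()
            if not any(is_local(opts.get(s, "%any"), local) for s in ("left", "right"))]
```
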