[strongSwan] I need a working config for Android (4.0.3) -> StrongSwan (4.5.6)

Kimmo Koivisto koippa at gmail.com
Thu May 17 19:59:26 CEST 2012


Hello

This is my config, works okay with 4.6.3 strongswan and Android 4.0.3 and 4.0.4:

conn android
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    left=my.public.ip
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=192.168.101.0/24
    pfs=no
    modeconfig=push
    auto=add

ipsec.secrets:
%any my-public-ip : PSK "pre-shared-key"
user1 : XAUTH "user1-password"


Regards,
Kimmo

2012/5/16 Clarence <clarencehj at gmail.com>:
> I've been trying to get my Android tablet to connect to the StrongSwan
> server all day today... Does anyone have a working config for connecting an
> Android 4.0.3 device to a StrongSwan server using the "IPSec Xauth PSK"
> setting?
>
>
> ** I think I need a working config to look at...  I'm Stumped!  ***
>
>
> This is the layout:
>
> [tablet - 192.168.51.125] ----> [ strongswan_left - 192.168.51.101 ] ---- [ strongswan_right - 192.168.61.101 ] ---> 192.168.61.0/24 network
>
> ipsec.secrets
> ----------------------
>
> 192.168.151.101  : PSK "password"
> user1 : XAUTH "password"   # <--- I'm not sure what this does.
> : XAUTH "password"            # <-- or this
>
> ipsec.conf
> ---------------
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         #  nat_traversal=yes
>         #  nat_traversal=no
>         charonstart=yes
>         plutostart=yes
>         plutodebug="control lifecycle dns oppo controlmore natt"
>
> # Add connections here.
> conn android
>           #authby=psk
>           authby=xauthpsk
>           xauth=server
>           keyexchange=ikev1
>           #type=tunnel
>           type=transport
>           left=192.168.51.101
>           #leftsubnet=0.0.0.0/0
>           leftnexthop=%defaultroute
>           right=%any
>           #rightsubnet=0.0.0.0/0
>           rightnexthop=%defaultroute
>           rightsourceip=192.168.61.5/25
>           pfs=no
>           auto=add
>
> On the tablet I put "password" in the pre-shared key field,
> and I put user1 and password in the username and password field that pops
> up when it tries to connect.
>
>
> -----
>
> This is what happens... I use wireshark and I can see
>
>   6 - Identity Protection packets (Main Mode) packets
>   1 - Transaction (Config Mode) packet
>   1 - Informational
>   3 - Transactional ( config Mode ) packets
>   1 - Informational
>
> Then that's it.  Nothing else happens.  The packets have the encrypted flag
> set so I can't really see what's inside of them.
>
> -----------
>
> This is the end of the pluto.log file ..
>
> *received 108 bytes from 192.168.51.125:500 on eth0
> | ICOOKIE:  ca 4c 24 cc  11 19 d6 0b
> | RCOOKIE:  81 0a 06 3f  6a c5 df 16
> | peer:  c0 a8 97 7d
> | state hash entry 27
> | state object #4 found, in STATE_XAUTH_R1
> "android"[4] 192.168.51.125 #4: parsing XAUTH reply
> | processing XAUTH_USER_NAME attribute
> | processing XAUTH_USER_PASSWORD attribute
> | peer xauth user name is 'user1'
> "android"[4] 192.168.51.125 #4: extended authentication failed
> "android"[4] 192.168.51.125 #4: sending XAUTH status
> | building XAUTH_STATUS attribute
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
> | next event EVENT_RETRANSMIT in 10 seconds for #4
> |
> | *received 92 bytes from 192.168.51.125:500 on eth0
> | ICOOKIE:  ca 4c 24 cc  11 19 d6 0b
> | RCOOKIE:  81 0a 06 3f  6a c5 df 16
> | peer:  c0 a8 97 7d
> | state hash entry 27
> | state object #4 found, in STATE_XAUTH_R2
> "android"[4] 192.168.51.125 #4: parsing XAUTH ack
> | processing XAUTH_STATUS attribute
> | ICOOKIE:  ca 4c 24 cc  11 19 d6 0b
> | RCOOKIE:  81 0a 06 3f  6a c5 df 16
> | peer:  c0 a8 97 7d
> | state hash entry 27
> "android"[4] 192.168.51.125: deleting connection "android" instance with
> peer 192.168.51.125 {isakmp=#0/ipsec=#0}
> | certs and keys locked by 'delete_connection'
> | certs and keys unlocked by 'delete_connection'
> | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
> |
> | *received 108 bytes from 192.168.51.125:500 on eth0
> | ICOOKIE:  ca 4c 24 cc  11 19 d6 0b
> | RCOOKIE:  81 0a 06 3f  6a c5 df 16
> | peer:  c0 a8 97 7d
> | state hash entry 27
> | state object not found
> packet from 192.168.51.125:500: Informational Exchange is for an unknown
> (expired?) SA
> | next event EVENT_NAT_T_KEEPALIVE in 20 seconds