[strongSwan] Upgraded from 4.5.2 and now Motorola Droid Pro is broken
Dmitry Korzhevin
dmitry.korzhevin at stidia.com
Fri Oct 26 00:54:57 CEST 2012
Hi,
Try adding the following profile to your /etc/ipsec.conf :
conn android
        aggressive=no
        compress=no
        dpdaction=clear
        forceencaps=yes
        rekey=no
        reauth=no
        ikelifetime=24h
        authby=xauthpsk
        xauth=server
        left=YOURS_SERVER_IP
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        rightsubnet=0.0.0.0/0
        rightsourceip=10.2.0.0/24
        auto=add
This is a PSK-based profile; it needs the corresponding entries in /etc/ipsec.secrets :
%any YOURS_SERVER_IP : PSK "YOURS_PSK"
: PSK YOURS_PSK
user : XAUTH "userpass"
25.10.2012 18:59, Clarence wrote:
> Hi All...
>
> I've been banging my head against the wall for about a week now and
> I cant get my Motorola Droid Pro phone to connect to the StrongSwan 5.0.1.
>
> This is the deal... It worked with StrongSwan v4.5.2 but as soon as I
> upgraded to 5.0.1 it broke. I
>
> I think it maybe failing to connect because of the following 3 lines:
> -- Oct 24 16:49:36 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED,
> not using ESPv3 TFC padding
> -- Oct 24 16:49:36 16[CFG] received proposals:
> ESP:AES_GCM_16_256/NO_EXT_SEQ
> -- Oct 24 16:49:36 16[CFG] configured proposals: ... <see below>
>
> I also tried several different settings for the "esp=" and the "ike="
> options. We also changed the
> templates file that Authentec uses to setup new VPN connections. I
> have even created a template that
> matches the settings that are suggested in the charon.log
> file("configured proposals:" line.) and it still fails to connect.
>
> Is the new StrongSwan incompatible with Android Froyo phones (
> Motorola Droid Pro)???
>
> -------------------- ipsec.conf -------------------
>
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         # charonstart=yes
>         # plutostart=no
>
> conn MOTOROLA
>         left=1.1.1.51 #outside source ip
>         leftsubnet=0.0.0.0/0
>         leftcert=MOTOROLA.pem
>         right=%any
>         rightsourceip=192.168.151.128/25
>         keyexchange=ikev2
>         auto=add
>         forceencaps=yes
>         # esp=aes256gcm16,aes128gcm16!
>         # AES_GCM_16_256
>         # ike=aes128-sha384-modp2048,aes256-sha384-modp2048!
>         leftfirewall=no
>
> -------------------------------------- charon.log
> -------------------------------------------
>
> Oct 24 16:49:36 03[NET] received packet: from 1.1.1.58[60500] to
> 1.1.1.51[500]
> Oct 24 16:49:36 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) V ]
> Oct 24 16:49:36 03[ENC] received unknown vendor ID:
> ff:44:ff:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
> Oct 24 16:49:36 03[IKE] 1.1.1.58 is initiating an IKE_SA
> Oct 24 16:49:36 03[IKE] faking NAT situation to enforce UDP encapsulation
> Oct 24 16:49:36 03[IKE] sending cert request for "C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 24 16:49:36 03[NET] sending packet: from 1.1.1.51[500] to
> 1.1.1.58[60500]
> Oct 24 16:49:36 16[NET] received packet: from 1.1.1.58[64500] to
> 1.1.1.51[4500]
> Oct 24 16:49:36 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ
> AUTH CP(MASK ADDR DNS) SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT)
> N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
> Oct 24 16:49:36 16[IKE] received cert request for "C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 16[IKE] received end entity cert "C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
> Oct 24 16:49:36 16[CFG] looking for peer configs matching
> 1.1.1.51[%any]...1.1.1.58[C=US, ST=Florida, L=TimBuck2, O=ABC123,
> OU=ABC, CN=0128-1024-MOTOROLA]
> Oct 24 16:49:36 16[CFG] selected peer config 'MOTOROLA'
> Oct 24 16:49:36 16[CFG] using certificate "C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
> Oct 24 16:49:36 16[CFG] using trusted ca certificate "C=US,
> ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 16[CFG] checking certificate status of "C=US,
> ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
> Oct 24 16:49:36 16[CFG] certificate status is not available
> Oct 24 16:49:36 16[CFG] reached self-signed root ca with a path length
> of 0
> Oct 24 16:49:36 16[IKE] authentication of 'C=US, ST=Florida, L=TimBuck2,
> O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' with RSA signature successful
> Oct 24 16:49:36 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not
> using ESPv3 TFC padding
> Oct 24 16:49:36 16[IKE] destroying duplicate IKE_SA for peer 'C=US,
> ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA',
> received INITIAL_CONTACT
> Oct 24 16:49:36 16[CFG] lease 192.168.151.129 by 'C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' went offline
> Oct 24 16:49:36 16[IKE] authentication of 'C=US, ST=Florida, L=TimBuck2,
> O=ABC123, OU=ABC, CN=crap-cacert-2048-GD' (myself) with RSA signature
> successful
> Oct 24 16:49:36 16[IKE] IKE_SA MOTOROLA[15] established between
> 1.1.1.51[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC,
> CN=crap-cacert-2048-GD]...1.1.1.58[C=US, ST=Florida, L=TimBuck2,
> O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA]
> Oct 24 16:49:36 16[IKE] scheduling reauthentication in 10160s
> Oct 24 16:49:36 16[IKE] maximum IKE_SA lifetime 10700s
> Oct 24 16:49:36 16[IKE] sending end entity cert "C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 16[IKE] peer requested virtual IP %any
> Oct 24 16:49:36 16[CFG] reassigning offline lease to 'C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA'
> Oct 24 16:49:36 16[IKE] assigning virtual IP 192.168.151.129 to peer
> 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA'
> Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
> Oct 24 16:49:36 16[CFG] configured proposals:
> ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ,
> ESP:3DES_CBC/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Oct 24 16:49:36 16[IKE] no acceptable proposal found
> Oct 24 16:49:36 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
> Oct 24 16:49:36 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH
> CP(ADDR DNS) N(AUTH_LFT) N(NO_PROP) ]
> Oct 24 16:49:36 16[NET] sending packet: from 1.1.1.51[4500] to
> 1.1.1.58[64500]
> Oct 24 19:38:56 03[IKE] initiator did not reauthenticate as requested
> Oct 24 19:38:56 03[IKE] IKE_SA MOTOROLA[15] will timeout in 9 minutes
> Oct 24 19:47:56 05[IKE] deleting IKE_SA MOTOROLA[15] between
> 1.1.1.51[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC,
> CN=crap-cacert-2048-GD]...1.1.1.58[C=US, ST=Florida, L=TimBuck2,
> O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA]
> Oct 24 19:47:56 05[IKE] sending DELETE for IKE_SA MOTOROLA[15]
> Oct 24 19:47:56 05[ENC] generating INFORMATIONAL request 0 [ D ]
> Oct 24 19:47:56 05[NET] sending packet: from 1.1.1.51[4500] to
> 1.1.1.58[64500]
> Oct 24 19:48:00 15[IKE] retransmit 1 of request with message ID 0
> Oct 24 19:48:00 15[NET] sending packet: from 1.1.1.51[4500] to
> 1.1.1.58[64500]
> Oct 24 19:48:07 01[IKE] retransmit 2 of request with message ID 0
> Oct 24 19:48:07 01[NET] sending packet: from 1.1.1.51[4500] to
> 1.1.1.58[64500]
> Oct 24 19:48:20 02[IKE] retransmit 3 of request with message ID 0
> Oct 24 19:48:20 02[NET] sending packet: from 1.1.1.51[4500] to
> 1.1.1.58[64500]
> Oct 24 19:48:44 04[IKE] retransmit 4 of request with message ID 0
> Oct 24 19:48:44 04[NET] sending packet: from 1.1.1.51[4500] to
> 1.1.1.58[64500]
> Oct 24 19:49:26 03[IKE] retransmit 5 of request with message ID 0
> Oct 24 19:49:26 03[NET] sending packet: from 1.1.1.51[4500] to
> 1.1.1.58[64500]
> Oct 24 19:50:41 16[IKE] giving up after 5 retransmits
> Oct 24 19:50:41 16[IKE] proper IKE_SA delete failed, peer not responding
> Oct 24 19:50:41 16[CFG] lease 192.168.151.129 by 'C=US, ST=Florida,
> L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' went offline
>
>
Best Regards,
Dmitry
---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg
e: dmitry.korzhevin at stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
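The quoted charon.log shows the phone offering ESP:AES_GCM_16_256/NO_EXT_SEQ while the server's configured proposals list only CBC ciphers with separate integrity algorithms, which is what produces "no acceptable proposal found". The following script, an added example and not part of this thread or of strongSwan, parses the two "proposals:" lines from a constructed log excerpt and reports which peer ciphers no configured proposal accepts; its matching rule is a simplified approximation of charon's proposal selection, not its exact code.

```python
import re

# Constructed sample modelled on the quoted charon.log (not the original lines);
# charon writes each "proposals:" list on a single line.
SAMPLE_LOG = """\
Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Oct 24 16:49:36 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Oct 24 16:49:36 16[IKE] no acceptable proposal found
"""

def transform_type(alg):
    """Map a charon algorithm name to its ESP transform type."""
    if alg.startswith(("MODP_", "ECP_")):
        return "dh"
    if alg.endswith("EXT_SEQ"):
        return "esn"
    if alg.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "integ"
    return "enc"  # AEAD ciphers such as AES_GCM_16_256 land here too

def parse_proposals(log):
    """Return {'received': [...], 'configured': [...]}; each proposal is a
    dict mapping transform type -> set of algorithm names."""
    result = {}
    for kind in ("received", "configured"):
        m = re.search(kind + r" proposals: (.+)", log)
        proposals = []
        for prop in m.group(1).split(","):
            algs = prop.strip().split(":", 1)[1].split("/")  # drop "ESP:"
            typed = {}
            for alg in algs:
                typed.setdefault(transform_type(alg), set()).add(alg)
            proposals.append(typed)
        result[kind] = proposals
    return result

def acceptable(received, configured):
    """Approximation of strongSwan's selection: every transform type the
    configured proposal lists must share an algorithm with the peer's."""
    return all(algs & received.get(t, set()) for t, algs in configured.items())

def unmatched_ciphers(log):
    """Peer encryption algorithms that no configured proposal accepts; a
    non-empty result explains a 'no acceptable proposal found' line."""
    p = parse_proposals(log)
    return sorted(
        alg for r in p["received"] for alg in r.get("enc", set())
        if not any(acceptable(r, c) for c in p["configured"]))

if __name__ == "__main__":
    print("peer ciphers not accepted:", unmatched_ciphers(SAMPLE_LOG))
```

Run against a real charon.log the output names the cipher the server-side esp= line would have to offer for the CHILD_SA to come up.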