[strongSwan] Upgraded from 4.5.2 and now Motorola Droid Pro is broken

Dmitry Korzhevin dmitry.korzhevin at stidia.com
Fri Oct 26 00:54:57 CEST 2012


Hi,

Try adding the following profile to your /etc/ipsec.conf:

conn android
         aggressive=no
         compress=no
         dpdaction=clear
         forceencaps=yes
         rekey=no
         reauth=no
         ikelifetime=24h
         authby=xauthpsk
         xauth=server
         left=YOURS_SERVER_IP
         leftsubnet=0.0.0.0/0
         leftfirewall=yes
         right=%any
         rightsubnet=0.0.0.0/0
         rightsourceip=10.2.0.0/24
         auto=add

This is a PSK-based profile; it needs similar settings in /etc/ipsec.secrets:

%any YOURS_SERVER_IP : PSK "YOURS_PSK"
  : PSK YOURS_PSK

user : XAUTH "userpass"



25.10.2012 18:59, Clarence wrote:
> Hi All...
>
>     I've been banging my head against the wall for about a week now and
> I can't get my Motorola Droid Pro phone to connect to the StrongSwan 5.0.1.
>
>   This is the deal...  It worked with StrongSwan v4.5.2 but as soon as I
> upgraded to 5.0.1 it broke.  I
>
>
>
>   I think it may be failing to connect because of the following 3 lines:
>    -- Oct 24 16:49:36 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>    -- Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
>    -- Oct 24 16:49:36 16[CFG] configured proposals:  ... <see below>
>
>   I also tried several different settings for the "esp=" and the "ike=" options. We also changed the
>   templates file that Authentec uses to set up new VPN connections. I have even created a template that
>   matches the settings that are suggested in the charon.log file ("configured proposals:" line) and it still fails to connect.
>
>    Is the new StrongSwan incompatible with Android Froyo phones (
> Motorola Droid Pro)???
>
>
>
>
> --------------------   ipsec.conf  -------------------
>
> config setup
>        # plutodebug=all
>        # crlcheckinterval=600
>        # strictcrlpolicy=yes
>        # strictcrlpolicy=no
>        # cachecrls=yes
>        # nat_traversal=yes
>        # charonstart=yes
>        # plutostart=no
>
> conn MOTOROLA
>        left=1.1.1.51 #outside source ip
>        leftsubnet=0.0.0.0/0
>        leftcert=MOTOROLA.pem
>        right=%any
>        rightsourceip=192.168.151.128/25
>        keyexchange=ikev2
>        auto=add
>        forceencaps=yes
>        # esp=aes256gcm16,aes128gcm16!
>        # AES_GCM_16_256
>        # ike=aes128-sha384-modp2048,aes256-sha384-modp2048!
>        leftfirewall=no
>
>
>
>
>   --------------------------------------  charon.log  -------------------------------------------
>
> Oct 24 16:49:36 03[NET] received packet: from 1.1.1.58[60500] to 1.1.1.51[500]
> Oct 24 16:49:36 03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
> Oct 24 16:49:36 03[ENC] received unknown vendor ID: ff:44:ff:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
> Oct 24 16:49:36 03[IKE] 1.1.1.58 is initiating an IKE_SA
> Oct 24 16:49:36 03[IKE] faking NAT situation to enforce UDP encapsulation
> Oct 24 16:49:36 03[IKE] sending cert request for "C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 03[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Oct 24 16:49:36 03[NET] sending packet: from 1.1.1.51[500] to 1.1.1.58[60500]
> Oct 24 16:49:36 16[NET] received packet: from 1.1.1.58[64500] to 1.1.1.51[4500]
> Oct 24 16:49:36 16[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH CP(MASK ADDR DNS) SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
> Oct 24 16:49:36 16[IKE] received cert request for "C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 16[IKE] received end entity cert "C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
> Oct 24 16:49:36 16[CFG] looking for peer configs matching 1.1.1.51[%any]...1.1.1.58[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA]
> Oct 24 16:49:36 16[CFG] selected peer config 'MOTOROLA'
> Oct 24 16:49:36 16[CFG]   using certificate "C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
> Oct 24 16:49:36 16[CFG]   using trusted ca certificate "C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 16[CFG] checking certificate status of "C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA"
> Oct 24 16:49:36 16[CFG] certificate status is not available
> Oct 24 16:49:36 16[CFG]   reached self-signed root ca with a path length of 0
> Oct 24 16:49:36 16[IKE] authentication of 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' with RSA signature successful
> Oct 24 16:49:36 16[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Oct 24 16:49:36 16[IKE] destroying duplicate IKE_SA for peer 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA', received INITIAL_CONTACT
> Oct 24 16:49:36 16[CFG] lease 192.168.151.129 by 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' went offline
> Oct 24 16:49:36 16[IKE] authentication of 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD' (myself) with RSA signature successful
> Oct 24 16:49:36 16[IKE] IKE_SA MOTOROLA[15] established between 1.1.1.51[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD]...1.1.1.58[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA]
> Oct 24 16:49:36 16[IKE] scheduling reauthentication in 10160s
> Oct 24 16:49:36 16[IKE] maximum IKE_SA lifetime 10700s
> Oct 24 16:49:36 16[IKE] sending end entity cert "C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD"
> Oct 24 16:49:36 16[IKE] peer requested virtual IP %any
> Oct 24 16:49:36 16[CFG] reassigning offline lease to 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA'
> Oct 24 16:49:36 16[IKE] assigning virtual IP 192.168.151.129 to peer 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA'
> Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
> Oct 24 16:49:36 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Oct 24 16:49:36 16[IKE] no acceptable proposal found
> Oct 24 16:49:36 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
> Oct 24 16:49:36 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(AUTH_LFT) N(NO_PROP) ]
> Oct 24 16:49:36 16[NET] sending packet: from 1.1.1.51[4500] to 1.1.1.58[64500]
> Oct 24 19:38:56 03[IKE] initiator did not reauthenticate as requested
> Oct 24 19:38:56 03[IKE] IKE_SA MOTOROLA[15] will timeout in 9 minutes
> Oct 24 19:47:56 05[IKE] deleting IKE_SA MOTOROLA[15] between 1.1.1.51[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=crap-cacert-2048-GD]...1.1.1.58[C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA]
> Oct 24 19:47:56 05[IKE] sending DELETE for IKE_SA MOTOROLA[15]
> Oct 24 19:47:56 05[ENC] generating INFORMATIONAL request 0 [ D ]
> Oct 24 19:47:56 05[NET] sending packet: from 1.1.1.51[4500] to 1.1.1.58[64500]
> Oct 24 19:48:00 15[IKE] retransmit 1 of request with message ID 0
> Oct 24 19:48:00 15[NET] sending packet: from 1.1.1.51[4500] to 1.1.1.58[64500]
> Oct 24 19:48:07 01[IKE] retransmit 2 of request with message ID 0
> Oct 24 19:48:07 01[NET] sending packet: from 1.1.1.51[4500] to 1.1.1.58[64500]
> Oct 24 19:48:20 02[IKE] retransmit 3 of request with message ID 0
> Oct 24 19:48:20 02[NET] sending packet: from 1.1.1.51[4500] to 1.1.1.58[64500]
> Oct 24 19:48:44 04[IKE] retransmit 4 of request with message ID 0
> Oct 24 19:48:44 04[NET] sending packet: from 1.1.1.51[4500] to 1.1.1.58[64500]
> Oct 24 19:49:26 03[IKE] retransmit 5 of request with message ID 0
> Oct 24 19:49:26 03[NET] sending packet: from 1.1.1.51[4500] to 1.1.1.58[64500]
> Oct 24 19:50:41 16[IKE] giving up after 5 retransmits
> Oct 24 19:50:41 16[IKE] proper IKE_SA delete failed, peer not responding
> Oct 24 19:50:41 16[CFG] lease 192.168.151.129 by 'C=US, ST=Florida, L=TimBuck2, O=ABC123, OU=ABC, CN=0128-1024-MOTOROLA' went offline
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>

Best Regards,
Dmitry

---
Dmitry KORZHEVIN
System Administrator
STIDIA S.A. - Luxembourg

e: dmitry.korzhevin at stidia.com
m: +38 093 874 5453
w: http://www.stidia.com
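The "no acceptable proposal found" in the quoted charon.log follows directly from the two CFG lines before it: the phone offers only ESP:AES_GCM_16_256 while every configured proposal lists CBC ciphers with a separate integrity algorithm. The script below is an added example, not part of this thread or of strongSwan; it parses those two log lines and reports, per configured proposal, which transform type blocks the match. The classification of algorithm names by prefix is an assumption of this example.

```python
import re
# Constructed sample: the two CFG lines from the charon.log above (configured line re-joined).
SAMPLE_LOG = """\
Oct 24 16:49:36 16[CFG] received proposals: ESP:AES_GCM_16_256/NO_EXT_SEQ
Oct 24 16:49:36 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
"""
# Transform type by algorithm-name prefix (assumption of this example; strongSwan
# matches parsed IKEv2 transform IDs, not these log strings).
TYPE_PREFIXES = {
    "encr":  ("AES_GCM", "AES_CCM", "CHACHA20", "AES_CBC", "AES_CTR",
              "3DES", "BLOWFISH", "CAMELLIA"),
    "integ": ("HMAC_", "AES_XCBC", "AES_CMAC"),
    "dh":    ("MODP_", "ECP_", "CURVE_"),
    "esn":   ("NO_EXT_SEQ", "EXT_SEQ"),
}

def parse_proposals(line):
    """One 'proposals:' log line -> list of {transform type: set of algorithms}."""
    body = line.split("proposals:", 1)[1]
    proposals = []
    for prop in re.findall(r"ESP:([A-Z0-9_/]+)", body):
        typed = {t: set() for t in TYPE_PREFIXES}
        for alg in prop.split("/"):
            for ttype, prefixes in TYPE_PREFIXES.items():
                if alg.startswith(prefixes):
                    typed[ttype].add(alg)
        proposals.append(typed)
    return proposals

def blocking_type(received, configured):
    """First transform type on which `configured` can select nothing from
    `received`; None when the two proposals are compatible."""
    for ttype in ("encr", "integ", "dh", "esn"):
        want, have = configured[ttype], received[ttype]
        if ttype == "dh" and not have:
            continue  # first CHILD_SA (IKE_AUTH) carries no DH group; the
                      # configured group only applies to later rekeys
        if (want or have) and not (want & have):
            return ttype  # no common algorithm, or only one side has the type
    return None

def diagnose(log_text):
    """Blocking type for every received x configured pair (None = match)."""
    received, configured = [], []
    for line in log_text.splitlines():
        if "received proposals:" in line:
            received = parse_proposals(line)
        elif "configured proposals:" in line:
            configured = parse_proposals(line)
    return [blocking_type(r, c) for r in received for c in configured]
```

`diagnose(SAMPLE_LOG)` returns `"encr"` for all three configured proposals; adding a GCM entry (for example `esp=aes256gcm16`, as the commented-out line in the quoted ipsec.conf suggests) makes the same received proposal match.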


