[strongSwan] IPsec tunnel to Android device not created even though there is an IPsec SA
Quentin Swain
qswain at tresys.com
Wed Oct 31 16:10:00 CET 2012
I'm trying to configure a VPN tunnel between an Android device running 4.1 and a Fedora 17 Linux box running strongSwan 5.0. The device reports that it is connected, and strongswan statusall returns that there is an IPsec SA, but doesn't display a tunnel. I followed the instructions in the wiki for iOS 4 to generate certificates and configure strongSwan. Since Android uses a modified version of racoon this should work, and since the connection is partly established, I think I am on the right track. I don't see any errors about not being able to create the tunnel. Could anyone advise as to what I might be missing or may have misconfigured? I posted this question on serverfault as well: http://serverfault.com/questions/444053/ipsec-tunnel-to-android-device-not-created-even-though-there-is-and-ipsec-sa
This is the configuration for the strongswan connection
conn android2
        keyexchange=ikev1
        # gateway authenticates with an RSA signature, client additionally via XAuth
        authby=xauthrsasig
        xauth=server
        left=96.244.142.28
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        leftcert=serverCert.pem
        right=%any
        rightsubnet=10.0.0.0/24
        # virtual IP handed to the client via ModeConfig
        rightsourceip=10.0.0.2
        rightcert=clientCert.pem
        ike=aes256-sha1-modp1024
        auto=add
This is the output of strongswan statusall:
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64):
uptime: 20 minutes, since Oct 31 10:27:31 2012
malloc: sbrk 270336, mmap 0, used 198144, free 72192
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
android-hybrid: 1/0/0
android2: 1/1/0
Listening IP addresses:
96.244.142.28
Connections:
android-hybrid: %any...%any IKEv1
android-hybrid: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
android-hybrid: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
android-hybrid: remote: [%any] uses XAuth authentication: any
android-hybrid: child: dynamic === dynamic TUNNEL
android2: 96.244.142.28...%any IKEv1
android2: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
android2: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
android2: remote: [C=CH, O=strongSwan, CN=client] uses public key authentication
android2: cert: "C=CH, O=strongSwan, CN=client"
android2: remote: [%any] uses XAuth authentication: any
android2: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
android2[3]: ESTABLISHED 10 seconds ago, 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
android2[3]: Remote XAuth identity: android
android2[3]: IKEv1 SPIs: 4151e371ad46b20d_i 59a56390d74792d2_r*, public key reauthentication in 56 minutes
android2[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Thanks,
Quentin
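The status output above is the signature of an IKE SA that has completed Phase 1 (and XAuth) while no CHILD_SA was ever installed: the `android2[3]: ESTABLISHED` line is present, but there is no `android2{n}: INSTALLED, TUNNEL, ESP SPIs: ...` line under it, so no ESP SA or kernel policy exists and no traffic is actually protected. The following is an added example, not code from the original post or from the strongSwan project: a small parser that reads `statusall` output and reports every ESTABLISHED IKE SA that has no INSTALLED CHILD_SA. It assumes only the line layout visible above (IKE SA lines written as `name[id]:`, CHILD_SA lines as `name{id}:`). The first sample is the poster's own output; the second, "healthy" sample is constructed for contrast and its ESP SPI values are made up.

```python
import re
from dataclasses import dataclass, field

# IKE SA lines look like "android2[3]: ESTABLISHED 10 seconds ago, ..."
# Only lines whose third token is a real IKE SA state are treated as a new SA;
# this keeps detail lines such as "android2[3]: IKE proposal: ..." from matching.
IKE_STATES = r"ESTABLISHED|CONNECTING|CREATED|REKEYING|REKEYED|DELETING|DESTROYING|PASSIVE"
IKE_RE = re.compile(r"^(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<state>%s)(?=[\s,]|$)" % IKE_STATES)

# CHILD_SA lines look like "android2{1}:  INSTALLED, TUNNEL, ESP SPIs: ..."
CHILD_STATES = r"INSTALLED|INSTALLING|CREATED|ROUTED|REKEYING|REKEYED|DELETING|UPDATING|RETRYING"
CHILD_RE = re.compile(r"^(?P<conn>[^\{\s]+)\{(?P<id>\d+)\}:\s+(?P<state>%s)(?=[\s,]|$)" % CHILD_STATES)


@dataclass
class IkeSa:
    conn: str
    id: int
    state: str
    children: list = field(default_factory=list)  # (child_id, child_state) pairs


def parse_statusall(text):
    """Parse the 'Security Associations' section of `ipsec statusall` output.

    Returns a list of IkeSa objects in the order they appear; CHILD_SA lines are
    attached to the IKE SA that precedes them in the output.
    """
    sas = []
    current = None
    in_sa_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Security Associations"):
            in_sa_section = True
            continue
        if not in_sa_section:
            continue
        m = IKE_RE.match(line)
        if m:
            current = IkeSa(m["conn"], int(m["id"]), m["state"])
            sas.append(current)
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:
            current.children.append((int(m["id"]), m["state"]))
    return sas


def ike_sas_without_child(sas):
    """Return the established IKE SAs that carry no INSTALLED CHILD_SA.

    An IKE SA in this state means authentication succeeded but Quick Mode
    never produced an ESP SA: nothing is encrypted yet, whatever the client UI says.
    """
    return [sa for sa in sas
            if sa.state == "ESTABLISHED"
            and not any(state == "INSTALLED" for _, state in sa.children)]


def report(text):
    """Human-readable one-line verdict per IKE SA."""
    lines = []
    for sa in parse_statusall(text):
        installed = [cid for cid, st in sa.children if st == "INSTALLED"]
        if sa.state == "ESTABLISHED" and not installed:
            lines.append("%s[%d]: IKE SA established but NO CHILD_SA installed (no tunnel)" % (sa.conn, sa.id))
        else:
            lines.append("%s[%d]: %s, CHILD_SAs installed: %s" % (sa.conn, sa.id, sa.state, installed or "none"))
    return lines


# Sample 1: the poster's own statusall output (SA section only).
POSTED_STATUS = """\
Security Associations (1 up, 0 connecting):
    android2[3]: ESTABLISHED 10 seconds ago, 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
    android2[3]: Remote XAuth identity: android
    android2[3]: IKEv1 SPIs: 4151e371ad46b20d_i 59a56390d74792d2_r*, public key reauthentication in 56 minutes
    android2[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# Sample 2: constructed output for a working tunnel (SPI values are made up).
HEALTHY_STATUS = """\
Security Associations (1 up, 0 connecting):
    android2[4]: ESTABLISHED 3 seconds ago, 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
    android2[4]: Remote XAuth identity: android
    android2[4]: IKEv1 SPIs: 0123456789abcdef_i fedcba9876543210_r*, public key reauthentication in 56 minutes
    android2[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    android2{1}:  INSTALLED, TUNNEL, ESP SPIs: c0a80001_i c0a80002_o
    android2{1}:   0.0.0.0/0 === 10.0.0.2/32
"""

if __name__ == "__main__":
    for sample in (POSTED_STATUS, HEALTHY_STATUS):
        for line in report(sample):
            print(line)
```

Run it against live output with `ipsec statusall | python3 check_sas.py` style piping if you adapt `__main__` to read stdin; the useful check is the absence of an INSTALLED CHILD_SA, which `ipsec status` also exposes and which the Android "Connected" indicator does not.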