[strongSwan] How to: ad hoc network between Linux and Android, IPsec IKEv2

mfhproject camaja mfhproject at gmail.com
Fri Feb 1 14:29:43 CET 2013


Hello,

I am new to the world of IPsec. I would like to set up a secure
connection (IKEv2) between my Android phone and my PC. Both devices run
the strongSwan software. My computer provides the ad hoc Wi-Fi network
and my phone connects to it.

I'm using Android 4.0.3 on an HTC phone (rooted) with strongSwan
5.0.2dr4.
The ZT-180 Adhoc Switch application allows me to connect to my PC.
The computer runs Ubuntu 11.04 with strongSwan 4.5.0.

Below I list all the steps I followed, and the log output from the
strongSwan app on my phone.

Can you tell me what I need to change for this to work?
Once it works, these documents will be used to make a tutorial for IPSec
communication between a computer and an android phone.

Thank you in advance for your participation.



gedit /etc/ssl/openssl.conf

#-------------------------------------------------------------- start of openssl.conf -----------------------------------------------------------------------
# openssl.conf for the private CA used in this setup; read by the
# 'openssl req' and 'openssl ca' commands that follow.
[ ca ]
default_ca    = CA_default        # The default ca section

[ CA_default ]
dir        = /etc/ipsec.d        # Where everything is kept
certs        = $dir/certs        # Where the issued certs are kept
# created below with 'touch index.txt'
database    = $dir/index.txt    # database index file.
# created below with 'mkdir newcerts'
new_certs_dir    = $dir/newcerts        # default place for new certs.
certificate    = $dir/cacerts/strongswanCert.pem     # The CA certificate
# initialised below with 'echo "00" > serial'
serial        = $dir/serial         # The current serial number
# NOTE(review): this same key is later referenced from ipsec.secrets as the
# gateway's RSA key, so the CA key doubles as the gateway's IKE key.
private_key    = $dir/private/strongswanKey.pem    # The private key
RANDFILE    = $dir/private/.rand    # private random number file

# extensions for certificates issued by 'openssl ca' (end-entity certs)
x509_extensions    = usr_cert            # The extentions to add to the cert

default_days    = 365                # how long to certify for
# NOTE(review): sha1 signatures are considered weak today and are rejected by
# a growing number of clients; sha256 is the usual choice.
default_md    = sha1                # which md to use.
preserve    = no                # keep passed DN ordering
policy        = policy_match

# 'openssl ca' only signs requests whose C, ST and O equal the CA's own.
# Fields not listed here (e.g. localityName) are dropped from the issued
# certificate -- which is why the signed host certificate in the logs below
# has no L= component although the request defaults include Angers.
[ policy_match ]
countryName        = match
stateOrProvinceName    = match
organizationName    = match
organizationalUnitName    = optional
commonName        = supplied
emailAddress        = optional

[ req ]
# only used when -newkey gives no size; both commands below pass one
# (rsa:2048 for the CA, rsa:1024 for the host). NOTE(review): 1024-bit RSA is
# below current minimum recommendations (2048 or more).
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name    = req_distinguished_name
attributes        = req_attributes
# extensions for the self-signed CA certificate made with 'openssl req -x509'
x509_extensions        = v3_ca

# prompts and defaults for the subject DN
[ req_distinguished_name ]
countryName            = Country Name (2 letter code)
countryName_default        = FR
countryName_min            = 2
countryName_max            = 2

stateOrProvinceName        = State or Province Name (full name)
stateOrProvinceName_default    = France

localityName            = Locality Name (eg, city)
localityName_default        = Angers

0.organizationName        = Organization Name (eg, company)
0.organizationName_default    = myCompany

organizationalUnitName        = Organizational Unit Name (eg, section)
organizationalUnitName_default     = myUnit

commonName        = Common Name (eg, YOUR name)
commonName_max        = 64

emailAddress        = Email Address
emailAddress_max    = 64

# extra request attributes (not copied into the certificate)
[ req_attributes ]
challengePassword    = A challenge password
challengePassword_min    = 4
challengePassword_max    = 20
unstructuredName    = An optional company name

# End-entity certificate extensions (x509_extensions in [ CA_default ]).
# NOTE(review): no subjectAltName is added; strongSwan matches FQDN/e-mail
# identities such as leftid=@example.com against subjectAltName, not the CN --
# confirm before relying on such IDs.
[ usr_cert ]
basicConstraints    = CA:FALSE
nsComment        = "OpenSSL Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier    = keyid,issuer

# CA certificate extensions (x509_extensions in [ req ]). A certificate with
# CA:true is a CA certificate and is not meant to be presented as a gateway's
# own end-entity certificate.
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier    = keyid:always,issuer:always
basicConstraints    = CA:true

# only used with 'openssl req -extensions v3_req'; not referenced elsewhere here
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

#--------------------------------------------------------------- end of openssl.conf ------------------------------------------------------------------------


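cd /etc/ipsec.d

# Create the CA: self-signed certificate, 365 days, 2048-bit RSA key, using the
# [ req ] / [ v3_ca ] sections of openssl.conf above. The key is written
# passphrase-protected (prompt below); it is the trust anchor of the whole
# setup, so keep it and its passphrase out of anything copied to the phone.
openssl req -x509 -days 365 -newkey rsa:2048 -keyout private/strongswanKey.pem -out cacerts/strongswanCert.pem

#Enter PEM pass phrase: 1234
#Verifying - Enter PEM pass phrase: 1234
#Country Name (2 letter code) [FR]:FR
#State or Province Name (full name) [France]:France
#Locality Name (eg, city) [Angers]:Angers
#Organization Name (eg, company) [myCompany]:myCompany
#Organization Unit Name (eg, section) [myUnit]:myUnit
#Common Name (eg, YOUR name) []:example.com
#Email Address []:root at example.com

# Copies the CA certificate into certs/ as well. This is the file that
# leftcert=strongswanCert.pem in ipsec.conf refers to (relative leftcert paths
# are looked up under /etc/ipsec.d/certs by default), so the gateway later
# presents the CA certificate as its own -- see the note in ipsec.conf.
cp cacerts/strongswanCert.pem certs/

# Bookkeeping files that [ CA_default ] expects before 'openssl ca' can sign
mkdir newcerts    #If Dir not exist
touch index.txt
echo "00" > serial

# Key and certificate request for the 'host' end-entity certificate (the
# identity later packed into host.p12 for the phone).
# NOTE(review): rsa:1024 is weak by today's standards; rsa:2048 matches the CA key.
openssl req -newkey rsa:1024 -keyout private/hostKey.pem -out reqs/hostReq.pem

#Country Name (2 letter code) [FR]:FR
#State or Province Name (full name) [France]:France
#Locality Name (eg, city) [Angers]:Angers
#Organization Name (eg, company) [myCompany]:myCompany
#Organization Unit Name (eg, section) [myUnit]:myUnit
#Common Name (eg, YOUR name) []:user.com
#Email Address []:root at user.com
#A challenge password: hello
#An optional company name[]: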

gedit index.txt.attr
#-------------------------------------------------------------- start of index.txt.attr -----------------------------------------------------------------------
# Let 'openssl ca' issue more than one certificate for the same subject DN
# (otherwise re-signing a request with an identical DN is refused).
unique_subject = no
#--------------------------------------------------------------- end of index.txt.attr ------------------------------------------------------------------------

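# Sign the host request with the CA for two years; -notext omits the
# human-readable dump so the output holds only the PEM certificate.
openssl ca -in reqs/hostReq.pem -days 730 -out certs/hostCert.pem -notext

# Bundle the host private key, the host certificate and the CA certificate into
# one PKCS#12 file for import on the phone. The bundle contains the private key
# and is protected only by the export password prompted for here.
openssl pkcs12 -export -inkey private/hostKey.pem -in certs/hostCert.pem -name "host" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out host.p12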

gedit /etc/ipsec.secrets
#-------------------------------------------------------------- start of ipsec.secrets -----------------------------------------------------------------------
# RSA private key for the gateway's own certificate (leftcert); the quoted
# string is the PEM passphrase used when the key was created.
# NOTE(review): this is the CA key from private/strongswanKey.pem, so the
# gateway authenticates with the CA's key pair rather than with a certificate
# issued by the CA -- confirm this is intended.
:RSA strongswanKey.pem    "1234"
# EAP credentials (username:EAP "password") for the phone's EAP-MSCHAPv2
# profile; stored in clear text, so this file must stay readable by root only.
test:EAP "hello"
#--------------------------------------------------------------- end of ipsec.secrets ------------------------------------------------------------------------

gedit /etc/ipsec.conf
#-------------------------------------------------------------- start of ipsec.conf -----------------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file
# Gateway (PC, strongSwan 4.5.0) side of the tunnel; the phone is the initiator.

config setup
    # start charon, the IKEv2 daemon
    charonstart=yes
    # a new IKE_SA from a peer with an already-connected ID replaces the old one
    uniqueids=yes

# Defaults inherited by every conn below.
# NOTE(review): authby/leftrsasigkey/rightrsasigkey are the legacy
# authentication settings; the leftauth/rightauth values set in 'conn android'
# are expected to take precedence over them -- confirm against the 4.5.0 man page.
conn %default
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=1
    keylife=20m
    ikelifetime=240m

# Roadwarrior connection: left = this gateway, right = the phone.
# Both client logs end with this gateway sending AUTHENTICATION_FAILED; that
# notify carries no reason, so the gateway's own charon log (syslog, typically
# /var/log/auth.log on Ubuntu) is needed to see which check failed.
conn android
    # offer all traffic to the client
    leftsubnet=0.0.0.0/0
    # NOTE(review): strongswanCert.pem is the self-signed CA certificate
    # (basicConstraints CA:true from [ v3_ca ]). A gateway is expected to
    # present an end-entity certificate issued by that CA; issuing one for the
    # gateway, as was done for 'host', is the first thing to check.
    leftcert=strongswanCert.pem
    leftauth=pubkey
    # NOTE(review): an FQDN identity; strongSwan matches it against the
    # certificate's subjectAltName, not the CN, and [ usr_cert ]/[ v3_ca ]
    # above add no subjectAltName -- confirm the gateway certificate carries one.
    leftid=@example.com
    # accept clients from any address
    right=%any
    # the phone authenticates with EAP-MSCHAPv2 (test:EAP in ipsec.secrets)
    rightauth=eap-mschapv2
    # NOTE(review): if I read this option right, 'never' means the gateway sends
    # no CERTREQ to the peer; the IKE_SA_INIT responses in both logs indeed have
    # none, and a strongSwan client sends its certificate only when asked by
    # default -- consistent with the second attempt's IKE_AUTH carrying AUTH but
    # no CERT payload.
    rightsendcert=never
    # NOTE(review): pins the peer to one certificate although rightauth above
    # asks for EAP, and the phone's EAP-only IKE_AUTH request (first log) carries
    # no CERT payload. Drop rightcert for the EAP profile, or use
    # rightauth=pubkey for the certificate profile.
    rightcert=hostCert.pem
    keyexchange=ikev2
    # look up the EAP secret by the identity the client sends inside EAP
    eap_identity=%any
    # NOTE(review): auto=route installs a trap policy for on-demand initiation;
    # a responder for right=%any clients normally uses auto=add -- confirm.
    auto=route
#--------------------------------------------------------------- end of ipsec.conf ------------------------------------------------------------------------

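# Copy the PKCS#12 bundle and the CA certificate to the phone's SD card
# (android 4.0+). host.p12 contains the host private key; remove it from the
# card once it has been imported into the strongSwan app.
cp host.p12 certs/strongswanCert.pem /media/140B-B107

# start the strongSwan daemons on the gateway
ipsec start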

#On the Android phone I have the strongSwan app configured like this:

    #Profile Name: test
    #Gateway: IP of the pc
    #Type IKEv2 EAP (Username/Password)
    #Username: test
    #Password: hello
    #CA certificate: myCompany example.com

######IT DOES NOT WORK!##########

Feb  1 10:24:19 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4,
Linux 3.0.16-g31a4fc7, armv7l)
Feb  1 10:24:19 00[DMN] loaded plugins: androidbridge charon android-log
openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac
socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb  1 10:24:19 00[JOB] spawning 16 worker threads
Feb  1 10:24:19 10[IKE] initiating IKE_SA android[4] to 10.42.43.1
Feb  1 10:24:19 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
Feb  1 10:24:19 10[NET] sending packet: from 10.42.43.36[48460] to
10.42.43.1[500]
Feb  1 10:24:19 13[NET] received packet: from 10.42.43.1[500] to
10.42.43.36[48460]
Feb  1 10:24:19 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb  1 10:24:20 13[IKE] faking NAT situation to enforce UDP encapsulation
Feb  1 10:24:20 13[IKE] sending cert request for "C=FR, ST=France,
L=Angers, O=myCompany, OU=myUnit, CN=example.com, E=root at example.com"
Feb  1 10:24:20 13[IKE] establishing CHILD_SA android
Feb  1 10:24:20 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
CERTREQ CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
N(EAP_ONLY) ]
Feb  1 10:24:20 13[NET] sending packet: from 10.42.43.36[41241] to
10.42.43.1[4500]
Feb  1 10:24:20 03[NET] received packet: from 10.42.43.1[4500] to
10.42.43.36[41241]
Feb  1 10:24:20 03[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb  1 10:24:20 03[IKE] received AUTHENTICATION_FAILED notify error

#I also tried with

    #On the Android phone I have the strongSwan app configured like this:
    #Profile Name: test
    #Gateway: IP of the pc
    #Type IKEv2 Certificate
    #User certificate: host CN=..., OU=..., ...
    #CA certificate: myCompany example.com

######IT DOES NOT WORK TOO!##########

Feb  1 10:15:06 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4,
Linux 3.0.16-g31a4fc7, armv7l)
Feb  1 10:15:06 00[DMN] loaded plugins: androidbridge charon android-log
openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac
socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb  1 10:15:06 00[JOB] spawning 16 worker threads
Feb  1 10:15:06 11[CFG] loaded user certificate 'C=FR, ST=France,
O=myCompany, OU=myUnit, CN=user.com, E=root at user.com' and private key
Feb  1 10:15:06 11[CFG] loaded CA certificate 'C=FR, ST=France, L=Angers,
O=myCompany, OU=myUnit, CN=example.com, E=root at example.com'
Feb  1 10:15:06 11[IKE] initiating IKE_SA android[1] to 10.42.43.1
Feb  1 10:15:07 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) ]
Feb  1 10:15:07 11[NET] sending packet: from 10.42.43.36[49549] to
10.42.43.1[500]
Feb  1 10:15:07 15[NET] received packet: from 10.42.43.1[500] to
10.42.43.36[49549]
Feb  1 10:15:07 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No
N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb  1 10:15:07 15[IKE] faking NAT situation to enforce UDP encapsulation
Feb  1 10:15:07 15[IKE] sending cert request for "C=FR, ST=France,
L=Angers, O=myCompany, OU=myUnit, CN=example.com, E=root at example.com"
Feb  1 10:15:07 15[IKE] authentication of 'C=FR, ST=France, O=myCompany,
OU=myUnit, CN=user.com, E=root at user.com' (myself) with RSA signature
successful
Feb  1 10:15:07 15[IKE] establishing CHILD_SA android
Feb  1 10:15:07 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT)
CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Feb  1 10:15:07 15[NET] sending packet: from 10.42.43.36[36844] to
10.42.43.1[4500]
Feb  1 10:15:07 12[NET] received packet: from 10.42.43.1[4500] to
10.42.43.36[36844]
Feb  1 10:15:07 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb  1 10:15:07 12[IKE] received AUTHENTICATION_FAILED notify error

