[strongSwan] Strongswan Android client could not log in (VPN otherwise working for Win7)

Lawrence Chiu Lawrence_Chiu_TX3 at yahoo.com
Sat Sep 21 23:59:56 CEST 2013


I have a Strongswan VPN server configured for Windows 7 clients.  I 
followed the instructions in the Wiki.
http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
and it is working perfectly for Windows.  But my Android phone using the 
Strongswan Android app does not work.

My config files are nearly identical to the examples provided:

===== [ ipsec.conf ] =====

# diff ipsec.conf ipsec.conf.template
<     leftid=@<MY DYNDNS.ORG HOSTNAME>
---
>     leftid=@vpn.strongswan.org

where "<MY DYNDNS.ORG HOSTNAME>" is my DynDNS hostname.

===== [ ipsec.secrets ] =====

Identical to the example.

===== [ strongswan.conf ] =====

# diff strongswan.conf strongswan.conf.template
<   dns1 = 192.168.0.1
<   nbns1 = 192.168.0.1
---
>   dns1 = 62.2.17.60
>   dns2 = 62.2.24.162
>   nbns1 = 10.10.1.1
>   nbns2 = 10.10.0.1

Below are the logs.  This configuration works fine for Windows 7 client PCs, and I am using the same win7.p12 certificate file in Android.

Thank you very much.

===== [ auth.log ] =====
Sep 21 16:23:43 barney charon: 16[IKE] 166.147.64.114 is initiating an IKE_SA
Sep 21 16:23:43 barney charon: 05[IKE] 166.147.64.114 is initiating an IKE_SA

===== [ syslog ] =====
Sep 21 16:23:43 barney charon: 16[NET] received packet: from 166.147.64.114[55645] to 192.168.0.50[500]
Sep 21 16:23:43 barney charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 21 16:23:43 barney charon: 16[IKE] 166.147.64.114 is initiating an IKE_SA
Sep 21 16:23:43 barney charon: 16[IKE] local host is behind NAT, sending keep alives
Sep 21 16:23:43 barney charon: 16[IKE] remote host is behind NAT
Sep 21 16:23:43 barney charon: 16[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Sep 21 16:23:43 barney charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 21 16:23:43 barney charon: 16[NET] sending packet: from 192.168.0.50[500] to 166.147.64.114[55645]
Sep 21 16:23:43 barney charon: 05[NET] received packet: from 166.147.64.114[55645] to 192.168.0.50[500]
Sep 21 16:23:43 barney charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 21 16:23:43 barney charon: 05[IKE] 166.147.64.114 is initiating an IKE_SA
Sep 21 16:23:43 barney charon: 05[IKE] local host is behind NAT, sending keep alives
Sep 21 16:23:43 barney charon: 05[IKE] remote host is behind NAT
Sep 21 16:23:43 barney charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 21 16:23:43 barney charon: 05[NET] sending packet: from 192.168.0.50[500] to 166.147.64.114[55645]
Sep 21 16:23:43 barney charon: 04[NET] received packet: from 166.147.64.114[60341] to 192.168.0.50[4500]
Sep 21 16:23:43 barney charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Sep 21 16:23:43 barney charon: 04[IKE] received cert request for "C=CH, O=strongSwan, CN=pkiCA"
Sep 21 16:23:43 barney charon: 04[CFG] looking for peer configs matching 192.168.0.50[%any]...166.147.64.114[C=CH, O=strongSwan, CN=win7.mycompany.local]
Sep 21 16:23:43 barney charon: 04[CFG] selected peer config 'win7'
Sep 21 16:23:43 barney charon: 04[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Sep 21 16:23:43 barney charon: 04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Sep 21 16:23:43 barney charon: 04[IKE] peer supports MOBIKE
Sep 21 16:23:43 barney charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 21 16:23:43 barney charon: 04[NET] sending packet: from 192.168.0.50[4500] to 166.147.64.114[60341]

===== [ Android client log ] =====
Sep 21 16:23:31 00[DMN] Starting IKE charon daemon (strongSwan 5.1.0dr2, Linux 3.0.31-578342, armv7l)
Sep 21 16:23:31 00[KNL] kernel-netlink plugin might require CAP_NET_ADMIN capability
Sep 21 16:23:31 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default kernel-netlink eap-identity eap-mschapv2 eap-md5 eap-gtc
Sep 21 16:23:31 00[LIB] unable to load 9 plugin features (9 due to unmet dependencies)
Sep 21 16:23:31 00[JOB] spawning 16 worker threads
Sep 21 16:23:31 07[CFG] loaded user certificate 'C=CH, O=strongSwan, CN=win7.mycompany.local' and private key
Sep 21 16:23:31 07[CFG] loaded CA certificate 'C=CH, O=strongSwan, CN=pkiCA'
Sep 21 16:23:31 07[IKE] initiating IKE_SA android[8] to 98.201.212.153
Sep 21 16:23:31 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 21 16:23:31 07[NET] sending packet: from 10.250.66.171[54467] to 98.201.212.153[500] (648 bytes)
Sep 21 16:23:32 10[NET] received packet: from 98.201.212.153[500] to 10.250.66.171[54467] (38 bytes)
Sep 21 16:23:32 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 21 16:23:32 10[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Sep 21 16:23:32 10[IKE] initiating IKE_SA android[8] to 98.201.212.153
Sep 21 16:23:32 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 21 16:23:32 10[NET] sending packet: from 10.250.66.171[54467] to 98.201.212.153[500] (520 bytes)
Sep 21 16:23:32 11[NET] received packet: from 98.201.212.153[500] to 10.250.66.171[54467] (312 bytes)
Sep 21 16:23:32 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 21 16:23:32 11[IKE] local host is behind NAT, sending keep alives
Sep 21 16:23:32 11[IKE] remote host is behind NAT
Sep 21 16:23:32 11[IKE] sending cert request for "C=CH, O=strongSwan, CN=pkiCA"
Sep 21 16:23:32 11[IKE] authentication of 'C=CH, O=strongSwan, CN=win7.mycompany.local' (myself) with RSA signature successful
Sep 21 16:23:32 11[IKE] establishing CHILD_SA android
Sep 21 16:23:32 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Sep 21 16:23:32 11[NET] sending packet: from 10.250.66.171[55861] to 98.201.212.153[4500] (860 bytes)
Sep 21 16:23:32 12[NET] received packet: from 98.201.212.153[4500] to 10.250.66.171[55861] (76 bytes)
Sep 21 16:23:32 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 21 16:23:32 12[IKE] received AUTHENTICATION_FAILED notify error
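
Added example (editor's note, not part of the post and not strongSwan project code): a small Python triage script that reads the two charon logs above and pulls out the facts that decide the outcome. In IKEv2 the CERT payload is optional; when the initiator omits it, the responder must already hold that identity's public key from its own configuration. What the logs show is that the server's real IKE_SA_INIT response (the one carrying SA) contains no CERTREQ, the client's IKE_AUTH carries AUTH but no CERT payload, and the server then logs "no trusted RSA public key found" for the win7 identity before answering AUTH_FAILED. The script also records the DH-group retry (the server rejected MODP_2048 and asked for MODP_1024, so the proposal it has loaded only offers the 1024-bit group). The regexes assume the charon log wording seen in this post; other strongSwan versions may phrase messages differently. The sample lines are copied from the two logs in the post with the mail-wrapped lines rejoined.

```python
"""Triage helper for strongSwan charon logs (added example, not from the post
or from the strongSwan project). Reports the DH-group retry, whether the
responder asked for a certificate (CERTREQ), whether the initiator signed
(AUTH) without sending CERT, and the responder's stated reason for failing."""
import re

# Matches the server's syslog lines ("... barney charon: 16[NET] ...") and the
# Android app's own log lines ("... 07[CFG] ..."); wording assumed from the post.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ charon: )?"
    r"(?P<thread>\d{2})\[(?P<grp>[A-Z]{3})\] (?P<msg>.*)$")
# charon's [ENC] summary of an exchange: "parsed IKE_AUTH request 1 [ IDi ... ]"
EXCH_RE = re.compile(
    r"^(?:parsed|generating) (?P<exch>\w+) (?P<dir>request|response) "
    r"\d+ \[ (?P<payloads>.*?) \]$")
PAYLOAD_RE = re.compile(r"\w+(?:\([^)]*\))?")   # "SA", "N(INVAL_KE)", "CP(ADDR DNS)"
DH_SERVER_RE = re.compile(r"DH group (\w+) inacceptable, requesting (\w+)")
DH_CLIENT_RE = re.compile(r"peer didn't accept DH group (\w+), it requested (\w+)")
NO_KEY_RE = re.compile(r"no trusted (\w+) public key found for '([^']+)'")
PEER_CFG_RE = re.compile(r"selected peer config '([^']+)'")


def parse(lines):
    """Turn raw log lines into dicts; lines that are not charon output are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        x = EXCH_RE.match(ev["msg"])
        if x:
            ev.update(exch=x["exch"], dir=x["dir"],
                      payloads=PAYLOAD_RE.findall(x["payloads"]))
        events.append(ev)
    return events


def triage(lines):
    """Summarise why an IKEv2 negotiation failed, from either side's log."""
    r = {"dh_retry": None,                 # (rejected group, requested group)
         "certreq_in_init_response": False,
         "auth_without_cert": False,       # initiator signed but sent no CERT
         "peer_config": None,
         "no_trusted_key": None,           # (key type, identity)
         "auth_failed": False}
    for ev in parse(lines):
        msg = ev["msg"]
        m = DH_SERVER_RE.search(msg) or DH_CLIENT_RE.search(msg)
        if m:
            r["dh_retry"] = (m.group(1), m.group(2))
        m = NO_KEY_RE.search(msg)
        if m:
            r["no_trusted_key"] = (m.group(1), m.group(2))
        m = PEER_CFG_RE.search(msg)
        if m:
            r["peer_config"] = m.group(1)
        if "AUTHENTICATION_FAILED" in msg:
            r["auth_failed"] = True
        if "exch" not in ev:
            continue
        names = [p.split("(")[0] for p in ev["payloads"]]   # "N(INVAL_KE)" -> "N"
        # Only a full IKE_SA_INIT response (one carrying SA) can carry CERTREQ;
        # "[ N(INVAL_KE) ]" is just a request to retry with another DH group.
        if ev["exch"] == "IKE_SA_INIT" and ev["dir"] == "response" and "SA" in names:
            r["certreq_in_init_response"] = "CERTREQ" in names
        if ev["exch"] == "IKE_AUTH" and ev["dir"] == "request":
            r["auth_without_cert"] = "AUTH" in names and "CERT" not in names
        if ev["exch"] == "IKE_AUTH" and ev["dir"] == "response":
            r["auth_failed"] = r["auth_failed"] or "N(AUTH_FAILED)" in ev["payloads"]
    return r


# Lines copied from the server syslog and the Android log in the post.
SERVER_LOG = """\
Sep 21 16:23:43 barney charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 21 16:23:43 barney charon: 16[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Sep 21 16:23:43 barney charon: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 21 16:23:43 barney charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 21 16:23:43 barney charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Sep 21 16:23:43 barney charon: 04[CFG] selected peer config 'win7'
Sep 21 16:23:43 barney charon: 04[IKE] no trusted RSA public key found for 'C=CH, O=strongSwan, CN=win7.mycompany.local'
Sep 21 16:23:43 barney charon: 04[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
""".splitlines()
CLIENT_LOG = """\
Sep 21 16:23:32 10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Sep 21 16:23:32 10[IKE] peer didn't accept DH group MODP_2048, it requested MODP_1024
Sep 21 16:23:32 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Sep 21 16:23:32 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(AUTH_FOLLOWS) ]
Sep 21 16:23:32 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
""".splitlines()

if __name__ == "__main__":
    for side, log in (("server", SERVER_LOG), ("android", CLIENT_LOG)):
        print(side, triage(log))
```

Both sides' logs yield the same picture: a DH retry from MODP_2048 to MODP_1024, no CERTREQ in the responder's IKE_SA_INIT response, an IKE_AUTH request that signs with AUTH but carries no CERT, and AUTH_FAILED; the server-side log additionally names the peer config that was selected ('win7') and the identity for which it holds no trusted RSA key. Pointing the script at a fresh pair of logs after a configuration change shows immediately whether the responder now asks for a certificate or whether the client now sends one.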