[strongSwan] Android native VPN client to Strongswan problem
kemeris
kemeris2000 at gmail.com
Thu Apr 10 16:07:45 CEST 2014
Hi everyone,
I've been banging my head against this issue for several days and I
cannot establish a connection with the VPN server (CentOS/strongSwan v5.1.2)
from my Android phone using the IPSec Xauth RSA (ikev1) connection type. I
tried various tutorials but the problem remains the same. I have no
problem connecting from iPhone (ikev1) and Android (ikev2).
I am getting an "invalid HASH_V1 payload length, decryption failed?" error.
This is the configuration for the strongSwan connection:
ipsec.conf:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn android_IPSec_ikev1
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=serverCert.pem
    leftfirewall=yes
    right=%any
    rightsourceip=10.255.0.0/24
    rightdns=212.59.1.1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
ipsec.secret
: RSA serverKey.pem
kemeris : XAUTH "pass1"
error.log
Apr 8 11:31:32 s1 charon: 11[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (476 bytes)
Apr 8 11:31:32 s1 charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Apr 8 11:31:32 s1 charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] received XAuth vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] received Cisco Unity vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] received FRAGMENTATION vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] received DPD vendor ID
Apr 8 11:31:32 s1 charon: 11[IKE] 10.0.0.11 is initiating a Main Mode IKE_SA
Apr 8 11:31:32 s1 charon: 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr 8 11:31:32 s1 charon: 11[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (136 bytes)
Apr 8 11:31:32 s1 charon: 10[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (228 bytes)
Apr 8 11:31:32 s1 charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 8 11:31:32 s1 charon: 10[IKE] sending cert request for "C=LT, S=Vilniaus m., L=Vilnius, O=Zeusman MB, CN=vpn.zeusman.lt"
Apr 8 11:31:32 s1 charon: 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr 8 11:31:32 s1 charon: 10[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (350 bytes)
Apr 8 11:31:32 s1 charon: 12[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (1228 bytes)
Apr 8 11:31:32 s1 charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
Apr 8 11:31:32 s1 charon: 12[IKE] received end entity cert "C=GB, O=Zeusman MB, CN=Tadas Blinda"
Apr 8 11:31:32 s1 charon: 12[CFG] looking for XAuthInitRSA peer configs matching 78.60.3.52...10.0.0.11[C=GB, O=Zeusman MB, CN=Tadas Blinda]
Apr 8 11:31:32 s1 charon: 12[CFG] selected peer config "ios_IPSec_ikev1"
Apr 8 11:31:32 s1 charon: 12[CFG] using trusted ca certificate "C=LT, S=Vilniaus m., L=Vilnius, O=Zeusman MB, CN=vpn.zeusman.lt"
Apr 8 11:31:32 s1 charon: 12[CFG] checking certificate status of "C=GB, O=Zeusman MB, CN=Tadas Blinda"
Apr 8 11:31:32 s1 charon: 12[CFG] certificate status is not available
Apr 8 11:31:32 s1 charon: 12[CFG] reached self-signed root ca with a path length of 0
Apr 8 11:31:32 s1 charon: 12[CFG] using trusted certificate "C=GB, O=Zeusman MB, CN=Tadas Blinda"
Apr 8 11:31:32 s1 charon: 12[IKE] authentication of 'C=GB, O=Zeusman MB, CN=Tadas Blinda' with RSA successful
Apr 8 11:31:32 s1 charon: 12[IKE] authentication of 'C=LT, S=Vilniaus m., L=Vilnius, O=Zeusman MB, CN=vpn.zeusman.lt' (myself) successful
Apr 8 11:31:32 s1 charon: 12[ENC] generating ID_PROT response 0 [ ID SIG ]
Apr 8 11:31:32 s1 charon: 12[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (412 bytes)
Apr 8 11:31:32 s1 charon: 12[ENC] generating TRANSACTION request 3632658472 [ HASH CPRQ(X_USER X_PWD) ]
Apr 8 11:31:32 s1 charon: 12[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (76 bytes)
Apr 8 11:31:32 s1 charon: 13[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (92 bytes)
Apr 8 11:31:32 s1 charon: 13[ENC] invalid HASH_V1 payload length, decryption failed?
Apr 8 11:31:32 s1 charon: 13[ENC] could not decrypt payloads
Apr 8 11:31:32 s1 charon: 13[IKE] message parsing failed
Apr 8 11:31:32 s1 charon: 13[IKE] ignore malformed INFORMATIONAL request
Apr 8 11:31:32 s1 charon: 13[IKE] INFORMATIONAL_V1 request with message ID 2246676801 processing failed
Apr 8 11:31:35 s1 charon: 15[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (1228 bytes)
Apr 8 11:31:35 s1 charon: 15[IKE] received retransmit of request with ID 0, retransmitting response
Apr 8 11:31:35 s1 charon: 15[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (412 bytes)
Apr 8 11:31:35 s1 charon: 05[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (92 bytes)
Apr 8 11:31:35 s1 charon: 05[ENC] invalid HASH_V1 payload length, decryption failed?
Apr 8 11:31:35 s1 charon: 05[ENC] could not decrypt payloads
Apr 8 11:31:35 s1 charon: 05[IKE] message parsing failed
Apr 8 11:31:35 s1 charon: 05[IKE] ignore malformed INFORMATIONAL request
Is there something I did wrong?
Please bear in mind that I am a newbie :)
Thanks,
kemeris
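
An added triage helper, not part of the original post and not strongSwan code: it re-joins charon records that were wrapped in transit (as mail clients and list archives do), then reports which conn charon selected and whether an undecryptable packet arrived after the XAuth request was sent. The function names are this example's own; the embedded excerpt is copied from the log in the post.

```python
import re

# Syslog prefix as it appears in the post: "Apr 8 11:31:32 s1 charon: 12[CFG] ..."
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ charon: (\d+)\[(\w+)\] (.*)$")

# Excerpt of the log in the post, wrapped at 72 columns as a mail client would.
SAMPLE = """\
Apr 8 11:31:32 s1 charon: 12[CFG] selected peer config
"ios_IPSec_ikev1"
Apr 8 11:31:32 s1 charon: 12[ENC] generating TRANSACTION request
3632658472 [ HASH CPRQ(X_USER X_PWD) ]
Apr 8 11:31:32 s1 charon: 13[ENC] invalid HASH_V1 payload length,
decryption failed?
Apr 8 11:31:32 s1 charon: 13[IKE] INFORMATIONAL_V1 request with message
ID 2246676801 processing failed
"""

def unwrap(text):
    """A line without a syslog prefix continues the previous record."""
    records = []
    for raw in text.splitlines():
        if LINE.match(raw) or not records:
            records.append(raw.strip())
        else:
            records[-1] += " " + raw.strip()
    return records

def triage(text, expected_conn):
    """Summarise one IKEv1 attempt; expected_conn is the conn you meant to hit."""
    out = {"selected": None, "xauth_requested": False,
           "decrypt_failures": 0, "failed": [], "notes": []}
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m:
            continue
        msg = m.group(3)
        if (s := re.search(r'selected peer config "([^"]+)"', msg)):
            out["selected"] = s.group(1)
        elif "TRANSACTION request" in msg and "X_USER" in msg:
            out["xauth_requested"] = True
        elif "decryption failed?" in msg:
            out["decrypt_failures"] += 1
        elif (f := re.search(r"(\w+) request with message ID (\d+) processing failed", msg)):
            out["failed"].append((f.group(1), int(f.group(2))))
    if out["selected"] and out["selected"] != expected_conn:
        out["notes"].append(f'matched conn "{out["selected"]}", not "{expected_conn}"')
    if out["xauth_requested"] and out["decrypt_failures"]:
        out["notes"].append("undecryptable packet received after the XAuth request")
    return out
```

Calling `triage(SAMPLE, "android_IPSec_ikev1")` on the excerpt yields both notes: the log names `ios_IPSec_ikev1` as the selected peer config, which is not the conn section posted above.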