[strongSwan] xauth-pam fails with android client

Carl Hörberg carl.hoerberg at gmail.com
Sat Jun 28 23:30:03 CEST 2014


Have xauth-pam working great with an OS X Mavericks client, but when connecting from Android 4.4.2 with the same shared key and credentials it fails. If I configure strongSwan to use xauth-generic and the same password but as a secret in ipsec.secret, then it works; it's only xauth-pam that fails on Android. This is the log from an Android connection attempt:

charon: 13[NET] received packet: from 77.218.255.139[1067] to 37.139.4.179[500] (720 bytes)
charon: 13[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
charon: 13[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
charon: 13[IKE] received XAuth vendor ID
charon: 13[IKE] received Cisco Unity vendor ID
charon: 13[IKE] received FRAGMENTATION vendor ID
charon: 13[IKE] received DPD vendor ID
charon: 13[IKE] 77.218.255.139 is initiating a Main Mode IKE_SA
charon: 13[ENC] generating ID_PROT response 0 [ SA V V V V ]
charon: 13[NET] sending packet: from 37.139.4.179[500] to 77.218.255.139[1067] (160 bytes)
charon: 14[NET] received packet: from 77.218.255.139[1067] to 37.139.4.179[500] (252 bytes)
charon: 14[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
charon: 14[IKE] remote host is behind NAT
charon: 14[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
charon: 14[NET] sending packet: from 37.139.4.179[500] to 77.218.255.139[1067] (268 bytes)
charon: 15[NET] received packet: from 77.218.255.139[1071] to 37.139.4.179[4500] (108 bytes)
charon: 15[ENC] parsed ID_PROT request 0 [ ID HASH ]
charon: 15[CFG] looking for XAuthInitPSK peer configs matching 37.139.4.179...77.218.255.139[100.74.223.139]
charon: 15[CFG] selected peer config "psk-pam"
charon: 15[ENC] generating ID_PROT response 0 [ ID HASH ]
charon: 15[NET] sending packet: from 37.139.4.179[4500] to 77.218.255.139[1071] (92 bytes)
charon: 15[ENC] generating TRANSACTION request 4035148199 [ HASH CPRQ(X_USER X_PWD) ]
charon: 15[NET] sending packet: from 37.139.4.179[4500] to 77.218.255.139[1071] (92 bytes)
charon: 16[NET] received packet: from 77.218.255.139[1071] to 37.139.4.179[4500] (124 bytes)
charon: 16[ENC] parsed INFORMATIONAL_V1 request 3508586429 [ HASH N(INITIAL_CONTACT) ]
charon: 04[NET] received packet: from 77.218.255.139[1071] to 37.139.4.179[4500] (140 bytes)
charon: 04[ENC] parsed TRANSACTION response 4035148199 [ HASH CPRP(X_USER X_PWD) ]
charon: 04[IKE] XAuth pam_authenticate for 'carl' failed: Authentication failure
charon: 04[IKE] XAuth authentication of 'carl' failed
charon: 04[ENC] generating TRANSACTION request 1756209894 [ HASH CPS(X_STATUS) ]
charon: 04[NET] sending packet: from 37.139.4.179[4500] to 77.218.255.139[1071] (92 bytes)
charon: 02[NET] received packet: from 77.218.255.139[1071] to 37.139.4.179[4500] (108 bytes)
charon: 02[ENC] parsed TRANSACTION response 1756209894 [ HASH CPA(X_STATUS) ]
charon: 02[IKE] destroying IKE_SA after failed XAuth authentication

