[strongSwan] Problems connecting to Strongswan with WP8.1

raceface raceface_the_one at gmx.net
Sat Oct 18 22:56:53 CEST 2014

Hi,

I am stuck in getting a connection from a Windows Phone 8.1 to strongswan
5.2.0 on Ubuntu 12.04.

Here's my ipsec.conf:

config setup
 uniqueids=never
 # charondebug="cfg -1, dmn 11, ike -1, net -1"

conn myVPN
 left=%any
 leftsubnet=0.0.0.0/0
 leftid=@took out the FQDN
 lefthostaccess=yes
 leftfirewall=yes
 leftcert=server.crt
 ike=aes256-sha1-modp1024!
 esp=aes256-sha1!
 rekey=no
 keyexchange=ikev2
 ikelifetime=8h
 keylife=1h
 right=%any
 rightsourceip=192.168.188.50
 rightauth=eap-mschapv2
 compress=yes
 dpdaction=clear
 dpddelay=300s
 rightsendcert=never
 eap_identity=%any
 auto=add

And this is the --nofork output:

Starting strongSwan 5.2.0 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-042stab092.3, i686)
00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
00[NET] installing IKE bypass policy failed
00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
00[NET] installing IKE bypass policy failed
00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
00[NET] installing IKE bypass policy failed
00[KNL] unable to set IPSEC_POLICY on socket: Invalid argument
00[NET] installing IKE bypass policy failed
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN" from '/etc/ipsec.d/cacerts/ca.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/server.key'
00[CFG]   loaded EAP secret for phone
00[LIB] loaded plugins: charon curl pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-mschapv2 eap-tls eap-ttls xauth-generic
00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
00[JOB] spawning 16 worker threads
charon (22973) started after 20 ms
08[CFG] received stroke: add connection 'myVPN'
08[CFG] left nor right host is our side, assuming left=local
08[CFG] adding virtual IP address pool 192.168.188.50
08[CFG]   loaded certificate "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN" from 'server.crt'
08[CFG] added configuration 'myVPN'
10[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
10[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
10[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
10[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
10[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
10[IKE] 80.187.107.73 is initiating an IKE_SA
10[IKE] remote host is behind NAT
10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
10[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
11[NET] received packet: from 80.187.107.73[2869] to the real IP[4500] (1324 bytes)
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
11[IKE] received cert request for "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN"
11[IKE] received 48 cert requests for an unknown ca
11[CFG] looking for peer configs matching the real IP[%any]...80.187.107.73[10.69.240.130]
11[CFG] selected peer config 'myVPN'
11[IKE] initiating EAP_IDENTITY method (id 0x00)
11[IKE] peer supports MOBIKE
11[IKE] authentication of 'took out the FQDN' (myself) with RSA signature successful
11[IKE] sending end entity cert "C=DE, ST=Some-State, O=Andreas Seiler, CN=took out the FQDN"
11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
11[NET] sending packet: from the real IP[4500] to 80.187.107.73[2869] (908 bytes)
12[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
12[ENC] received unknown vendor ID: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
12[ENC] received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
12[ENC] received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
12[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
12[IKE] 80.187.107.73 is initiating an IKE_SA
12[IKE] remote host is behind NAT
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
12[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
13[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
13[IKE] received retransmit of request with ID 0, retransmitting response
13[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
14[NET] received packet: from 80.187.107.73[500] to the real IP[500] (616 bytes)
14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
14[IKE] received retransmit of request with ID 0, retransmitting response
14[NET] sending packet: from the real IP[500] to 80.187.107.73[500] (312 bytes)
15[JOB] deleting half open IKE_SA after timeout

Does anybody have an idea what might be the problem?
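A triage script, added here as an example and not part of strongSwan or of the post above: it reads a charon --nofork log such as the one quoted and reports the two things that log actually shows, namely the startup lines saying charon could not install IPsec policies (no IPsec stack detected, the IPSEC_POLICY setsockopt refused), and a peer that received the IKE_AUTH response carrying the server certificate and the EAP identity request and then opened a fresh IKE_SA instead of answering with EAP. The embedded sample log is constructed (RFC 5737 addresses, a placeholder FQDN, vendor-ID and NAT lines left out) and modelled on the posted output; tying log lines to a peer through charon's worker-thread prefix is an approximation, and the findings are heuristics rather than a diagnosis of this particular setup.

```python
#!/usr/bin/env python3
"""Triage a strongSwan charon '--nofork' log for the two signatures seen above.
Added example for this thread: not strongSwan code, not the poster's. It only
reads log lines; its findings are heuristics, not a diagnosis."""
import re
import sys
from collections import defaultdict

# Startup lines meaning charon has no usable IPsec stack or may not install policies.
KERNEL_SIGNS = ("no known IPsec stack detected",
                "unable to set IPSEC_POLICY on socket",
                "installing IKE bypass policy failed")

_LINE = re.compile(r"^(\d+)\[(\w+)\] (.*)$")   # "10[NET] message": thread id, subsystem
_FROM = re.compile(r"received packet: from (\S+)\[\d+\] to ")
_INITIATING = re.compile(r"(\S+) is initiating an IKE_SA")
_PARSED = re.compile(r"parsed (\w+) request \d+ \[ (.*?) \]")
_GENERATED = re.compile(r"generating (\w+) response \d+ \[ (.*?) \]")
_HALF_OPEN = "deleting half open IKE_SA after timeout"

# Constructed sample modelled on the posted output (RFC 5737 addresses; vendor-ID,
# NAT and "sending packet" lines dropped for brevity).
SAMPLE_LOG = """\
no known IPsec stack detected, ignoring!
00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
00[NET] installing IKE bypass policy failed
10[NET] received packet: from 203.0.113.7[500] to 198.51.100.1[500] (616 bytes)
10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
10[IKE] 203.0.113.7 is initiating an IKE_SA
11[NET] received packet: from 203.0.113.7[2869] to 198.51.100.1[4500] (1324 bytes)
11[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) SA TSi TSr ]
11[IKE] received 48 cert requests for an unknown ca
11[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
12[NET] received packet: from 203.0.113.7[500] to 198.51.100.1[500] (616 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
12[IKE] 203.0.113.7 is initiating an IKE_SA
13[NET] received packet: from 203.0.113.7[500] to 198.51.100.1[500] (616 bytes)
13[IKE] received retransmit of request with ID 0, retransmitting response
15[JOB] deleting half open IKE_SA after timeout
"""


def parse_charon_log(text):
    """Return (kernel_error_lines, {peer_ip: counters}, half_open_timeouts)."""
    kernel_errors, half_open = [], 0
    peers = defaultdict(lambda: dict(ike_sa_inits=0, ike_auth_requests=0,
                                     eap_requests_sent=0, eap_responses_received=0,
                                     retransmits=0))
    thread_peer = {}  # worker thread id -> peer whose packet that thread last received
    for raw in text.splitlines():
        line = raw.strip()
        if any(sign in line for sign in KERNEL_SIGNS):
            kernel_errors.append(line)
            continue
        m = _LINE.match(line)
        if not m:
            continue                      # starter output carries no thread prefix
        thread, _subsys, msg = m.groups()
        if _HALF_OPEN in msg:
            half_open += 1
            continue
        mf = _FROM.search(msg)
        if mf:
            thread_peer[thread] = mf.group(1)
            continue
        mi = _INITIATING.search(msg)
        if mi:
            peers[mi.group(1)]["ike_sa_inits"] += 1
            continue
        if thread not in thread_peer:
            continue
        st = peers[thread_peer[thread]]
        mp, mg = _PARSED.search(msg), _GENERATED.search(msg)
        if mp and mp.group(1) == "IKE_AUTH":
            st["ike_auth_requests"] += 1
            if "EAP/RES" in mp.group(2):
                st["eap_responses_received"] += 1
        elif mg and mg.group(1) == "IKE_AUTH" and "EAP/REQ" in mg.group(2):
            st["eap_requests_sent"] += 1
        elif "received retransmit of request" in msg:
            st["retransmits"] += 1
    return kernel_errors, dict(peers), half_open


def triage(text):
    """Plain-text findings. A server-side log alone cannot prove why a client gave up."""
    kernel_errors, peers, half_open = parse_charon_log(text)
    out = []
    if kernel_errors:
        out.append("KERNEL: %d line(s) say charon could not install IPsec policies; without a "
                   "usable IPsec stack no CHILD_SA can be installed, fix that first" % len(kernel_errors))
    for peer, st in sorted(peers.items()):
        if st["eap_requests_sent"] and not st["eap_responses_received"] and st["ike_sa_inits"] > 1:
            out.append("HANDSHAKE %s: we sent our cert plus an EAP identity request %d time(s) and "
                       "never got an EAP reply; the client opened %d IKE_SAs, i.e. it drops the "
                       "exchange after our IKE_AUTH response. Check on the client whether it trusts "
                       "the CA and whether the name it dials matches the server cert"
                       % (peer, st["eap_requests_sent"], st["ike_sa_inits"]))
        if st["retransmits"]:
            out.append("HANDSHAKE %s: %d IKE_SA_INIT retransmit(s) answered" % (peer, st["retransmits"]))
    if half_open:
        out.append("INFO: %d half-open IKE_SA(s) deleted after timeout" % half_open)
    return out


if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(triage(log)) or "no findings")
```

With no argument it runs over the embedded sample; pass a saved --nofork log as the first argument to run it on real output. The one caveat worth stating: nothing in the server's log can show why a client silently restarted from IKE_SA_INIT right after receiving the server certificate, so the handshake finding only points at where to look next (the client's trust store and the name it dials versus the certificate), and the kernel finding must be cleared first because a daemon that cannot install policies will never bring up a tunnel even once IKE succeeds.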