[strongSwan] Android natvie IKEv1 cannot connect

Anthony Alba ascanio.alba7 at gmail.com
Thu May 7 10:31:59 CEST 2015 

Hi list,

I cannot get an Android native VPN client (IKEv1) to successfully
negotiate the IPsec SA after the IKE SA.

I am using the RSA Hybrid scheme with virtual IP  following the
exemplary configs here:
http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-hybrid

My daemon.log looks almost exactly like the example but then I always hit
no matching CHILD_SA config found.

Can you see anything wrong here?

I replaced strongswan with libreswan, and the connection goes through
only if leftsubnet is 0.0.0.0/0.
If I set the leftsubnet to a narrower slice 10.0.0.0/8 I will also get
no matching CHILD_SA as the
"peer  proposed 0.0.0.0/0".

1. On StrongSwan when I change the leftsubnet to 0.0.0.0/0 it still
does not connect.
2. I use leftsubnet=10.0.0.0/8 and attr.conf:split-include=10.0.0.0/8
3. If I use leftsubnet=0.0.0.0/0 and have no split-include directive,
the same situation happens.
4. Everything looks good, until QUICK_MODE request comes in...



09[ENC] parsed QUICK_MODE request 3520511125 [ HASH SA No ID ID ]
09[IKE] Hash(1) => 32 bytes @ 0x7f57680076b0
09[IKE]    0: 49 95 20 8A 91 CB EE C3 84 BE DC 45 98 B1 79 00  I.
........E..y.
09[IKE]   16: BB DD C4 76 69 4B 01 9B D4 C8 05 0D DE 31 CC 7F
...viK.......1..
09[IKE] next IV for MID 3520511125 => 16 bytes @ 0x7f57680079a0
09[IKE]    0: 9D A5 AF D2 65 A6 83 81 18 A6 7D 9C ED 2A A1 9D
....e.....}..*..
09[IKE] no matching CHILD_SA config found
09[IKE] queueing INFORMATIONAL task




[NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (720 bytes)
[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
[IKE] received XAuth vendor ID
[IKE] received Cisco Unity vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received DPD vendor ID
[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
[IKE] sending XAuth vendor ID
[IKE] sending DPD vendor ID
[IKE] sending FRAGMENTATION vendor ID
[IKE] sending NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT response 0 [ SA V V V V ]
[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (160 bytes)
[NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (252 bytes)
[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
[IKE] remote host is behind NAT
[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (268 bytes)
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
[ENC] parsed ID_PROT request 0 [ ID HASH ]
[CFG] looking for HybridInitRSA peer configs matching
5.6.7.8...1.2.3.4[10.238.244.235]
[CFG] selected peer config "rw"
[IKE] authentication of 'moon.example.com' (myself) successful
[IKE] queueing XAUTH task
[IKE] sending end entity cert "CN=moon.example.com"
[IKE] sending issuer cert "CN=moon.example.com"
[ENC] generating ID_PROT response 0 [ ID CERT CERT SIG ]
[ENC] splitting IKE message with length of 2204 bytes into 3 fragments
[ENC] generating ID_PROT response 0 [ FRAG ]
[ENC] generating ID_PROT response 0 [ FRAG ]
[ENC] generating ID_PROT response 0 [ FRAG ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (328 bytes)
[IKE] activating new tasks
[IKE]   activating XAUTH task
[ENC] generating TRANSACTION request 3278894355 [ HASH CPRQ(X_USER X_PWD) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3893196496 [ HASH N(INITIAL_CONTACT) ]
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
[ENC] parsed TRANSACTION response 3278894355 [ HASH CPRP(X_USER X_PWD) ]
[IKE] XAuth authentication of 'carol' successful
[IKE] reinitiating already active tasks
[IKE]   XAUTH task
[ENC] generating TRANSACTION request 2774228260 [ HASH CPS(X_STATUS) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
[ENC] parsed TRANSACTION response 2774228260 [ HASH CPA(X_STATUS) ]
[IKE] IKE_SA rw[5] established between
5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
[IKE] IKE_SA rw[5] established between
5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
[IKE] IKE_SA rw[5] state change: CONNECTING => ESTABLISHED
[IKE] scheduling reauthentication in 3370s
[IKE] maximum IKE_SA lifetime 3550s
[IKE] activating new tasks
[IKE] nothing to initiate
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (140 bytes)
[ENC] parsed TRANSACTION request 3288002991 [ HASH CPRQ(ADDR MASK DNS
NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
[IKE] processing INTERNAL_IP4_ADDRESS attribute
[IKE] processing INTERNAL_IP4_NETMASK attribute
[IKE] processing INTERNAL_IP4_DNS attribute
[IKE] processing INTERNAL_IP4_NBNS attribute
[IKE] processing UNITY_BANNER attribute
[IKE] processing UNITY_DEF_DOMAIN attribute
[IKE] processing UNITY_SPLITDNS_NAME attribute
[IKE] processing UNITY_SPLIT_INCLUDE attribute
[IKE] processing UNITY_LOCAL_LAN attribute
[IKE] processing APPLICATION_VERSION attribute
[IKE] peer requested virtual IP %any
[CFG] reassigning offline lease to 'carol'
[IKE] assigning virtual IP 10.81.0.5 to peer 'carol'
[ENC] generating TRANSACTION response 3288002991 [ HASH CPRP(ADDR DNS
U_BANNER U_SPLITINC) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (124 bytes)
[IKE] queueing MODE_CONFIG task
[IKE] activating new tasks
[IKE]   activating MODE_CONFIG task
[CFG] assigning new lease to 'carol'
[IKE] assigning virtual IP 10.81.0.6 to peer 'carol'
[ENC] generating TRANSACTION request 3071700790 [ HASH CPS(ADDR DNS
U_BANNER U_SPLITINC) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (124 bytes)
[IKE] delaying task initiation, TRANSACTION exchange in progress
[IKE] IKE_SA rw[4] state change: ESTABLISHED => DELETING
[IKE] IKE_SA rw[4] state change: DELETING => DELETING
[IKE] IKE_SA rw[4] state change: DELETING => DESTROYING
[CFG] lease 10.81.0.5 by 'carol' went offline
[NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (720 bytes)
[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
[IKE] received XAuth vendor ID
[IKE] received Cisco Unity vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received DPD vendor ID
[IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
[IKE] sending XAuth vendor ID
[IKE] sending DPD vendor ID
[IKE] sending FRAGMENTATION vendor ID
[IKE] sending NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT response 0 [ SA V V V V ]
[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (160 bytes)
[NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (252 bytes)
[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
[IKE] remote host is behind NAT
[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (268 bytes)
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
[ENC] parsed ID_PROT request 0 [ ID HASH ]
[CFG] looking for HybridInitRSA peer configs matching
5.6.7.8...1.2.3.4[10.238.244.235]
[CFG] selected peer config "rw"
[IKE] authentication of 'moon.example.com' (myself) successful
[IKE] queueing XAUTH task
[IKE] sending end entity cert "CN=moon.example.com"
[IKE] sending issuer cert "CN=moon.example.com"
[ENC] generating ID_PROT response 0 [ ID CERT CERT SIG ]
[ENC] splitting IKE message with length of 2204 bytes into 3 fragments
[ENC] generating ID_PROT response 0 [ FRAG ]
[ENC] generating ID_PROT response 0 [ FRAG ]
[ENC] generating ID_PROT response 0 [ FRAG ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (328 bytes)
[IKE] activating new tasks
[IKE]   activating XAUTH task
[ENC] generating TRANSACTION request 3278894355 [ HASH CPRQ(X_USER X_PWD) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3893196496 [ HASH N(INITIAL_CONTACT) ]
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
[ENC] parsed TRANSACTION response 3278894355 [ HASH CPRP(X_USER X_PWD) ]
[IKE] XAuth authentication of 'carol' successful
[IKE] reinitiating already active tasks
[IKE]   XAUTH task
[ENC] generating TRANSACTION request 2774228260 [ HASH CPS(X_STATUS) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
[ENC] parsed TRANSACTION response 2774228260 [ HASH CPA(X_STATUS) ]
[IKE] IKE_SA rw[5] established between
5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
[IKE] IKE_SA rw[5] state change: CONNECTING => ESTABLISHED
[IKE] scheduling reauthentication in 3370s
[IKE] maximum IKE_SA lifetime 3550s
[IKE] activating new tasks
[IKE] nothing to initiate
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (140 bytes)
[ENC] parsed TRANSACTION request 3288002991 [ HASH CPRQ(ADDR MASK DNS
NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
[IKE] processing INTERNAL_IP4_ADDRESS attribute
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (92 bytes)
[ENC] parsed TRANSACTION response 3071700790 [ HASH CP ]
[IKE] activating new tasks
[IKE] nothing to initiate
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (140 bytes)
[ENC] parsed TRANSACTION request 2547185180 [ HASH CPRQ(ADDR MASK DNS
NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
[IKE] processing INTERNAL_IP4_ADDRESS attribute
[IKE] processing INTERNAL_IP4_NETMASK attribute
[IKE] processing INTERNAL_IP4_DNS attribute
[IKE] processing INTERNAL_IP4_NBNS attribute
[IKE] processing UNITY_BANNER attribute
[IKE] processing UNITY_DEF_DOMAIN attribute
[IKE] processing UNITY_SPLITDNS_NAME attribute
[IKE] processing UNITY_SPLIT_INCLUDE attribute
[IKE] processing UNITY_LOCAL_LAN attribute
[IKE] processing APPLICATION_VERSION attribute
[IKE] peer requested virtual IP %any
[CFG] assigning new lease to 'carol'
[IKE] assigning virtual IP 10.81.0.7 to peer 'carol'
[ENC] generating TRANSACTION response 2547185180 [ HASH CPRP(ADDR DNS
U_BANNER U_SPLITINC) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (124 bytes)
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
[ENC] parsed QUICK_MODE request 2382903097 [ HASH SA No ID ID ]
[IKE] no matching CHILD_SA config found
[IKE] queueing INFORMATIONAL task
[IKE] activating new tasks
[IKE]   activating INFORMATIONAL task
[ENC] generating INFORMATIONAL_V1 request 3189127054 [ HASH N(INVAL_ID) ]
[NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
[IKE] activating new tasks
[IKE] nothing to initiate
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
[IKE] received retransmit of request with ID 2382903097, but no
response to retransmit
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
[IKE] received retransmit of request with ID 2382903097, but no
response to retransmit
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
[IKE] received retransmit of request with ID 2382903097, but no
response to retransmit
[NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2219980363 [ HASH D ]
[IKE] received DELETE for IKE_SA rw[5]
[IKE] deleting IKE_SA rw[5] between
5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
[IKE] deleting IKE_SA rw[5] between
5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
[IKE] IKE_SA rw[5] state change: ESTABLISHED => DELETING
[IKE] IKE_SA rw[5] state change: DELETING => DELETING
[IKE] IKE_SA rw[5] state change: DELETING => DESTROYING
[CFG] lease 10.81.0.7 by 'carol' went offline


conn rw
        modeconfig=push
        fragmentation=yes
        rightauth=xauth
        auto=add
        left=1.2.3.4
        leftcert=betaCert.pem
        leftsubnet=10.0.0.0/8
        ##leftsubnet=0.0.0.0/0
        leftid=@example.com
        leftfirewall=yes
        leftsendcert=always
        leftauth=pubkey
        leftsendcert=always
        right=%any
        rightsourceip=10.81.0.0/24

More information about the Users mailing list