[strongSwan] Android native IKEv1 cannot connect

Anthony Alba ascanio.alba7 at gmail.com
Tue May 19 18:05:15 CEST 2015


I meant that for Android/IKEv1 I have to fill in the "Forwarding routes"
section of the VPN profile, even though the server is sending SPLIT_INC. If
not, the client will tunnel all traffic.
On May 20, 2015 12:01 AM, "Noel Kuntze" <noel at familie-kuntze.de> wrote:

>
> Hi,
>
> What do you mean with that?
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 19.05.2015 at 18:00, Anthony Alba wrote:
> >
> > That was it - thank you!
> >
> > > It works with split tunneling, though on the Android side I have to
> > > manually key in the "forwarding routes".
> >
> > Android doesn't seem to listen to SPLIT_INC.
> >
> > > On May 19, 2015 11:55 PM, "Noel Kuntze" <noel at familie-kuntze.de> wrote:
> >
> >
> > Hello,
> >
> > Please try modeconfig=pull.
> >
> > Mit freundlichen Grüßen/Kind Regards,
> > Noel Kuntze
> >
> > GPG Key ID: 0x63EC6658
> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> > On 07.05.2015 at 10:31, Anthony Alba wrote:
> > > Hi list,
> >
> > > I cannot get an Android native VPN client (IKEv1) to successfully
> > > negotiate the IPsec SA after the IKE SA.
> >
> > > I am using the RSA Hybrid scheme with virtual IP following the
> > > exemplary configs here:
> > > http://www.strongswan.org/uml/testresults/ikev1/xauth-id-rsa-hybrid
> >
> > > My daemon.log looks almost exactly like the example but then I always hit
> > > no matching CHILD_SA config found.
> >
> > > Can you see anything wrong here?
> >
> > > I replaced strongswan with libreswan, and the connection goes through
> > > only if leftsubnet is 0.0.0.0/0.
> > > If I set the leftsubnet to a narrower slice 10.0.0.0/8 I will also get
> > > no matching CHILD_SA as the "peer proposed 0.0.0.0/0".
> >
> > > 1. On StrongSwan when I change the leftsubnet to 0.0.0.0/0 it still
> > > does not connect.
> > > 2. I use leftsubnet=10.0.0.0/8 and attr.conf:split-include=10.0.0.0/8
> > > 3. If I use leftsubnet=0.0.0.0/0 and have no split-include directive,
> > > the same situation happens.
> > > 4. Everything looks good, until QUICK_MODE request comes in...
> > > 4. Everything looks good, until QUICK_MODE request comes in...
> >
> >
> >
> > > 09[ENC] parsed QUICK_MODE request 3520511125 [ HASH SA No ID ID ]
> > > 09[IKE] Hash(1) => 32 bytes @ 0x7f57680076b0
> > > 09[IKE]    0: 49 95 20 8A 91 CB EE C3 84 BE DC 45 98 B1 79 00  I. ........E..y.
> > > 09[IKE]   16: BB DD C4 76 69 4B 01 9B D4 C8 05 0D DE 31 CC 7F  ...viK.......1..
> > > 09[IKE] next IV for MID 3520511125 => 16 bytes @ 0x7f57680079a0
> > > 09[IKE]    0: 9D A5 AF D2 65 A6 83 81 18 A6 7D 9C ED 2A A1 9D  ....e.....}..*..
> > > 09[IKE] no matching CHILD_SA config found
> > > 09[IKE] queueing INFORMATIONAL task
> >
> >
> >
> >
> > > [NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (720 bytes)
> > > [ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> > > [IKE] received NAT-T (RFC 3947) vendor ID
> > > [IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> > > [IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > > [IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> > > [IKE] received XAuth vendor ID
> > > [IKE] received Cisco Unity vendor ID
> > > [IKE] received FRAGMENTATION vendor ID
> > > [IKE] received DPD vendor ID
> > > [IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
> > > [IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
> > > [IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
> > > [IKE] sending XAuth vendor ID
> > > [IKE] sending DPD vendor ID
> > > [IKE] sending FRAGMENTATION vendor ID
> > > [IKE] sending NAT-T (RFC 3947) vendor ID
> > > [ENC] generating ID_PROT response 0 [ SA V V V V ]
> > > [NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (160 bytes)
> > > [NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (252 bytes)
> > > [ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> > > [IKE] remote host is behind NAT
> > > [ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> > > [NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (268 bytes)
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
> > > [ENC] parsed ID_PROT request 0 [ ID HASH ]
> > > [CFG] looking for HybridInitRSA peer configs matching
> > > 5.6.7.8...1.2.3.4[10.238.244.235]
> > > [CFG] selected peer config "rw"
> > > [IKE] authentication of 'moon.example.com' (myself) successful
> > > [IKE] queueing XAUTH task
> > > [IKE] sending end entity cert "CN=moon.example.com"
> > > [IKE] sending issuer cert "CN=moon.example.com"
> > > [ENC] generating ID_PROT response 0 [ ID CERT CERT SIG ]
> > > [ENC] splitting IKE message with length of 2204 bytes into 3 fragments
> > > [ENC] generating ID_PROT response 0 [ FRAG ]
> > > [ENC] generating ID_PROT response 0 [ FRAG ]
> > > [ENC] generating ID_PROT response 0 [ FRAG ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (328 bytes)
> > > [IKE] activating new tasks
> > > [IKE]   activating XAUTH task
> > > [ENC] generating TRANSACTION request 3278894355 [ HASH CPRQ(X_USER X_PWD) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
> > > [ENC] parsed INFORMATIONAL_V1 request 3893196496 [ HASH N(INITIAL_CONTACT) ]
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
> > > [ENC] parsed TRANSACTION response 3278894355 [ HASH CPRP(X_USER X_PWD) ]
> > > [IKE] XAuth authentication of 'carol' successful
> > > [IKE] reinitiating already active tasks
> > > [IKE]   XAUTH task
> > > [ENC] generating TRANSACTION request 2774228260 [ HASH CPS(X_STATUS) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
> > > [ENC] parsed TRANSACTION response 2774228260 [ HASH CPA(X_STATUS) ]
> > > [IKE] IKE_SA rw[5] established between 5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
> > > [IKE] IKE_SA rw[5] established between 5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
> > > [IKE] IKE_SA rw[5] state change: CONNECTING => ESTABLISHED
> > > [IKE] scheduling reauthentication in 3370s
> > > [IKE] maximum IKE_SA lifetime 3550s
> > > [IKE] activating new tasks
> > > [IKE] nothing to initiate
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (140 bytes)
> > > [ENC] parsed TRANSACTION request 3288002991 [ HASH CPRQ(ADDR MASK DNS
> > > NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
> > > [IKE] processing INTERNAL_IP4_ADDRESS attribute
> > > [IKE] processing INTERNAL_IP4_NETMASK attribute
> > > [IKE] processing INTERNAL_IP4_DNS attribute
> > > [IKE] processing INTERNAL_IP4_NBNS attribute
> > > [IKE] processing UNITY_BANNER attribute
> > > [IKE] processing UNITY_DEF_DOMAIN attribute
> > > [IKE] processing UNITY_SPLITDNS_NAME attribute
> > > [IKE] processing UNITY_SPLIT_INCLUDE attribute
> > > [IKE] processing UNITY_LOCAL_LAN attribute
> > > [IKE] processing APPLICATION_VERSION attribute
> > > [IKE] peer requested virtual IP %any
> > > [CFG] reassigning offline lease to 'carol'
> > > [IKE] assigning virtual IP 10.81.0.5 to peer 'carol'
> > > [ENC] generating TRANSACTION response 3288002991 [ HASH CPRP(ADDR DNS
> > > U_BANNER U_SPLITINC) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (124 bytes)
> > > [IKE] queueing MODE_CONFIG task
> > > [IKE] activating new tasks
> > > [IKE]   activating MODE_CONFIG task
> > > [CFG] assigning new lease to 'carol'
> > > [IKE] assigning virtual IP 10.81.0.6 to peer 'carol'
> > > [ENC] generating TRANSACTION request 3071700790 [ HASH CPS(ADDR DNS
> > > U_BANNER U_SPLITINC) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (124 bytes)
> > > [IKE] delaying task initiation, TRANSACTION exchange in progress
> > > [IKE] IKE_SA rw[4] state change: ESTABLISHED => DELETING
> > > [IKE] IKE_SA rw[4] state change: DELETING => DELETING
> > > [IKE] IKE_SA rw[4] state change: DELETING => DESTROYING
> > > [CFG] lease 10.81.0.5 by 'carol' went offline
> > > [NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (720 bytes)
> > > [ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
> > > [IKE] received NAT-T (RFC 3947) vendor ID
> > > [IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> > > [IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> > > [IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> > > [IKE] received XAuth vendor ID
> > > [IKE] received Cisco Unity vendor ID
> > > [IKE] received FRAGMENTATION vendor ID
> > > [IKE] received DPD vendor ID
> > > [IKE] 1.2.3.4 is initiating a Main Mode IKE_SA
> > > [IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
> > > [IKE] sending XAuth vendor ID
> > > [IKE] sending DPD vendor ID
> > > [IKE] sending FRAGMENTATION vendor ID
> > > [IKE] sending NAT-T (RFC 3947) vendor ID
> > > [ENC] generating ID_PROT response 0 [ SA V V V V ]
> > > [NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (160 bytes)
> > > [NET] received packet: from 1.2.3.4[9087] to 5.6.7.8[500] (252 bytes)
> > > [ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> > > [IKE] remote host is behind NAT
> > > [ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> > > [NET] sending packet: from 5.6.7.8[500] to 1.2.3.4[9087] (268 bytes)
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
> > > [ENC] parsed ID_PROT request 0 [ ID HASH ]
> > > [CFG] looking for HybridInitRSA peer configs matching
> > > 5.6.7.8...1.2.3.4[10.238.244.235]
> > > [CFG] selected peer config "rw"
> > > [IKE] authentication of 'moon.example.com' (myself) successful
> > > [IKE] queueing XAUTH task
> > > [IKE] sending end entity cert "CN=moon.example.com"
> > > [IKE] sending issuer cert "CN=moon.example.com"
> > > [ENC] generating ID_PROT response 0 [ ID CERT CERT SIG ]
> > > [ENC] splitting IKE message with length of 2204 bytes into 3 fragments
> > > [ENC] generating ID_PROT response 0 [ FRAG ]
> > > [ENC] generating ID_PROT response 0 [ FRAG ]
> > > [ENC] generating ID_PROT response 0 [ FRAG ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (992 bytes)
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (328 bytes)
> > > [IKE] activating new tasks
> > > [IKE]   activating XAUTH task
> > > [ENC] generating TRANSACTION request 3278894355 [ HASH CPRQ(X_USER X_PWD) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
> > > [ENC] parsed INFORMATIONAL_V1 request 3893196496 [ HASH N(INITIAL_CONTACT) ]
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
> > > [ENC] parsed TRANSACTION response 3278894355 [ HASH CPRP(X_USER X_PWD) ]
> > > [IKE] XAuth authentication of 'carol' successful
> > > [IKE] reinitiating already active tasks
> > > [IKE]   XAUTH task
> > > [ENC] generating TRANSACTION request 2774228260 [ HASH CPS(X_STATUS) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (108 bytes)
> > > [ENC] parsed TRANSACTION response 2774228260 [ HASH CPA(X_STATUS) ]
> > > [IKE] IKE_SA rw[5] established between 5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
> > > [IKE] IKE_SA rw[5] state change: CONNECTING => ESTABLISHED
> > > [IKE] scheduling reauthentication in 3370s
> > > [IKE] maximum IKE_SA lifetime 3550s
> > > [IKE] activating new tasks
> > > [IKE] nothing to initiate
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (140 bytes)
> > > [ENC] parsed TRANSACTION request 3288002991 [ HASH CPRQ(ADDR MASK DNS
> > > NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
> > > [IKE] processing INTERNAL_IP4_ADDRESS attribute
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (92 bytes)
> > > [ENC] parsed TRANSACTION response 3071700790 [ HASH CP ]
> > > [IKE] activating new tasks
> > > [IKE] nothing to initiate
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (140 bytes)
> > > [ENC] parsed TRANSACTION request 2547185180 [ HASH CPRQ(ADDR MASK DNS
> > > NBNS U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN VER) ]
> > > [IKE] processing INTERNAL_IP4_ADDRESS attribute
> > > [IKE] processing INTERNAL_IP4_NETMASK attribute
> > > [IKE] processing INTERNAL_IP4_DNS attribute
> > > [IKE] processing INTERNAL_IP4_NBNS attribute
> > > [IKE] processing UNITY_BANNER attribute
> > > [IKE] processing UNITY_DEF_DOMAIN attribute
> > > [IKE] processing UNITY_SPLITDNS_NAME attribute
> > > [IKE] processing UNITY_SPLIT_INCLUDE attribute
> > > [IKE] processing UNITY_LOCAL_LAN attribute
> > > [IKE] processing APPLICATION_VERSION attribute
> > > [IKE] peer requested virtual IP %any
> > > [CFG] assigning new lease to 'carol'
> > > [IKE] assigning virtual IP 10.81.0.7 to peer 'carol'
> > > [ENC] generating TRANSACTION response 2547185180 [ HASH CPRP(ADDR DNS
> > > U_BANNER U_SPLITINC) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (124 bytes)
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
> > > [ENC] parsed QUICK_MODE request 2382903097 [ HASH SA No ID ID ]
> > > [IKE] no matching CHILD_SA config found
> > > [IKE] queueing INFORMATIONAL task
> > > [IKE] activating new tasks
> > > [IKE]   activating INFORMATIONAL task
> > > [ENC] generating INFORMATIONAL_V1 request 3189127054 [ HASH N(INVAL_ID) ]
> > > [NET] sending packet: from 5.6.7.8[4500] to 1.2.3.4[13338] (92 bytes)
> > > [IKE] activating new tasks
> > > [IKE] nothing to initiate
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
> > > [IKE] received retransmit of request with ID 2382903097, but no
> > > response to retransmit
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
> > > [IKE] received retransmit of request with ID 2382903097, but no
> > > response to retransmit
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (556 bytes)
> > > [IKE] received retransmit of request with ID 2382903097, but no
> > > response to retransmit
> > > [NET] received packet: from 1.2.3.4[13338] to 5.6.7.8[4500] (124 bytes)
> > > [ENC] parsed INFORMATIONAL_V1 request 2219980363 [ HASH D ]
> > > [IKE] received DELETE for IKE_SA rw[5]
> > > [IKE] deleting IKE_SA rw[5] between 5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
> > > [IKE] deleting IKE_SA rw[5] between 5.6.7.8[moon.example.com]...1.2.3.4[10.238.244.235]
> > > [IKE] IKE_SA rw[5] state change: ESTABLISHED => DELETING
> > > [IKE] IKE_SA rw[5] state change: DELETING => DELETING
> > > [IKE] IKE_SA rw[5] state change: DELETING => DESTROYING
> > > [CFG] lease 10.81.0.7 by 'carol' went offline
> >
> >
> > > conn rw
> > >         modeconfig=push
> > >         fragmentation=yes
> > >         rightauth=xauth
> > >         auto=add
> > >         left=1.2.3.4
> > >         leftcert=betaCert.pem
> > >         leftsubnet=10.0.0.0/8
> > >         ##leftsubnet=0.0.0.0/0
> > >         leftid=@example.com
> > >         leftfirewall=yes
> > >         leftsendcert=always
> > >         leftauth=pubkey
> > >         leftsendcert=always
> > >         right=%any
> > >         rightsourceip=10.81.0.0/24
> > > _______________________________________________
> > > Users mailing list
> > > Users at lists.strongswan.org
> > > https://lists.strongswan.org/mailman/listinfo/users
> >
> >
>
>
>
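Two checks that would have shortened the troubleshooting above, written as an added example (this is not strongSwan's code and was not posted by Anthony or Noel): a small linter for the `conn` section that flags `leftsendcert` being set twice and `modeconfig=push` (the setting Noel's reply changed to `pull`), and a triage pass over charon log lines that reports how far the IKEv1 exchange got before `no matching CHILD_SA config found`, which the log shows charon answering with `N(INVAL_ID)`. The sample config and log lines are constructed from the ones quoted in the thread; the verdict strings and function names are this example's own.

```python
"""strongSwan IKEv1 road-warrior triage (added example; not strongSwan code
and not posted by anyone in the thread). lint_conn() flags what a reviewer
would raise on the posted `conn rw`; triage_log() reports how far a charon
log got before "no matching CHILD_SA config found" (answered with INVAL_ID)."""
import re

# Constructed ipsec.conf fragment, cut down from the one posted in the thread.
SAMPLE_CONN = """\
conn rw
        modeconfig=push
        rightauth=xauth
        leftsubnet=10.0.0.0/8
        leftsendcert=always
        leftauth=pubkey
        leftsendcert=always
        right=%any
        rightsourceip=10.81.0.0/24
"""

# Constructed excerpt of the charon lines quoted in the thread (one attempt;
# thread-id prefixes and timestamps omitted).
SAMPLE_LOG = """\
[CFG] selected peer config "rw"
[IKE] XAuth authentication of 'carol' successful
[IKE] IKE_SA rw[5] state change: CONNECTING => ESTABLISHED
[IKE] assigning virtual IP 10.81.0.7 to peer 'carol'
[ENC] generating TRANSACTION response 2547185180 [ HASH CPRP(ADDR DNS U_BANNER U_SPLITINC) ]
[ENC] parsed QUICK_MODE request 2382903097 [ HASH SA No ID ID ]
[IKE] no matching CHILD_SA config found
[ENC] generating INFORMATIONAL_V1 request 3189127054 [ HASH N(INVAL_ID) ]
[IKE] received DELETE for IKE_SA rw[5]
"""

def parse_conn(text):
    """Return {conn_name: [(key, value), ...]}, keeping order and duplicates."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = []
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current].append((key.strip(), value.strip()))
    return conns

def lint_conn(text):
    """Return a list of (conn_name, finding) tuples for each conn section."""
    findings = []
    for name, pairs in parse_conn(text).items():
        values = {}
        for key, value in pairs:
            values.setdefault(key, []).append(value)
        for key, vals in values.items():
            if len(vals) > 1:                    # e.g. leftsendcert set twice
                findings.append((name, f"{key} is set {len(vals)} times"))
        # pull is strongSwan's default; the thread's fix was push -> pull
        if values.get("modeconfig", ["pull"])[-1] == "push":
            findings.append((name, "modeconfig=push (thread fix: modeconfig=pull)"))
    return findings

def triage_log(text):
    """Summarise one IKEv1 connection attempt from charon log lines."""
    st = {"peer_config": None, "xauth_user": None, "established": False,
          "virtual_ip": None, "split_include_sent": False, "quick_mode_seen": False,
          "child_sa_mismatch": False, "inval_id_sent": False}
    for line in text.splitlines():
        if m := re.search(r'selected peer config "([^"]+)"', line):
            st["peer_config"] = m.group(1)
        elif m := re.search(r"XAuth authentication of '([^']+)' successful", line):
            st["xauth_user"] = m.group(1)
        elif "state change: CONNECTING => ESTABLISHED" in line:
            st["established"] = True
        elif m := re.search(r"assigning virtual IP (\S+) to peer", line):
            st["virtual_ip"] = m.group(1)
        elif "generating TRANSACTION response" in line and "U_SPLITINC" in line:
            st["split_include_sent"] = True      # server did offer split-include
        elif "parsed QUICK_MODE request" in line:
            st["quick_mode_seen"] = True
        elif "no matching CHILD_SA config found" in line:
            st["child_sa_mismatch"] = True
        elif "generating INFORMATIONAL_V1" in line and "N(INVAL_ID)" in line:
            st["inval_id_sent"] = True
    # Phase 1 + XAuth fine but Quick Mode rejected is exactly the thread's symptom.
    if st["established"] and st["child_sa_mismatch"]:
        st["verdict"] = "phase1_ok_phase2_no_child_sa_match"
    elif st["established"]:
        st["verdict"] = "phase2_reached" if st["quick_mode_seen"] else "phase1_only"
    else:
        st["verdict"] = "phase1_failed"
    return st

if __name__ == "__main__":
    for name, finding in lint_conn(SAMPLE_CONN):
        print(f"conn {name}: {finding}")
    print(triage_log(SAMPLE_LOG)["verdict"])
```

The triage is deliberately sequential and assumes the lines belong to one connection attempt; a live daemon.log interleaves several IKE_SAs, so grep for the `rw[5]`-style id or the thread prefix (`09[IKE]`) first and feed it one attempt at a time. `split_include_sent` being true while the client still routes everything is the situation Anthony describes at the top of the thread: the server offered the split-include, the client did not act on it.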