[strongSwan] Issue with establishing VPN Connection using strongSwan App on Android device

Chinmaya Dwibedy ckdwibedy at yahoo.com
Wed Apr 27 12:40:36 CEST 2016


I am using the strongSwan VPN Client Google app on an Android device (VPN Client) and running strongswan-5.4.0 on a Linux device (VPN Server on a virtual machine). I am trying to establish an IKEv2/IPsec tunnel using EAP authentication based on username/password (EAP-MD5) on the client and pubkey on the server. For EAP-based authentication, Android needs to have just the correct CA certificate installed. ipsec pki is used to generate all certificates. All certificates are imported to Android and installed. I opted for that specific certificate (CA) that was imported.

The error (in the charon log) on the Android device says: "no issuer certificate found for 'C=NL, O=Example Company, CN=vpn.example.org'"

"No trusted RSA public key found for 'C=NL, O=Example Company, CN=vpn.example.org'".

Charon log on VPN Server

15[CFG] selected peer config 'vpn_server-vpn_client'
15[IKE] initiating EAP_IDENTITY method (id 0x00)
15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
15[IKE] peer supports MOBIKE
15[IKE] authentication of 'C=NL, O=Example Company, CN=vpn.example.org' (myself) with RSA_EMSA_PKCS1_SHA384 successful
15[IKE] sending end entity cert "C=NL, O=Example Company, CN=vpn.example.org"
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
15[NET] sending packet: from [4500] to 192.168.10.59[52848] (2128 bytes)
14[NET] received packet: from 192.168.10.59[52848] to [4500] (80 bytes)
14[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
14[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
14[NET] sending packet: from [4500] to 192.168.10.59[52848] (80 bytes)

I generated the certificates as stated below:

ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem

ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=NL, O=Example Company, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem

ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem

ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=NL, O=Example Company, CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san --san @ --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

openssl pkcs12 -in certs/vpnHostCert.pem -inkey private/vpnHostKey.pem -certfile cacerts/strongswanCert.pem -export -out peer.p12


ipsec.secrets (at VPN Server)

: RSA /etc/ipsec.d/private/vpnHostKey.pem

user : EAP "strongSwan"


conn %default

ipsec.conf (at VPN Server)

conn vpn_server-vpn_client
       leftsubnet = %any
       rightsourceip =

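As an added example (not code from the post or from the strongSwan project), the two properties the Android error depends on can be checked outside strongSwan: that the server certificate chains to the CA file the client is meant to trust, and that its SAN carries the gateway name. It rebuilds the post's CA and server certificate with openssl in place of ipsec pki; the DNs come from the post, while the 2048-bit key size, the work directory and a second "wrong" CA are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's certificate
# hierarchy with openssl and run the two checks behind the Android error.
# Key size, work directory and the second CA are assumptions for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Build a CA and a server certificate it issues, in the post's layout.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/strongswanKey.pem" -out "$WORK/strongswanCert.pem" \
        -subj "/C=NL/O=Example Company/CN=strongSwan Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/vpnHostKey.pem" -out "$WORK/vpnHost.csr" \
        -subj "/C=NL/O=Example Company/CN=vpn.example.org" 2>/dev/null
    printf 'subjectAltName=DNS:vpn.example.org\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/ext.cnf"
    openssl x509 -req -days 730 -in "$WORK/vpnHost.csr" \
        -CA "$WORK/strongswanCert.pem" -CAkey "$WORK/strongswanKey.pem" \
        -CAcreateserial -extfile "$WORK/ext.cnf" \
        -out "$WORK/vpnHostCert.pem" 2>/dev/null
    # An unrelated CA stands in for "a different CA installed on the phone".
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/otherKey.pem" -out "$WORK/otherCA.pem" \
        -subj "/C=NL/O=Example Company/CN=Other Root CA" 2>/dev/null
}

# Check 1: does the server cert chain to the CA file the client trusts?
# Failing here is what the Android log reports as "no issuer certificate found".
chain_ok() {  # $1 = CA cert, $2 = server cert; exit status 0 on success
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the SAN list carry the name the client authenticates
# (the gateway name typed into the app / configured as leftid)?
san_ok() {  # $1 = server cert, $2 = expected DNS name
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

main() {
    make_certs
    chain_ok "$WORK/strongswanCert.pem" "$WORK/vpnHostCert.pem" \
        && echo "issuing CA: chain OK" || echo "issuing CA: chain FAILED"
    chain_ok "$WORK/otherCA.pem" "$WORK/vpnHostCert.pem" \
        && echo "other CA: chain OK (unexpected)" || echo "other CA: rejected"
    san_ok "$WORK/vpnHostCert.pem" vpn.example.org \
        && echo "SAN has vpn.example.org" || echo "SAN lacks vpn.example.org"
}
case "${1:-}" in --run) main ;; esac
```

Run it with `--run`; the same `chain_ok` call against the real cacerts/strongswanCert.pem and certs/vpnHostCert.pem tells you whether the CA you imported into the app is actually the issuer of the cert the server sends.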