[strongSwan] Issue with establishing VPN Connection using strongSwan App on Android device

Chinmaya Dwibedy ckdwibedy at yahoo.com
Wed Apr 27 12:40:36 CEST 2016



Hi,

I am using the strongSwan VPN Client Google app on an Android device (VPN Client) and running strongswan-5.4.0 on a Linux device (VPN Server on a Virtual Machine). I am trying to establish an IKEv2/IPsec tunnel using EAP authentication based on username/password (EAP-MD5) on the client and pubkey on the server. For EAP-based authentication, Android needs to have just the correct CA certificate installed. ipsec pki is used to generate all certificates. All certificates are imported to Android and installed. Opted for that specific certificate (CA) that was imported.


 
The error (in the Charon log) on the Android device says: "no issuer certificate found for "C=NL, O=Example Company, CN=vpn.example.org""

No trusted RSA public key found for "C=NL, O=Example Company, CN=vpn.example.org".


 
Charon log on VPN Server

15[CFG] selected peer config 'vpn_server-vpn_client'
15[IKE] initiating EAP_IDENTITY method (id 0x00)
15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
15[IKE] peer supports MOBIKE
15[IKE] authentication of 'C=NL, O=Example Company, CN=vpn.example.org' (myself) with RSA_EMSA_PKCS1_SHA384 successful
15[IKE] sending end entity cert "C=NL, O=Example Company, CN=vpn.example.org"
15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
15[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[52848] (2128 bytes)
14[NET] received packet: from 192.168.10.59[52848] to 10.0.131.40[4500] (80 bytes)
14[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
14[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
14[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[52848] (80 bytes)


 
I generated the certificates as stated below

ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem

ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa --dn "C=NL, O=Example Company, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem

ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem

ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem --dn "C=NL, O=Example Company, CN=vpn.example.org" --san vpn.example.com --san vpn.example.net --san 172.19.134.4 --san @172.19.134.4 --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

openssl pkcs12 -in certs/vpnHostCert.pem -inkey private/vpnHostKey.pem -certfile cacerts/strongswanCert.pem -export -out peer.p12

 

ipsec.secrets (at VPN Server)


 
: RSA /etc/ipsec.d/private/vpnHostKey.pem

user : EAP "strongSwan"


 

 
ipsec.conf (at VPN Server)

conn %default
       ikelifetime=60m
       keylife=20m
       rekeymargin=3m
       keyingtries=1

conn vpn_server-vpn_client
       left=10.0.131.40
       leftfirewall=yes
       leftsubnet=%any
       leftprotoport=1
       rightprotoport=1
       right=%any
       rightauth=eap-md5
       rightsendcert=never
       leftcert=vpnHostCert.pem
       leftauth=pubkey
       eap_identity=%any
       leftsubnet=0.0.0.0/0
       rightsourceip=10.0.3.15/32
       type=tunnel
       keyexchange=ikev2
       esp=aes128-sha1
       rekey=no
       reauth=no


 
Regards,

Chinmaya
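As an added example (not part of the post above, and not strongSwan project code), the script below rebuilds a CA and server certificate pair with the DNs and SANs from the post, using openssl in place of ipsec pki, and then runs the two checks that decide whether a client sees "no issuer certificate found": does the server certificate chain to the CA certificate the client has installed, and is the address the client dials in the certificate's SAN list. The temporary work directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: rebuild a CA and server certificate
# pair like the post's ipsec pki chain (here with openssl), then run the two
# checks behind an Android "no issuer certificate found" error. DNs and SANs
# mirror the post; the work directory and file names are assumptions.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com,DNS:vpn.example.net,IP:172.19.134.4\n' > "$WORK/srv.ext"

# new_ca NAME: self-signed CA with the post's Root CA DN (key + cert in WORK).
new_ca() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=NL/O=Example Company/CN=strongSwan Root CA" \
    -keyout "$WORK/${1}Key.pem" -out "$WORK/${1}.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/${1}.csr" -signkey "$WORK/${1}Key.pem" \
    -extfile "$WORK/ca.ext" -out "$WORK/${1}Cert.pem" 2>/dev/null
}

new_ca ca        # the CA whose certificate the client must have installed
new_ca otherCa   # same DN, fresh key: what a re-run of "ipsec pki --self" yields

# Server certificate issued by the first CA, with the SANs from the post.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=NL/O=Example Company/CN=vpn.example.org" \
  -keyout "$WORK/vpnHostKey.pem" -out "$WORK/vpnHost.csr" 2>/dev/null
openssl x509 -req -days 730 -in "$WORK/vpnHost.csr" -CA "$WORK/caCert.pem" \
  -CAkey "$WORK/caKey.pem" -CAcreateserial -extfile "$WORK/srv.ext" \
  -out "$WORK/vpnHostCert.pem" 2>/dev/null

# chain_check CAFILE CERT: "OK" if CERT chains to CAFILE. This is the check
# the client performs with the CA certificate it has installed; a CA with the
# same DN but a different key fails it, just like a missing CA does.
chain_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# san_check CERT ADDR: "OK" if the DNS name or IP the client dials appears in
# CERT's SAN list, which the client matches the server's IKE identity against.
san_check() {
  if openssl x509 -in "$1" -noout -text | grep -qF -- "$2"; then echo OK; else echo FAIL; fi
}

echo "trusted CA:       $(chain_check "$WORK/caCert.pem" "$WORK/vpnHostCert.pem")"
echo "regenerated CA:   $(chain_check "$WORK/otherCaCert.pem" "$WORK/vpnHostCert.pem")"
echo "SAN 172.19.134.4: $(san_check "$WORK/vpnHostCert.pem" 172.19.134.4)"
echo "SAN 10.0.131.40:  $(san_check "$WORK/vpnHostCert.pem" 10.0.131.40)"
```

The same two checks can be run against the real files from the post (cacerts/strongswanCert.pem and certs/vpnHostCert.pem) to confirm that the CA installed on the phone is the one that issued the server certificate and that the address the client connects to is covered by a SAN.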
