[strongSwan] New Android update option - how to best exploit?

Karl Denninger karl at denninger.net
Fri Jul 7 18:35:16 CEST 2017


I have found that I can use a 224-bit EC key and that gets my Android
negotiation down to no-fragments.  Since this is approximately equal to
a 2048-bit RSA key, which "for today" is considered "good enough" for
most web apps, this looks reasonable.

However, I can't use it when I use an EAP-TLS exchange, at least not on the
build I have -- or do I have it built wrong? :-)

Jul  7 11:28:35 IpGw charon: 16[NET] received packet: from
208.54.70.197[20099] to 68.1.57.197[500] (624 bytes)
Jul  7 11:28:35 IpGw charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA
KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Jul  7 11:28:35 IpGw charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9
vendor ID
Jul  7 11:28:35 IpGw charon: 16[IKE] received MS-Negotiation Discovery
Capable vendor ID
Jul  7 11:28:35 IpGw charon: 16[IKE] received Vid-Initial-Contact vendor ID
Jul  7 11:28:35 IpGw charon: 16[ENC] received unknown vendor ID:
01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Jul  7 11:28:35 IpGw charon: 16[IKE] 208.54.70.197 is initiating an IKE_SA
Jul  7 11:28:35 IpGw charon: 16[IKE] remote host is behind NAT
Jul  7 11:28:35 IpGw charon: 16[IKE] sending cert request for "C=US,
ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA,
E=Cuda Systems LLC CA"
Jul  7 11:28:35 IpGw charon: 16[ENC] generating IKE_SA_INIT response 0 [
SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jul  7 11:28:35 IpGw charon: 16[NET] sending packet: from
68.1.57.197[500] to 208.54.70.197[20099] (465 bytes)
Jul  7 11:28:36 IpGw charon: 16[NET] received packet: from
208.54.70.197[38246] to 68.1.57.197[4500] (1436 bytes)
Jul  7 11:28:36 IpGw charon: 16[ENC] parsed IKE_AUTH request 1 [ IDi
CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Jul  7 11:28:36 IpGw charon: 16[IKE] received cert request for "C=US,
ST=Florida, L=Niceville, O=Cuda Systems LLC, CN=Cuda Systems LLC CA,
E=Cuda Systems LLC CA"
Jul  7 11:28:36 IpGw charon: 16[IKE] received 56 cert requests for an
unknown ca
Jul  7 11:28:36 IpGw charon: 16[CFG] looking for peer configs matching
68.1.57.197[%any]...208.54.70.197[192.168.43.165]
Jul  7 11:28:36 IpGw charon: 16[CFG] selected peer config 'StrongSwan'
Jul  7 11:28:36 IpGw charon: 16[IKE] peer requested EAP, config inacceptable
Jul  7 11:28:36 IpGw charon: 16[CFG] switching to peer config 'WinUserCert'
Jul  7 11:28:36 IpGw charon: 16[IKE] initiating EAP_IDENTITY method (id
0x00)
Jul  7 11:28:36 IpGw charon: 16[IKE] peer supports MOBIKE
Jul  7 11:28:36 IpGw charon: 16[IKE] 224 bit ECDSA private key size not
supported
Jul  7 11:28:36 IpGw charon: 16[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
Jul  7 11:28:36 IpGw charon: 16[NET] sending packet: from
68.1.57.197[4500] to 208.54.70.197[38246] (76 bytes)

If I can get /that/ to work then I can probably get my Windows machines
to /also/ not need a frag-clean initial connection... it appears the
problem is that I'm using EAP_IDENTITY (and have to); the same key and
certificate work fine with the Android client and the "StrongSwan" config.

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
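
The log triage described in the message above, as an added example that is not part of the original post and not strongSwan code: it rejoins mail-wrapped charon syslog lines and, for each N(AUTH_FAILED) response, reports the peer config in use and the last error-like [IKE] message from the same worker thread. The function names and the list of phrases treated as failure causes are assumptions made for this illustration.

```python
import re

# Constructed sample: lines copied from the log in the post above, still
# wrapped the way the mail client wrapped them.
SAMPLE = """\
Jul  7 11:28:36 IpGw charon: 16[CFG] selected peer config 'StrongSwan'
Jul  7 11:28:36 IpGw charon: 16[IKE] peer requested EAP, config inacceptable
Jul  7 11:28:36 IpGw charon: 16[CFG] switching to peer config 'WinUserCert'
Jul  7 11:28:36 IpGw charon: 16[IKE] initiating EAP_IDENTITY method (id
0x00)
Jul  7 11:28:36 IpGw charon: 16[IKE] peer supports MOBIKE
Jul  7 11:28:36 IpGw charon: 16[IKE] 224 bit ECDSA private key size not
supported
Jul  7 11:28:36 IpGw charon: 16[ENC] generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
"""

HEAD = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) charon: (\d+)\[(\w+)\] (.*)$")
# Phrases treated as failure causes; an assumption based on the lines in this post.
CAUSE = re.compile(r"not supported|inacceptable|failed", re.I)

def unwrap(text):
    """Rejoin continuation lines (no syslog header) onto the previous record."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            records.append(list(m.groups()))
        elif records and line.strip():
            records[-1][4] += " " + line.strip()
    return records

def triage(text):
    """For each AUTH_FAILED response, return (timestamp, config, cause) using
    the last cause-like [IKE] message logged by the same worker thread."""
    config, cause, findings = {}, {}, []
    for ts, host, tid, subsys, msg in unwrap(text):
        m = re.search(r"(?:selected|switching to) peer config '([^']+)'", msg)
        if m:
            config[tid] = m.group(1)
            cause.pop(tid, None)   # a cause logged for a rejected config is stale
        elif subsys == "IKE" and CAUSE.search(msg):
            cause[tid] = msg
        elif "N(AUTH_FAILED)" in msg:
            findings.append((ts, config.get(tid), cause.get(tid)))
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
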