[strongSwan] problem with setup for android connecting in
Lewis Robson
robsonl at conscious.co.uk
Fri Sep 24 17:43:14 CEST 2021
Hi all,

We are trying to re-create our strongSwan setup on a new server; we had a working proof of concept, but the old server was scrapped.
We had some files copied for the config that unfortunately aren't working for some reason now.
Also, with charon debug we are not receiving logs for some reason; nothing in journalctl to help either.
The scenario:

Server with an external-facing IP hosting strongSwan (no firewall currently, for testing the setup).
Clients connecting in via mobile strongSwan with certificate and EAP so that they can be on the network; the plan is to have it so that any phone traffic routes through here and any other traffic doesn't.
We have set up the local server as the CA for testing and copied the CA cert to the phone; however, it won't connect, and as there are no logs server side this doesn't help (but a tcpdump when trying to connect shows:
isakmp: isakmp: parent_sa ikev2_init[I]
admin prohibited filter, length 556
Phone logs show: unable to terminate ike_sa, peer not responding
Here is the config file that I named "android working" from the old server, which isn't working now. (There are duplicate entries of rightsendcert; should this be never? Also, for the rightauth, what should I be expecting my .secrets file to look like?)
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=my-servers-external-ip
    leftcert=the-server-cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsendcert=always
    rightauth=pubkey
    authby=pubkey
    #rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
Any help much appreciated,
thank you kindly.
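The question about the duplicated rightsendcert and the commented-out rightauth is a config-consistency problem, so here is a small linter for ipsec.conf-style sections that surfaces exactly that class of issue. This is an added example, not code from the post or from the strongSwan project: it parses `config setup` / `conn` sections, lists keys that are set more than once inside one section (so the reader does not have to guess which value starter applies), and flags two combinations that follow from the ipsec.conf(5) key definitions: `eap_identity` is only consulted when rightauth is an EAP method, and `authby` is the deprecated IKEv1-era form of `leftauth`/`rightauth`. The sample input is the configuration quoted above, indented but otherwise verbatim; the conflict rules are this example's own reading of those keys, not strongSwan's parser.

```python
"""Lint an ipsec.conf-style strongSwan configuration for duplicate and
conflicting keys.  Added example, not code from the post or from strongSwan;
the conflict rules are this example's own reading of the ipsec.conf(5) keys."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^(config|conn|ca)\s+(\S+)$")


def parse_ipsec_conf(text):
    """Return {"conn name": [(key, value), ...]} keeping order and duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def find_duplicates(entries):
    """Keys set more than once in one section, with every value given."""
    seen = defaultdict(list)
    for key, value in entries:
        seen[key].append(value)
    return {k: v for k, v in seen.items() if len(v) > 1}


def find_conflicts(entries):
    """Settings in one section that contradict or silently disable each other."""
    conf = dict(entries)          # dict() keeps the last value of a duplicate
    issues = []
    rightauth = conf.get("rightauth", "")
    if "eap_identity" in conf and not rightauth.startswith("eap"):
        issues.append("eap_identity is only used with an EAP rightauth, "
                      f"but rightauth={rightauth or '<unset>'}")
    if "authby" in conf and ("leftauth" in conf or "rightauth" in conf):
        issues.append("authby is deprecated for IKEv2 and is set alongside "
                      "leftauth/rightauth; keep only the *auth keys")
    return issues


def lint(text):
    """Map section name -> findings, only for sections that have any."""
    report = {}
    for name, entries in parse_ipsec_conf(text).items():
        dups, conflicts = find_duplicates(entries), find_conflicts(entries)
        if dups or conflicts:
            report[name] = {"duplicates": dups, "conflicts": conflicts}
    return report


# The configuration quoted in the post, verbatim apart from indentation.
POSTED_CONF = """\
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=my-servers-external-ip
    leftcert=the-server-cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightsendcert=always
    rightauth=pubkey
    authby=pubkey
    #rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
"""

if __name__ == "__main__":
    for section, findings in lint(POSTED_CONF).items():
        print(section)
        for key, values in findings["duplicates"].items():
            print(f"  duplicate {key}: {' / '.join(values)}")
        for issue in findings["conflicts"]:
            print(f"  conflict: {issue}")
```

Run against the posted file it reports the `rightsendcert` pair (`always` / `never`) and the two auth-style findings for `conn ikev2-vpn`, and nothing for `config setup`; a section that pairs `eap_identity` with an EAP `rightauth` and no `authby` comes back clean.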