[strongSwan] Fwd: problem with setup for android connecting in

Lewis Robson robsonl at conscious.co.uk
Mon Sep 27 12:54:57 CEST 2021


Hello all,

Still having the same problem with this one.

This morning I set up another site-to-site from another external node to 
make sure that the server I'm working on can talk out; the connection set 
up and worked fine.


Back to the drawing board: using the below config or playing about with 
other ones, I can't get users in via an Android device even using just EAP 
authentication. I've just tried the config from 
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Roadwarrior-scenario 
and had no luck.

Has anyone got any links, configs, advice etc. on setting up so that my 
mobile client can connect in properly?


Thank you



-------- Forwarded Message --------
Subject: 	[strongSwan] problem with setup for android connecting in
Date: 	Fri, 24 Sep 2021 16:43:14 +0100
From: 	Lewis Robson <robsonl at conscious.co.uk>
To: 	users at lists.strongswan.org <users at lists.strongswan.org>



Hi all,

Trying to recreate our strongSwan setup on a new server; we had a 
working proof of concept but the old server was scrapped.
We had some files copied for the config that unfortunately aren't working 
for some reason now.

Also, with charon debug we are not receiving logs for some reason; 
nothing in journalctl to help either?


The scenario:

Server with an external-facing IP hosting strongSwan (no firewall 
currently, for testing the setup).

Clients connecting in via mobile strongSwan with certificate and EAP so 
that they can be on the network; the plan is to have it so that any 
phone traffic routes through here and any other traffic doesn't.


We have done the local server as the CA for testing, and copied the CA 
cert to the phone; however it won't connect. As there are no logs server 
side this doesn't help, but a tcpdump when trying to connect shows:

isakmp: isakmp: parent_sa ikev2_init[I]

admin prohibited filter, length 556

Phone logs show: unable to terminate ike_sa, peer not responding


Here is the config file that I named "android working" from the old 
server that isn't working now. (There are duplicate entries of 
rightsendcert; should this be never? Also, for the rightauth, what should 
I be expecting my .secrets file to look like?)


config setup
     charondebug="ike 1, knl 1, cfg 0"
     uniqueids=no

conn ikev2-vpn
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     forceencaps=yes
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=my-servers-external-ip
     leftcert=the-server-cert
     leftsendcert=always
     leftsubnet=0.0.0.0/0
     right=%any
     rightid=%any
     rightsendcert=always
     rightauth=pubkey
     authby=pubkey
     #rightauth=eap-mschapv2
     rightsourceip=10.10.10.0/24
     rightdns=8.8.8.8,8.8.4.4
     rightsendcert=never
     eap_identity=%identity
     ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!

Any help much appreciated.

Thank you kindly
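An added example, not from the poster or anyone on this thread: a small ipsec.conf linter that splits the file into sections the way strongSwan's starter expects (headers at column 0, entries indented) and flags the things worth checking in a conn like the one posted: a key set twice (rightsendcert), eap_identity present while rightauth is not an EAP method, and a key=value line that is not indented under its section. SAMPLE_CONF is a constructed excerpt modelled on the posted conn, not the poster's file.

```python
import re

# Constructed sample modelled on the posted conn: duplicate rightsendcert,
# rightauth=pubkey beside eap_identity, and a long ike= line left at column 0.
SAMPLE_CONF = """\
conn ikev2-vpn
    rightauth=pubkey
    rightsendcert=always
    #rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%identity
ike=aes256gcm16-sha384-prfsha384-ecp384!
"""

def parse_ipsec_conf(text):
    """Return ({section: [(key, value), ...]}, findings); duplicate keys are kept.
    Headers sit at column 0 and entries must be indented, so an unindented
    key=value line is reported instead of silently joining the conn."""
    sections, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        header = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
            sections[current] = []
        elif raw[0].isspace() and current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
        else:
            findings.append(f"line {lineno}: '{line.strip()}' is not indented under a section")
    return sections, findings

def lint_conn(name, entries):
    """Flag settings that stop a roadwarrior conn from doing what was intended."""
    seen, issues = {}, []
    for key, value in entries:
        seen.setdefault(key, []).append(value)
    for key, values in seen.items():
        if len(values) > 1:
            issues.append(f"{name}: '{key}' set {len(values)} times ({', '.join(values)}); keep one")
    rightauth = seen.get("rightauth", ["unset"])[-1]  # eap_identity only matters for EAP
    if "eap_identity" in seen and not rightauth.startswith("eap"):
        issues.append(f"{name}: eap_identity only applies to an EAP rightauth, but rightauth={rightauth}")
    return issues

def lint(text):
    sections, findings = parse_ipsec_conf(text)
    return findings + [i for n, e in sections.items() for i in lint_conn(n, e)]
```

Run it on the real /etc/ipsec.conf with `lint(open("/etc/ipsec.conf").read())`; an empty list means none of these three problems is present.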


