[strongSwan] Fwd: problem with setup for android connecting in

Lewis Robson robsonl at conscious.co.uk
Tue Sep 28 15:09:30 CEST 2021


All,

Got this sorted in the end.

It turned out that even though we were using iptables, the firewalld daemon 
was running in the background and was interfering :)


On 27/09/2021 11:54, Lewis Robson wrote:
>
> Hello all,
>
> Still having the same problem with this one.
>
> This morning I set up another site-to-site from another external node 
> to make sure that the server I'm working on can talk out; the 
> connection set up and worked fine.
>
>
> Back to the drawing board. Using the below config or playing about 
> with other ones, I can't get users in via an Android device even using 
> just EAP authentication. I've just tried the config from 
> https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Roadwarrior-scenario 
> and had no luck.
>
> Has anyone got any links, configs, advice etc. on setting up so that my 
> mobile client can connect in properly?
>
>
> Thank you
>
>
>
> -------- Forwarded Message --------
> Subject: 	[strongSwan] problem with setup for android connecting in
> Date: 	Fri, 24 Sep 2021 16:43:14 +0100
> From: 	Lewis Robson <robsonl at conscious.co.uk>
> To: 	users at lists.strongswan.org <users at lists.strongswan.org>
>
>
>
> Hi all,
>
> Trying to re-create our strongSwan setup on a new server; we had a 
> working proof of concept but the old server was scrapped.
> We had some files copied for the config that unfortunately aren't 
> working for some reason now.
>
> Also, with charon debug we are not receiving logs for some reason, and 
> there is nothing in journalctl to help either?
>
>
> The scenario:
>
> A server with an external-facing IP hosting strongSwan (no firewall 
> currently, for testing the setup).
>
> Clients connecting in via mobile strongSwan with certificate and EAP 
> so that they can be on the network; the plan is to have it so that any 
> phone traffic routes through here and any other traffic doesn't.
>
>
> We have set up the local server as the CA for testing, and copied the CA 
> cert to the phone; however it won't connect, and as there are no logs server 
> side this doesn't help (but a tcpdump when trying to connect shows:
>
> isakmp: isakmp: parent_sa ikev2_init[I]
>
> admin prohibited filter, length 556
>
> Phone logs show: unable to terminate ike_sa, peer not responding
>
> I
>
> Here is the config file that I named "android working" from the old 
> server that isn't working now. (There are duplicate entries of 
> rightsendcert, should this be never? Also for the rightauth, what should 
> I be expecting my .secrets file to look like?)
>
>
> config setup
>     charondebug="ike 1, knl 1, cfg 0"
>     uniqueids=no
>
> conn ikev2-vpn
>     auto=add
>     compress=no
>     type=tunnel
>     keyexchange=ikev2
>     fragmentation=yes
>     forceencaps=yes
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftid=my-servers-external-ip
>     leftcert=the-server-cert
>     leftsendcert=always
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%any
>     rightsendcert=always
>     rightauth=pubkey
>     authby=pubkey
>     #rightauth=eap-mschapv2
>     rightsourceip=10.10.10.0/24
>     rightdns=8.8.8.8,8.8.4.4
>     rightsendcert=never
>     eap_identity=%identity
>     ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>
> Any help much appreciated.
>
> Thank you kindly
>
>
>
-- 
Lewis Robson
Systems Administrator
Conscious Solutions Limited

Tel: 0117 325 0200
Web: https://www.conscious.co.uk
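As an added illustration of the resolution above (this script is not from the list post or the strongSwan project): the "admin prohibited" ICMP seen in the tcpdump is what a catch-all REJECT rule, such as firewalld's default zone, sends back when nothing earlier accepts IKE traffic. The check below scans saved iptables rules for that combination; the two rulesets it scans are constructed samples, and the `-p udp --dport` / `-p esp` accept patterns are assumptions about how the allow rules were written.

```shell
#!/bin/sh
# Added example: flag a prohibited-REJECT rule in iptables-save output when
# no ACCEPT exists for the IKE/IPsec traffic a road-warrior setup needs
# (UDP 500, UDP 4500 for NAT-T, and ESP).

has_accept() {  # $1 = rule pattern, $2 = rules file
  grep -E -- "$1.*-j ACCEPT" "$2" >/dev/null
}

ike_firewall_check() {  # $1 = file holding iptables-save output
  rules="$1"; missing=""
  rejects=$(grep -E -- '-j REJECT.*--reject-with icmp6?-[a-z]+-prohibited' "$rules" || true)
  has_accept '-p udp .*--dport 500( |$)' "$rules"  || missing="$missing udp/500"
  has_accept '-p udp .*--dport 4500( |$)' "$rules" || missing="$missing udp/4500"
  has_accept '-p esp( |$)' "$rules"                || missing="$missing esp"
  if [ -n "$rejects" ] && [ -n "$missing" ]; then
    echo "IKE/IPsec traffic hits a prohibited-REJECT; no ACCEPT for:$missing"
    echo "$rejects"
    return 1
  fi
  echo "no prohibited-REJECT conflict for IKE/IPsec"
}

# Constructed sample: a firewalld-style default zone as iptables-save shows it,
# while the admin believes only hand-written iptables rules are in force.
BROKEN=$(mktemp); cat >"$BROKEN" <<'EOF'
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -g IN_public
-A IN_public -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

# Constructed sample: the same host after IKE, NAT-T and ESP are allowed.
FIXED=$(mktemp); cat >"$FIXED" <<'EOF'
*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

for f in "$BROKEN" "$FIXED"; do ike_firewall_check "$f" || echo "exit status $?"; done
```

On a live host feed it `iptables-save` output; with firewalld's nftables backend the rules are not visible to iptables-save, so check `systemctl is-active firewalld` and `nft list ruleset` instead.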
