[strongSwan] Android client not connecting with ECDSA certificate authentication

Ettore Tagarelli tagahect at gmail.com
Tue Apr 26 00:39:37 CEST 2022


I managed to make the connection with an ECDSA certificate work with Linux
and Windows 10, but not with Android, which works well only with an RSA
certificate. I'm using the 2.3.3 client on Android 9. I'm using the same
certs that work with Linux and Windows. I tried to solve it by managing the
encryption parameters, as I did with Windows 10 through PowerShell, but with
Android I had no luck. (The authencesn module is loaded on both machines.)

This is the server ipsec.conf file:
# ipsec.conf - strongSwan IPsec configuration file

config setup

  charondebug="cfg 2, dmn 2, ike 4, net 2"

conn %default
  auto=start
  closeaction=restart
  keyexchange=ikev2
  dpdaction=clear
  dpddelay=300s
  dpdtimeout = 5s
  keyingtries=5
  rekey=yes
  left=%any
  leftfirewall=yes
  leftid=aa.bb.cc.dd
  leftsubnet=0.0.0.0/0
  leftcert=aaaa.aaa.aaaaaaa.crt
  mobike=yes
  right=%any
  rightdns=192.168.1.1,8.8.8.8
  rightsourceip=192.168.2.0/24
  type=tunnel

This is the server log:
Apr 25 23:49:52 woppami charon: 02[NET] received packet: from ee.ff.gg.hh[46875] to 192.168.1.8[500]
Apr 25 23:49:52 woppami charon: 02[NET] waiting for data on sockets
Apr 25 23:49:52 woppami charon: 12[NET] received packet: from ee.ff.gg.hh[46875] to 192.168.1.8[500] (272 bytes)
Apr 25 23:49:52 woppami charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 25 23:49:52 woppami charon: 12[CFG] looking for an ike config for 192.168.1.8...ee.ff.gg.hh
Apr 25 23:49:52 woppami charon: 12[CFG]   candidate: %any...%any, prio 28
Apr 25 23:49:52 woppami charon: 12[CFG] found matching ike config: %any...%any with prio 28
Apr 25 23:49:52 woppami charon: 12[IKE] ee.ff.gg.hh is initiating an IKE_SA
Apr 25 23:49:52 woppami charon: 12[IKE] IKE_SA (unnamed)[123] state change: CREATED => CONNECTING
Apr 25 23:49:52 woppami charon: 12[CFG] selecting proposal:
Apr 25 23:49:52 woppami charon: 12[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Apr 25 23:49:52 woppami charon: 12[CFG] selecting proposal:
Apr 25 23:49:52 woppami charon: 12[CFG]   proposal matches
Apr 25 23:49:52 woppami charon: 12[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Apr 25 23:49:52 woppami charon: 12[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_MD5_96/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Apr 25 23:49:52 woppami charon: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Apr 25 23:49:52 woppami charon: 12[IKE] local host is behind NAT, sending keep alives
Apr 25 23:49:52 woppami charon: 12[IKE] remote host is behind NAT
Apr 25 23:49:52 woppami charon: 12[IKE] sending cert request for "C=IT, O=Aaaa CA, CN=aaaa.aaa.aaaaaaa"
Apr 25 23:49:52 woppami charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Apr 25 23:49:52 woppami charon: 12[NET] sending packet: from 192.168.1.8[500] to ee.ff.gg.hh[46875] (297 bytes)
Apr 25 23:49:52 woppami charon: 03[NET] sending packet: from 192.168.1.8[500] to ee.ff.gg.hh[46875]
Apr 25 23:49:52 woppami charon: 02[NET] received packet: from ee.ff.gg.hh[41973] to 192.168.1.8[4500]
Apr 25 23:49:52 woppami charon: 02[NET] waiting for data on sockets
Apr 25 23:49:52 woppami charon: 08[NET] received packet: from ee.ff.gg.hh[41973] to 192.168.1.8[4500] (1008 bytes)
Apr 25 23:49:52 woppami charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 25 23:49:52 woppami charon: 08[IKE] received end entity cert "C=IT, O=Bbbbb, CN=bbbbb.aaaa.aaaaaaa"
Apr 25 23:49:52 woppami charon: 08[CFG] looking for peer configs matching 192.168.1.8[aaaa.aaa.aaaaaaa]...ee.ff.gg.hh[bbbbb.aaaa.aaaaaaa]
Apr 25 23:49:52 woppami charon: 08[CFG] no matching peer config found
Apr 25 23:49:52 woppami charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Apr 25 23:49:52 woppami charon: 08[IKE] processing INTERNAL_IP6_ADDRESS attribute
Apr 25 23:49:52 woppami charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Apr 25 23:49:52 woppami charon: 08[IKE] processing INTERNAL_IP6_DNS attribute
Apr 25 23:49:52 woppami charon: 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 25 23:49:52 woppami charon: 08[IKE] peer supports MOBIKE
Apr 25 23:49:52 woppami charon: 08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Apr 25 23:49:52 woppami charon: 08[NET] sending packet: from 192.168.1.8[4500] to ee.ff.gg.hh[41973] (80 bytes)
Apr 25 23:49:52 woppami charon: 08[IKE] IKE_SA (unnamed)[123] state change: CONNECTING => DESTROYING
Apr 25 23:49:52 woppami charon: 03[NET] sending packet: from 192.168.1.8[4500] to ee.ff.gg.hh[41973]

Looking for help
Regards
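
Added example, not part of the original post and not strongSwan code: a small Python triage over the charon log lines above that reports which stage of the IKEv2 exchange the responder reached and which identities it used for the peer-config lookup, next to the leftid from the posted ipsec.conf. The sample strings are constructed by unwrapping lines from the post, and the function names (triage, configured_leftid, report) are the example's own.

```python
import re

# Constructed samples: charon lines from the post's log (unwrapped to one line
# each) and three settings from its ipsec.conf.
P = "Apr 25 23:49:52 woppami charon: "
SAMPLE_LOG = "\n".join(P + s for s in [
    "12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256",
    '08[IKE] received end entity cert "C=IT, O=Bbbbb, CN=bbbbb.aaaa.aaaaaaa"',
    "08[CFG] looking for peer configs matching 192.168.1.8[aaaa.aaa.aaaaaaa]...ee.ff.gg.hh[bbbbb.aaaa.aaaaaaa]",
    "08[CFG] no matching peer config found",
    "08[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]",
])
SAMPLE_CONF = "conn %default\n  keyexchange=ikev2\n  leftid=aa.bb.cc.dd\n"

# Message part of a syslog line written by charon: "NN[GRP] message".
LINE = re.compile(r"charon: \d+\[[A-Z]{3}\] (.*)$", re.MULTILINE)
# "looking for peer configs matching <addr>[<local id>]...<addr>[<remote id>]"
LOOKUP = re.compile(r"looking for peer configs matching \S+?\[([^\]]+)\]\.\.\.\S+?\[([^\]]+)\]")

def triage(log_text):
    """Collect what the responder logged at each stage of one IKEv2 attempt."""
    r = dict.fromkeys(("proposal", "peer_cert", "local_id", "remote_id", "failed_at"))
    for msg in LINE.findall(log_text):
        if msg.startswith("selected proposal: "):
            r["proposal"] = msg.split(": ", 1)[1]
        elif msg.startswith("received end entity cert "):
            r["peer_cert"] = msg.split('"')[1]
        elif ids := LOOKUP.search(msg):
            r["local_id"], r["remote_id"] = ids.groups()
        elif msg == "no matching peer config found":
            r["failed_at"] = "peer config lookup"
        elif "N(AUTH_FAILED)" in msg and r["failed_at"] is None:
            r["failed_at"] = "authentication"  # no earlier cause was logged
    return r

def configured_leftid(conf_text):
    """Read leftid from ipsec.conf text, tolerating spaces around '='."""
    m = re.search(r"^\s*leftid\s*=\s*(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else None

def report(log_text, conf_text):
    """Triage result plus a comparison of the looked-up local ID with leftid."""
    r = triage(log_text)
    r["leftid"] = configured_leftid(conf_text)
    r["local_id_is_leftid"] = r["local_id"] == r["leftid"]
    return r

if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG, SAMPLE_CONF).items():
        print(f"{key:20} {value}")
```

On the posted log this reports that an IKE proposal was selected and that the attempt ended at the peer-config lookup; the local identity in that lookup line is not the same string as the configured leftid.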