I think I know this one, I had the same problem. Found the solution in the mailing list itself:
strongSwan requires the peer ID to be contained in the certificate (either the complete DN, or as a subjectAltName; a matching CN= is insufficient). In my case the peer ID turned out to be the IP address itself.

Federico

From: users-bounces+federico.mancini=ffi...@lists.strongswan.org [mailto:users-bounces+federico.mancini=ffi...@lists.strongswan.org] On behalf of zhen chen
Sent: 21 November 2011 04:22
To: Andreas Steffen
Cc: users@lists.strongswan.org
Subject: Re: [strongSwan] Android/Stongswan Integration

Hi Andreas,

I loaded the strongswan.conf to the android emulator, the Android is able to load the CA cert successfully. Thanks!

Now I started from the Android emulator and tried to add the IKEv2 IPSec tunnel. I entered the name, address of the GW, then tried to connect. I entered the username/password. The login failed. I checked the ipsec.conf and followed Tobias' instruction on wiki. Couldn't find out what I did wrong. I used zhen as the user name in the Android side.

Thanks in advance!
-Zhen

The following is the main error on the GW side:

Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen]
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found

The GW cert DN is: C=CH, O=zhen, CN=emac
which I used as the left side id for the gw's ipsec.conf file.
The CA cert DN is: C=CH, O=strongSwan, CN=strongSwan CA

/etc/ipsec.secrets:
"
: RSA peerKey.der
zhen : EAP "password"
"

ipsec.conf file in the GW side (note android is the conn to the android phone):
"
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn rw
    right=%any
    rightid=@192.168.121.101
    rightsourceip=%dhcp
    leftfirewall=yes
    left=192.168.121.102
    leftsubnet=192.168.2.0/24
    leftid=@192.168.121.102
    auto=add

conn android
    leftsubnet=0.0.0.0/0
    leftcert=peerCert1.der
    leftauth=pubkey
    leftid="C=CH, O=zhen, CN=emac"
    right=%any
    rightsourceip=%dhcp
    rightauth=eap-mschapv2
    rightsendcert=never
    keyexchange=ikev2
    eap_identity=%any
    auto=add
"

Gateway log:

Nov 20 19:51:30 localhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw socket-default updown eap-identity eap-md5 farp gtp
Nov 20 19:51:30 localhost charon: 00[JOB] spawning 16 worker threads
Nov 20 19:51:30 localhost charon: 06[CFG] received stroke: add connection 'rw'
Nov 20 19:51:30 localhost charon: 06[CFG] added configuration 'rw'
Nov 20 19:51:30 localhost charon: 08[CFG] received stroke: add connection 'android'
Nov 20 19:51:30 localhost charon: 08[CFG] left nor right host is our side, assuming left=local
Nov 20 19:51:30 localhost charon: 08[CFG] loaded certificate "C=CH, O=zhen, CN=emac" from 'peerCert1.der'
Nov 20 19:51:30 localhost charon: 08[CFG] added configuration 'android'
Nov 20 19:57:25 localhost charon: 10[NET] received packet: from 192.168.121.104[60653] to 192.168.121.102[500]
Nov 20 19:57:25 localhost charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Nov 20 19:57:25 localhost charon: 10[IKE] 192.168.121.104 is initiating an IKE_SA
Nov 20 19:57:25 localhost charon: 10[IKE] remote host is behind NAT
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:25 localhost charon: 10[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:25 localhost charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Nov 20 19:57:25 localhost charon: 10[NET] sending packet: from 192.168.121.102[500] to 192.168.121.104[60653]
Nov 20 19:57:26 localhost charon: 11[NET] received packet: from 192.168.121.104[34320] to 192.168.121.102[4500]
Nov 20 19:57:26 localhost charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Nov 20 19:57:26 localhost charon: 11[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
Nov 20 19:57:26 localhost charon: 11[CFG] looking for peer configs matching 192.168.121.102[192.168.121.102]...192.168.121.104[zhen]
Nov 20 19:57:26 localhost charon: 11[CFG] no matching peer config found
Nov 20 19:57:26 localhost charon: 11[IKE] peer supports MOBIKE
Nov 20 19:57:26 localhost charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Nov 20 19:57:26 localhost charon: 11[NET] sending packet: from 192.168.121.102[4500] to 192.168.121.104[34320]

Android adb logcat:

I/SProxy_charon( 351): Start VPN daemon: charon
D/SProxy_charon( 351): charon is running after 0 msec
D/SProxy_charon( 351): service not yet listen()ing; try again
I/charon ( 800): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5
I/charon ( 800): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running
I/charon ( 800): 00[JOB] spawning 16 worker threads
I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
I/charon ( 800): 06[CFG] using CA certificate, gateway identitiy '192.168.121.102'
I/charon ( 800): 06[CFG] status of Android plugin changed: 4
I/SProxy_charon( 351): got data from control socket: 4
I/charon ( 800): 06[IKE] initiating IKE_SA android[1] to 192.168.121.102
I/charon ( 800): 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
I/charon ( 800): 06[NET] sending packet: from 10.0.2.15[500] to 192.168.121.102[500]
I/charon ( 800): 07[NET] received packet: from 192.168.121.102[500] to 10.0.2.15[500]
I/charon ( 800): 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
I/charon ( 800): 07[IKE] local host is behind NAT, sending keep alives
I/charon ( 800): 07[IKE] received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon ( 800): 07[IKE] received 1 cert requests for an unknown ca
I/charon ( 800): 07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
I/charon ( 800): 07[IKE] establishing CHILD_SA android
I/charon ( 800): 07[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
I/charon ( 800): 07[NET] sending packet: from 10.0.2.15[4500] to 192.168.121.102[4500]
I/charon ( 800): 08[NET] received packet: from 192.168.121.102[4500] to 10.0.2.15[4500]
I/charon ( 800): 08[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
I/charon ( 800): 08[IKE] received AUTHENTICATION_FAILED notify error

________________________________
From: Andreas Steffen <andreas.stef...@strongswan.org>
To: zhen chen <zchen2...@yahoo.com>
Cc: Tobias Brunner <tob...@strongswan.org>; "users@lists.strongswan.org" <users@lists.strongswan.org>
Sent: Sunday, November 20, 2011 7:36 AM
Subject: Re: [strongSwan] Android/Stongswan Integration

Hello Zhen,

the actual error is

I/charon ( 362): 07[LIB] found unsupported critical X.509 extension
I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed

if you have a strongswan.conf file on your Android platform please add the entry

libstrongswan {
    x509 {
        enforce_critical = no
    }
}

You could also try to add the x509 plugin and add it in front of the openssl plugin in the libcharon load list. The x509 plugin might be able to handle the unknown critical extension contained in your certificate.

Regards

Andreas

On 11/20/2011 12:41 AM, zhen chen wrote:
> Hi Tobias,
>
> I followed the procedure to create the CA certificate and imported it to the Android emulator successfully.
> Now after I configure the GW side ipsec.conf. I created an IKEV2 VPN in the emulator. Then tried to connect to it:
>
> the logcat is giving me the following errors:
>
> D/SProxy_charon( 351): stopping charon, success? true
> D/VpnService( 351): Local IP: 10.0.2.15, if: eth0
> D/VpnService( 351): VPN UP: down
> I/SProxy_charon( 351): Start VPN daemon: charon
> D/SProxy_charon( 351): charon is running after 0 msec
> D/SProxy_charon( 351): service not yet listen()ing; try again
> I/charon ( 362): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android eap-identity eap-mschapv2 eap-md5
> I/charon ( 362): 00[DMN] removing pidfile '/data/misc/vpn/charon.pid', process not running
> I/charon ( 362): 00[JOB] spawning 16 worker threads
> I/keystore( 37): uid: 1016 action: g -> 1 state: 1 -> 1 retry: 4
> I/charon ( 362): 07[LIB] found unsupported critical X.509 extension
> I/charon ( 362): 07[LIB] OpenSSL X.509 parsing failed
> I/charon ( 362): 07[LIB] building CRED_CERTIFICATE - X509 failed, tried 2 builders
> I/charon ( 362): 07[CFG] failed to load CA certificate
> I/charon ( 362): 07[CFG] using CA certificate, gateway identitiy '192.168.121.102'
> I/charon ( 362): 07[CFG] status of Android plugin changed: 4
>
> Now it seems like Android is not able to load the certificate I created using ipsec pki.
> Is that because the way I created the CA cert? or something is missing in the Android charon?
>
> thanks!
> -zhen
>
>
> ------------------------------------------------------------------------
> *From:* Tobias Brunner <tob...@strongswan.org>
> *To:* zhen chen <zchen2...@yahoo.com>
> *Cc:* "users@lists.strongswan.org" <users@lists.strongswan.org>
> *Sent:* Tuesday, November 15, 2011 9:52 AM
> *Subject:* Re: [strongSwan] Android/Stongswan Integration
>
> Hello Zhen,
>
>> I have been trying to bring Strongswan 4.5.3 to Android
>
> If possible, you should update to 4.6.1 as there are several Android related improvements included in that release.
>
>> 1. When I ran charon in adb shell, it started, but said: "android plugin failed to load, can't open android control socket".
>
> That's because the control socket is only available, if charon gets started by the patched Android VPN GUI. With 4.6.1 it's possible to use the plugin even if charon is not started by the GUI.
>
>> I did some search, the android plugin is something related to DNS.
>
> That's correct, it installs DNS servers received from the gateway where Android expects them to be (there is no resolv.conf on Android).
>
>> Question: do I have to enable this plugin for VPN to work on the emulator?
>
> Only if you need DNS servers installed, or logging via logcat. These are currently the only two functions provided by the plugin, which are usable without GUI patch.
>
>> If so, I did some ./configure --enable-android, it failed because it couldn't find a required lib.
>
> Running ./configure won't work. To enable/disable plugins you have to edit the plugin list in the top Android.mk within the strongSwan source tree. But the plugin is enabled anyway, by default, it just can't be loaded without the control socket provided by the frontend in 4.5.3.
>
>> 2. In the frontend integration site, it says it needs CA assigned certs, quoted below.
>> Question: Does the certificate have to be issued by CA? Would self-assigned certificate work? I am just playing with it and wouldn't want to spend $1500 to buy one from verisign. :(
>
> Don't worry :) You can absolutely build your own CA (e.g. with the ipsec pki tool [1]). Just make sure you install the CA certificate in the Android certificate store as described on the page you quoted. Then use this CA to issue a certificate for the gateway you want to test against.
>
> With 4.6.1 you now have also the option to build starter and stroke which allows you to use an ipsec.conf based configuration, instead of using the frontend patch.
>
> Regards,
> Tobias
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

-- 
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
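As an added illustration of Federico's point (example code written for this page, not strongSwan's own identity-matching code): a simplified model of how charon decides whether the IKE identity a peer presents is contained in the certificate it authenticates with, checked against the gateway DN quoted in the thread. It also shows why an ipsec.conf id written as @192.168.121.102 is an FQDN-type identity and not an address; the SAN representation and the DN comparison rule are assumptions made for the example.

```python
import ipaddress

# Added example, not strongSwan's code: a simplified model of charon's rule that an
# IKE identity must be contained in the peer certificate, either as the complete
# subject DN or as a subjectAltName (assumed: only IP, DNS and email SANs modelled).

def parse_dn(dn):
    """Split 'C=CH, O=zhen, CN=emac' into [('C', 'CH'), ('O', 'zhen'), ('CN', 'emac')]."""
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def classify_id(peer_id):
    """Infer the IKE ID type from an ipsec.conf-style identity string."""
    if peer_id.startswith("@"):       # a leading '@' forces an FQDN identity
        return "FQDN", peer_id[1:]
    try:
        return "IPADDR", str(ipaddress.ip_address(peer_id))
    except ValueError:
        pass
    if "=" in peer_id:                # attribute=value pairs: a distinguished name
        return "DN", peer_id
    if "@" in peer_id:                # user@host: an RFC 822 address
        return "RFC822", peer_id
    return "FQDN", peer_id

SAN_TYPE_FOR_ID = {"IPADDR": "IP", "FQDN": "DNS", "RFC822": "email"}

def id_matches_cert(peer_id, subject_dn, sans):
    """True if peer_id equals the complete subject DN or one subjectAltName
    (a list of (type, value) pairs). A CN= that merely equals the name is not enough."""
    kind, value = classify_id(peer_id)
    if kind == "DN":
        return parse_dn(value) == parse_dn(subject_dn)
    wanted = SAN_TYPE_FOR_ID[kind]
    for san_type, san_value in sans:
        if san_type != wanted:
            continue
        if wanted == "IP":            # compare addresses numerically, not as text
            if ipaddress.ip_address(san_value) == ipaddress.ip_address(value):
                return True
        elif san_value.lower() == value.lower():
            return True
    return False
```

Calling id_matches_cert("192.168.121.102", "C=CH, O=zhen, CN=emac", []) reproduces the thread's failure (False), while issuing the gateway certificate with the SAN ("IP", "192.168.121.102") or using the full DN as the identity makes it True.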
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users