Hi,
I am using the strongSwan VPN Client Google app on an Android device (VPN Client) and running strongswan-5.4.0 on a Linux device (VPN Server on a Virtual Machine). I am trying to establish an IKEv2/IPsec tunnel using EAP authentication based on username/password (EAP-MD5) on the client and pubkey on the server. Since for EAP-based authentication Android needs to have just the correct CA certificate installed, ipsec pki is used to generate all certificates. All certificates are imported to Android and installed. I opted for that specific certificate (CA) that was imported.

The error (in the charon log) on the Android device says:

    no issuer certificate found for "C=NL, O=Example Company, CN=vpn.example.org"
    no trusted RSA public key found for "C=NL, O=Example Company, CN=vpn.example.org"

Charon log on the VPN Server:

    15[CFG] selected peer config 'vpn_server-vpn_client'
    15[IKE] initiating EAP_IDENTITY method (id 0x00)
    15[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    15[IKE] peer supports MOBIKE
    15[IKE] authentication of 'C=NL, O=Example Company, CN=vpn.example.org' (myself) with RSA_EMSA_PKCS1_SHA384 successful
    15[IKE] sending end entity cert "C=NL, O=Example Company, CN=vpn.example.org"
    15[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
    15[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[52848] (2128 bytes)
    14[NET] received packet: from 192.168.10.59[52848] to 10.0.131.40[4500] (80 bytes)
    14[ENC] parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
    14[ENC] generating INFORMATIONAL response 2 [ N(AUTH_FAILED) ]
    14[NET] sending packet: from 10.0.131.40[4500] to 192.168.10.59[52848] (80 bytes)

I generated the certificates as stated below:

    ipsec pki --gen --type rsa --size 4096 --outform pem > private/strongswanKey.pem

    ipsec pki --self --ca --lifetime 3650 --in private/strongswanKey.pem --type rsa \
        --dn "C=NL, O=Example Company, CN=strongSwan Root CA" --outform pem > cacerts/strongswanCert.pem

    ipsec pki --gen --type rsa --size 4096 --outform pem > private/vpnHostKey.pem

    ipsec pki --pub --in private/vpnHostKey.pem --type rsa | ipsec pki --issue --lifetime 730 \
        --cacert cacerts/strongswanCert.pem --cakey private/strongswanKey.pem \
        --dn "C=NL, O=Example Company, CN=vpn.example.org" \
        --san vpn.example.com --san vpn.example.net --san 172.19.134.4 --san @172.19.134.4 \
        --flag serverAuth --flag ikeIntermediate --outform pem > certs/vpnHostCert.pem

    openssl pkcs12 -in certs/vpnHostCert.pem -inkey private/vpnHostKey.pem \
        -certfile cacerts/strongswanCert.pem -export -out peer.p12

ipsec.secrets (at VPN Server):

    : RSA /etc/ipsec.d/private/vpnHostKey.pem
    user : EAP "strongSwan"

ipsec.conf (at VPN Server):

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1

    conn vpn_server-vpn_client
        left=10.0.131.40
        leftfirewall=yes
        leftsubnet = %any
        leftprotoport=1
        rightprotoport=1
        right=%any
        rightauth=eap-md5
        rightsendcert=never
        leftcert=vpnHostCert.pem
        leftauth=pubkey
        eap_identity=%any
        leftsubnet=0.0.0.0/0
        rightsourceip = 10.0.3.15/32
        type=tunnel
        keyexchange=ikev2
        esp=aes128-sha1
        rekey=no
        reauth=no

Regards,
Chinmaya
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
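The "no issuer certificate found" message above means the client could not find, among the CAs it trusts, the CA that issued the server certificate it received. The script below is an added example (not part of the post above and not strongSwan project code) showing the two checks a server operator can run on the server side before debugging the client: does the host certificate verify against the CA file that was exported to the client, and does the identity the client will be configured with (vpn.example.org) actually appear in the certificate's subjectAltName. It uses openssl rather than ipsec pki so it runs without strongSwan installed, and it builds its own throwaway CA and certificates as constructed test material; the subject names and SAN values are copied from the post, the file names under $WORK are assumptions.

```shell
#!/bin/sh
# Added example: verify a VPN server certificate against the CA file the client
# is expected to trust, and check that the expected identity is a SAN entry.
# Constructed material only: a throwaway CA, one cert issued by it, and one
# self-signed cert with the same subject that does NOT chain to the CA.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (constructed; mirrors the DN used in the post).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -subj "/C=NL/O=Example Company/CN=strongSwan Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Host key + CSR, then issue it from the CA with the SANs and EKUs the post uses
# (1.3.6.1.5.5.8.2.2 is the ikeIntermediate OID).
openssl req -newkey rsa:2048 -nodes \
  -subj "/C=NL/O=Example Company/CN=vpn.example.org" \
  -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:vpn.example.org,DNS:vpn.example.net,IP:172.19.134.4\nextendedKeyUsage=serverAuth,1.3.6.1.5.5.8.2.2\n' \
  > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 730 -extfile "$WORK/ext.cnf" -out "$WORK/host.pem" >/dev/null 2>&1

# A self-signed certificate with the same subject: this is what a client sees
# when the server cert was not issued by the CA the client has installed.
openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
  -subj "/C=NL/O=Example Company/CN=vpn.example.org" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# check_chain CA_FILE CERT_FILE -> "ok" if CERT_FILE verifies against CA_FILE.
# This is the same trust decision the client makes when it looks for an issuer.
check_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# has_san CERT_FILE NAME -> "ok" if NAME (e.g. "DNS:vpn.example.org" or
# "IP Address:172.19.134.4") is listed in the certificate's subjectAltName.
# The client's server identity must match one of these entries.
has_san() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null \
       | grep -A1 "Subject Alternative Name" | grep -q "$2"; then
    echo ok
  else
    echo fail
  fi
}

# Usage against the constructed material; on a real server point these at
# cacerts/strongswanCert.pem and certs/vpnHostCert.pem instead.
echo "issued cert chains to CA:      $(check_chain "$WORK/ca.pem" "$WORK/host.pem")"
echo "self-signed cert chains to CA: $(check_chain "$WORK/ca.pem" "$WORK/other.pem")"
echo "SAN has vpn.example.org:       $(has_san "$WORK/host.pem" "DNS:vpn.example.org")"
echo "SAN has 172.19.134.4:          $(has_san "$WORK/host.pem" "IP Address:172.19.134.4")"
```

If check_chain reports fail for the certificate the server is actually presenting, the CA file exported to the client is not the one that signed it (or the server is sending a different leftcert than intended), which is exactly the condition the client reports as "no issuer certificate found". If the chain verifies but the SAN check fails for the name the client connects to, the client will instead reject the identity, so both checks are worth running.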
