Hi, I am facing problems trying to set up a tunnel between an Android smartphone and the gateway.
Configuration should be fairly simple. I only want to use simple EAP authentication (just username and password, no certificates). Here is the gateway ipsec.conf:

[root@zircon strongswan]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn server
    authby=secret
    left=192.168.1.20
    leftsubnet=192.168.1.0/24
    leftfirewall=yes
    right=%any
    rightsourceip=10.3.0.0/28
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add

Here is the gateway ipsec.secrets (secrets are hidden):

[root@zircon strongswan]# cat ipsec.secrets
<username> : EAP "<password>"

The smartphone is configured using the strongSwan Android app client. Here are the relevant iptables rules:

ACCEPT     udp  --  anywhere  anywhere  udp dpt:isakmp
ACCEPT     udp  --  anywhere  anywhere  udp dpt:ipsec-nat-t

I’ve also added the following rules:

iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -j MASQUERADE

Here is the gateway status:

[root@zircon strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.1.3.el7.x86_64, x86_64):
  uptime: 49 minutes, since Aug 12 14:49:34 2019
  malloc: sbrk 1724416, mmap 0, used 576960, free 1147456
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Virtual IP pools (size/online/offline):
  10.3.0.0/28: 14/0/0
Listening IP addresses:
  192.168.1.20
  10.8.0.1
Connections:
      server:  192.168.1.20...%any  IKEv2
      server:   local:  [192.168.1.20] uses public key authentication
      server:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
      server:   child:  192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none

The first problem that I see is that, even though I set the "authby=secret" authentication method, the statusall command reports that the gateway uses public key authentication (which I don’t want):

      server:   local:  [192.168.1.20] uses public key authentication

When I try to connect, I can see that connection requests are received by the server, but the server does not answer:

[root@zircon strongswan]# tcpdump -i eno16777984 host 5.90.170.158 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777984, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:00.761866 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:02.795942 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:05.616891 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:09.494909 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:14.993817 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]

What am I missing? What’s wrong with my configuration?

Any help would be greatly appreciated. Thank you very much in advance.

Regards,
Costantino Imbrauglio
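As an added example (my own code, not the poster's and not part of strongSwan), a small linter over the ipsec.conf quoted above: it merges conn %default into each conn and flags the two things the statusall output exposed, namely that authby no longer defines the local method once a per-side rightauth is given, and that the local side then defaults to pubkey with no leftcert to back it. Those two rules are assumptions drawn from the quoted statusall output and the deprecation note for authby in ipsec.conf(5); the config string is a constructed copy of the relevant lines of the post.

```python
# Constructed copy of the relevant parts of the gateway's ipsec.conf quoted above.
IPSEC_CONF = """\
conn %default
    ikelifetime=60m
    keyexchange=ikev2

conn server
    authby=secret
    left=192.168.1.20
    leftsubnet=192.168.1.0/24
    right=%any
    rightsourceip=10.3.0.0/28
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
"""

def parse_ipsec_conf(text):
    """Parse into {conn_name: {key: value}}; options from conn %default are merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments and trailing whitespace
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line opens a section ("conn server")
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:                  # indented key=value belongs to the open section
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}

def lint_conn(name, opts):
    """Findings for one conn; the rules encode what the poster's statusall output revealed (assumed)."""
    findings = []
    per_side = [k for k in ("leftauth", "rightauth") if k in opts]
    if "authby" in opts and per_side:
        findings.append(f"{name}: authby={opts['authby']} does not set the local method once "
                        f"{'/'.join(per_side)} is given; set leftauth explicitly")
    if opts.get("rightauth", "").startswith("eap"):
        if opts.get("leftauth", "pubkey") == "pubkey" and "leftcert" not in opts:
            findings.append(f"{name}: local side falls back to pubkey but no leftcert is set, "
                            "so EAP clients have no gateway certificate to verify")
    return findings

def lint(text):
    """Run lint_conn over every conn in an ipsec.conf and return all findings."""
    return [f for name, opts in parse_ipsec_conf(text).items() for f in lint_conn(name, opts)]
```

Replacing authby=secret with leftauth=pubkey plus a leftcert (the certificate name is a placeholder) clears both findings; a PSK-based alternative is not available here, since the strongSwan Android client offers no PSK mode.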