Hi Tobias,

Thanks for the response. Answers below.

Mike

>-----Original Message-----
>From: Tobias Brunner [mailto:[email protected]]
>Sent: Tuesday, April 02, 2013 6:33 AM
>To: Peck, Michael A
>Cc: [email protected]
>Subject: Re: [strongSwan-dev] Problem with Android VPN Client on Motorola
>DROID RAZR running Android 4.1.2
>
>Hi Michael,
>
>> I compiled from source and had the same problem --- but I had been using
>> a previous version of strongSwan with no issues.
>
>Are you referring to the app or the strongSwan version on the gateway?

Sorry, I am referring to the Android app.

>
>> i.e. if I checkout master and run “git revert
>> 21dd4c4beab5b3e61dba28eedbc7aad375bdf0a3”, then build, the app works
>> fine.
>>
>> Any thoughts on the problem?
>
>Could you check which of the two changes in the patch causes the issue?

The first change is the one that causes the issue with the Android app.

In src/libcharon/sa/ike_sa.c:

This code segment works:

        /* update our address in any case */
        if (!me->equals(me, this->my_host))
        {
                set_my_host(this, me->clone(me));
                update = TRUE;
        }

This code segment doesn't work:

        /* update our address in any case */
        if (force && !me->equals(me, this->my_host))
        {
                set_my_host(this, me->clone(me));
                update = TRUE;
        }

>What is your NAT situation? Is the gateway behind a NAT? Are any of
>the two Android devices? Could you send your gateway config? (In
>particular do you have mobike=no in your config?)

The gateway is an Amazon EC2 VM (strongSwan 4.5.2 running on Ubuntu 12.04.2 LTS). Its Internet-facing IP is not the same as the IP assigned to its eth0 interface.

The Android devices are behind a NAT. I've tested on both my home Wi-Fi and over cellular.

I have mobike=yes in the gateway config.

Here is the gateway config:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        strictcrlpolicy=no
        plutostart=no
        charonstart=yes

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2

conn mytest
        left=%any
        leftsubnet=0.0.0.0/0
        mobike=yes
        right=%any
        auto=add
        authby=pubkey
        leftcert=ec2cert.pem
        rightid=%any
        leftid=%any
        rightsourceip=192.168.100.0/24
        esp=aes256-sha384
        ike=aes256-sha384-modp2048

Here's the Charon.log from the Android app. 10.184.214.218 is the external interface (cellular data). Notice the "sending packet: from 192.168.157.1[38661]" - that is not the external interface. I think it's one of the USB interfaces. 10.184.214.218 is the external interface on the Android phone. Could that be part of the problem?

54.242.XXX.YY is the internet-facing IP of the gateway, but the gateway sees its own address as 10.214.xxx.yy.

Apr 3 16:31:34 00[DMN] Starting IKE charon daemon (strongSwan 5.0.3rc1, Linux 3.0.8-gbacb1cf, armv7l)
Apr 3 16:31:35 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
Apr 3 16:31:35 00[JOB] spawning 16 worker threads
Apr 3 16:31:35 16[CFG] loaded user certificate 'C=US, O=REMOVED, CN=REMOVED' and private key
Apr 3 16:31:35 16[CFG] loaded CA certificate 'C=US, O=REMOVED, CN=REMOVED-ROOT-CA'
Apr 3 16:31:36 16[IKE] initiating IKE_SA android[1] to 54.242.XXX.YY
Apr 3 16:31:36 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 3 16:31:36 16[NET] sending packet: from 192.168.157.1[38661] to 54.242.XXX.YY[500] (648 bytes)
Apr 3 16:31:36 13[NET] received packet: from 54.242.XXX.YY[500] to 10.184.214.218[38661] (465 bytes)
Apr 3 16:31:36 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Apr 3 16:31:36 13[IKE] local host is behind NAT, sending keep alives
Apr 3 16:31:36 13[IKE] remote host is behind NAT
Apr 3 16:31:36 13[IKE] received cert request for "C=US, O=REMOVED, CN=REMOVED-ROOT-CA"
Apr 3 16:31:36 13[IKE] sending cert request for "C=US, O=REMOVED, CN=REMOVED-ROOT-CA"
Apr 3 16:31:36 13[IKE] authentication of 'C=US, O=REMOVED, CN=REMOVED' (myself) with RSA signature successful
Apr 3 16:31:36 13[IKE] sending end entity cert "C=US, O=REMOVED, CN=REMOVED"
Apr 3 16:31:36 13[IKE] establishing CHILD_SA android
Apr 3 16:31:36 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 3 16:31:36 13[NET] sending packet: from 10.184.214.218[54393] to 54.242.XXX.YY[4500] (1560 bytes)
Apr 3 16:31:37 10[NET] received packet: from 54.242.XXX.YY[4500] to 10.184.214.218[54393] (1432 bytes)
Apr 3 16:31:37 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Apr 3 16:31:37 10[IKE] received end entity cert "C=US, O=REMOVED, CN=removed.com"
Apr 3 16:31:37 10[CFG] using certificate "C=US, O=REMOVED, CN=removed.com"
Apr 3 16:31:37 10[CFG] using trusted ca certificate "C=US, O=REMOVED, CN=REMOVED-ROOT-CA"
Apr 3 16:31:37 10[CFG] reached self-signed root ca with a path length of 0
Apr 3 16:31:37 10[IKE] authentication of 'C=US, O=REMOVED, CN=removed.com' with RSA signature successful
Apr 3 16:31:37 10[IKE] IKE_SA android[1] established between 10.184.214.218[C=US, O=REMOVED, CN=REMOVED]...54.242.XXX.YY[C=US, O=REMOVED, CN=removed.com]
Apr 3 16:31:37 10[IKE] scheduling rekeying in 35588s
Apr 3 16:31:37 10[IKE] maximum IKE_SA lifetime 36188s
Apr 3 16:31:37 10[IKE] installing new virtual IP 192.168.100.1
Apr 3 16:31:37 10[IKE] CHILD_SA android{1} established with SPIs 50d2eb02_i cb7893c3_o and TS 192.168.100.1/32 === 0.0.0.0/0
Apr 3 16:31:37 10[DMN] setting up TUN device for CHILD_SA android{1}
Apr 3 16:31:37 10[DMN] successfully created TUN device
Apr 3 16:31:37 10[IKE] received AUTH_LIFETIME of 3280s, scheduling reauthentication in 2680s
Apr 3 16:31:37 10[IKE] peer supports MOBIKE
Apr 3 16:31:58 02[IKE] sending keep alive to 54.242.XXX.YY[4500]

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
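Added example (editor's addition, not part of the thread and not strongSwan code): a small Python script that reads the charon.log format shown in Mike's message and flags the condition he points at, a [NET] "sending packet: from" source address that differs from the address the reply is "received ... to" on the same local port, and also reports the NAT-detection, NAT-T port-float and MOBIKE lines. The embedded sample log is a constructed excerpt modelled on the log above, with the gateway address masked the same way; the function names and the regular expressions are this example's own.

```python
import re

# Constructed sample: an excerpt modelled on the charon.log quoted in the
# thread (gateway address kept masked as in the original message).
SAMPLE_LOG = """\
Apr 3 16:31:36 16[IKE] initiating IKE_SA android[1] to 54.242.XXX.YY
Apr 3 16:31:36 16[NET] sending packet: from 192.168.157.1[38661] to 54.242.XXX.YY[500] (648 bytes)
Apr 3 16:31:36 13[NET] received packet: from 54.242.XXX.YY[500] to 10.184.214.218[38661] (465 bytes)
Apr 3 16:31:36 13[IKE] local host is behind NAT, sending keep alives
Apr 3 16:31:36 13[IKE] remote host is behind NAT
Apr 3 16:31:36 13[NET] sending packet: from 10.184.214.218[54393] to 54.242.XXX.YY[4500] (1560 bytes)
Apr 3 16:31:37 10[NET] received packet: from 54.242.XXX.YY[4500] to 10.184.214.218[54393] (1432 bytes)
Apr 3 16:31:37 10[IKE] peer supports MOBIKE
"""

# "Mon D HH:MM:SS <thread>[<group>] <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<grp>\w+)\] (?P<msg>.*)$')
# "sending packet: from A[p] to B[q] (n bytes)" / "received packet: from ..."
PKT_RE = re.compile(
    r'^(?P<dir>sending|received) packet: from (?P<src>\S+)\[(?P<sport>\d+)\]'
    r' to (?P<dst>\S+)\[(?P<dport>\d+)\] \((?P<len>\d+) bytes\)$')


def parse_packets(log_text):
    """Return one tuple per [NET] packet line:
    (direction, local_addr, local_port, remote_addr, remote_port, length).
    For 'sending' the local side is the source, for 'received' it is the
    destination, so both directions can be compared per local port."""
    packets = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group('grp') != 'NET':
            continue
        p = PKT_RE.match(m.group('msg'))
        if not p:
            continue
        if p.group('dir') == 'sending':
            local, lport, remote, rport = p['src'], p['sport'], p['dst'], p['dport']
        else:
            local, lport, remote, rport = p['dst'], p['dport'], p['src'], p['sport']
        packets.append((p['dir'], local, lport, remote, rport, int(p['len'])))
    return packets


def analyze(log_text):
    """Summarise what the log says about local addresses, NAT and MOBIKE."""
    packets = parse_packets(log_text)
    sent_from = {}  # local port -> addresses charon logged as its own source
    recv_at = {}    # local port -> addresses replies actually arrived on
    for direction, local, lport, _remote, _rport, _length in packets:
        table = sent_from if direction == 'sending' else recv_at
        table.setdefault(lport, set()).add(local)

    # The condition Mike points at: a request goes out "from" one address but
    # the reply on the same local port comes back "to" a different one.
    mismatches = []
    for lport in sorted(sent_from, key=int):
        for sent in sorted(sent_from[lport]):
            for seen in sorted(recv_at.get(lport, ())):
                if sent != seen:
                    mismatches.append((lport, sent, seen))

    remote_ports = {rport for _d, _l, _lp, _r, rport, _n in packets}
    return {
        'mismatches': mismatches,
        'local_behind_nat': 'local host is behind NAT' in log_text,
        'remote_behind_nat': 'remote host is behind NAT' in log_text,
        'peer_supports_mobike': 'peer supports MOBIKE' in log_text,
        'udp_encap_port_used': '4500' in remote_ports,  # NAT-T float to 4500
    }


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for lport, sent, seen in report['mismatches']:
        print(f'port {lport}: sent from {sent} but replies arrive at {seen}')
    for key in ('local_behind_nat', 'remote_behind_nat',
                'peer_supports_mobike', 'udp_encap_port_used'):
        print(f'{key}: {report[key]}')
```

Run against the sample it reports port 38661 as sent from 192.168.157.1 with replies arriving at 10.184.214.218, while port 54393 (after the float to UDP 4500) is consistent; pointing it at a full charon.log (`analyze(open('charon.log').read())`) gives the same per-port view for a real capture.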
