Hi all,
I am testing IKEv2 for Android roadwarrior clients ... I have done a very
basic config:
ikev2 "roadwarriors" passive esp \
from 0.0.0.0/0 to 172.22.55.0/27 \
peer any \
config name-server 172.22.55.1 \
psk "stargazer"
Launching "iked -dvv" returns me:
ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to
172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
ikev2_recv: ispi 0xe525d6e2b940fdb1 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/lowlands.lab.uxdom.org length 26
ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x0000000000000000
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 652
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 244
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 136 proposal #1 protoid IKE spisize 0
xforms 15 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:24>
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group <UNKNOWN:24> reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xe525d6e2b940fdb1 0x0000000000000000
172.17.35.20:500
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP
encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xe525d6e2b940fdb1 0x0000000000000000
172.17.35.9:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xe525d6e2b940fdb1 0xc417a42f151005cb
172.17.35.9:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xe525d6e2b940fdb1 0xc417a42f151005cb
172.17.35.20:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type RSA_KEY length 1
ikev2_next_payload: length 5 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0xc417a42f151005cb
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 451
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0
xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 5
ikev2_pld_certreq: type RSA_KEY length 0
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500
msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580
According to this:
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
phase-1 is established, correct? But I am not sure because the last message is:
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500
msgid 0, 451 bytes
config_free_proposals: free 0x1ccfc4952580
Android device is a Samsung Galaxy Edge S7 (Android 7.0) and OpenBSD is 6.2
with all patches ... What am I doing wrong?
Thanks.
--
Greetings,
C. L. Martinez
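An added example, not part of the post above and not code from iked: a small parser for the "iked -dvv" line formats quoted in the post, which summarises one negotiation (exchanges parsed, transforms the initiator offered versus what iked answered with, ids iked could not name, NAT detection, sa_state transitions) and then says how far the IKE SA got. Under RFC 7296 an IKE SA is only established after IKE_AUTH; IKE_SA_INIT alone derives keys but authenticates nobody, so a log that ends at the IKE_SA_INIT response, as the quoted one does, shows an unauthenticated SA still waiting for the peer's IKE_AUTH. The sample input is a constructed, condensed copy of the post's own log lines with the mail-wrapped lines rejoined; the regexes assume the message layouts shown there and the "ESTABLISHED" state name iked prints on success.

```python
import re
from collections import defaultdict

# Constructed sample input: a condensed copy of the "iked -dvv" lines quoted in
# the post, with the lines that the mail client wrapped rejoined onto one line.
SAMPLE_LOG = """\
ikev2_recv: IKE_SA_INIT request from initiator 172.17.35.20:500 to 172.17.35.9:500 policy 'roadwarriors' id 0, 652 bytes
ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 652 response 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id <UNKNOWN:24>
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_ke: dh group <UNKNOWN:24> reserved 0
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
ikev2_pld_parse: header ispi 0xe525d6e2b940fdb1 rspi 0xc417a42f151005cb nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 451 response 1
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_msg_send: IKE_SA_INIT response from 172.17.35.9:500 to 172.17.35.20:500 msgid 0, 451 bytes
"""

# Line shapes assumed from the post's own log (iked -dvv on OpenBSD 6.2).
RE_HEADER = re.compile(r"^ikev2_pld_parse: .*exchange (\S+) .*response (\d)")
RE_XFORM = re.compile(r"^ikev2_pld_xform: .*type (\S+) id (\S+)")
RE_KEYLEN = re.compile(r"^ikev2_pld_attr: attribute type KEY_LENGTH length (\d+)")
RE_STATE = re.compile(r"^sa_state: (\S+) -> (\S+)")
RE_SCORE = re.compile(r"^ikev2_sa_negotiate: score (\d+)")
RE_SEND = re.compile(r"^ikev2_msg_send: (\S+) response")
RE_UNKNOWN = re.compile(r"<UNKNOWN:(\d+)>")


def parse_iked_log(text):
    """Summarise one IKE SA negotiation from iked -dvv output."""
    summary = {
        "exchanges": [],               # exchange type of each parsed header, in order
        "offered": defaultdict(list),  # transforms in the initiator's request, by type
        "chosen": defaultdict(list),   # transforms in the response iked built, by type
        "states": [],                  # sa_state transitions
        "score": None,                 # proposal score from ikev2_sa_negotiate
        "nat": False,                  # NAT detected via the NAT_DETECTION_* notifies
        "unknown_ids": set(),          # transform/group ids iked printed as <UNKNOWN:n>
        "responses_sent": [],          # exchanges iked answered with ikev2_msg_send
    }
    side = "offered"  # a header with "response 0" is the peer's request
    for line in text.splitlines():
        line = line.strip()
        if m := RE_HEADER.match(line):
            summary["exchanges"].append(m.group(1))
            side = "chosen" if m.group(2) == "1" else "offered"
        elif m := RE_XFORM.match(line):
            summary[side][m.group(1)].append(m.group(2))
        elif m := RE_KEYLEN.match(line):
            # KEY_LENGTH qualifies the ENCR transform logged just before it
            encr = summary[side].get("ENCR")
            if encr:
                encr[-1] = f"{encr[-1]}-{m.group(1)}"
        elif m := RE_STATE.match(line):
            summary["states"].append((m.group(1), m.group(2)))
        elif m := RE_SCORE.match(line):
            summary["score"] = int(m.group(1))
        elif m := RE_SEND.match(line):
            summary["responses_sent"].append(m.group(1))
        elif "detected NAT" in line:
            summary["nat"] = True
        for unknown in RE_UNKNOWN.findall(line):
            summary["unknown_ids"].add(int(unknown))
    summary["offered"] = dict(summary["offered"])
    summary["chosen"] = dict(summary["chosen"])
    summary["unknown_ids"] = sorted(summary["unknown_ids"])
    return summary


def ike_sa_status(summary):
    """How far the IKE SA got: RFC 7296 needs IKE_SA_INIT *and* IKE_AUTH."""
    if any(new == "ESTABLISHED" for _, new in summary["states"]):
        return "IKE SA established"
    if "IKE_AUTH" in summary["exchanges"]:
        return "IKE_AUTH seen but no ESTABLISHED transition: authentication pending or failed"
    if "IKE_SA_INIT" in summary["responses_sent"]:
        return ("IKE_SA_INIT answered but no IKE_AUTH seen: "
                "keys derived, IKE SA not yet authenticated")
    return "no completed IKE_SA_INIT exchange"


if __name__ == "__main__":
    s = parse_iked_log(SAMPLE_LOG)
    print("exchanges:", s["exchanges"])
    print("offered DH:", s["offered"]["DH"], "chosen DH:", s["chosen"]["DH"])
    print("unknown ids:", s["unknown_ids"], "NAT:", s["nat"], "score:", s["score"])
    print(ike_sa_status(s))
```

Run against the quoted log, the summary shows exactly two IKE_SA_INIT headers (request and response), AES_CBC-256/HMAC_SHA2_256/HMAC_SHA2_256_128/MODP_2048 chosen, group id 24 unknown to this iked, NAT detected, and the status line reports that no IKE_AUTH was seen. That is the check to make before reading "sa_state: INIT -> SA_INIT" as a finished phase 1: the next thing to look for in the log is an IKE_AUTH header from the initiator and a transition to ESTABLISHED.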