On Wed, 11 Mar 2020, Beat Zahnd wrote:

Only one step more

Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: processing decrypted IKE_AUTH request: SK{IDi,CERT,N,CERTREQ,AUTH,CP,N,SA,TSi,TSr,N,N,N,N}
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: certificate verified OK: CN=bz
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: certificate subjectAltName extension does not match ID_IPV4_ADDR '178.197.x.x'
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: Peer CERT payload SubjectAltName does not match peer ID for this connection

You do not have a subjectAltName=178.197.x.x in your certificate as a valid ID.
The IKE ID has to match a subjectAltName= to prevent another certificate
that is valid, but for a different ID, from spoofing this IKE ID. Since many
people have generated bad certificates, we provide the override option.

Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: switched from "ikev2-cp"[13] 178.197.x.x to "ikev2-cp"
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: X509: connection allows unmatched IKE ID and certificate SAN
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: deleting connection "ikev2-cp"[13] 178.197.x.x instance with peer 178.197.x.x {isakmp=#0/ipsec=#0}
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=bz'
Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: No acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig in I2 Auth Payload

What is your authby= line? Perhaps try authby=rsa-sha1 ? It looks like
it is trying rsa-sha1 but the remote peer does not support that and is
(against RFC 8472) trying to use rsa-sha1 with the RFC 7427 method.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
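Worked example added by the editor; it is not part of Paul's reply and not Libreswan's own code. It is a simplified model of the two responder-side decisions visible in the log above: whether the peer's asserted IKE ID (an IPv4 address, FQDN, e-mail address or DN) is backed by its certificate, with the "allow unmatched" override falling back to the certificate subject, and whether the hash the initiator used in its AUTH payload is one the local authby= policy accepts. The class and function names (PeerCert, accept_peer_id, check_auth_hash), the ACCEPTED_HASHES policy table and the sample certificate and address are assumptions made for the example; the real matching and policy rules live in the IKE daemon.

```python
"""Simplified model of IKEv2 responder checks (editor's example, not Libreswan code)."""
import ipaddress
from dataclasses import dataclass, field

# IKEv2 ID types (RFC 7296 section 3.5), named as in the log lines above.
ID_IPV4_ADDR = "ID_IPV4_ADDR"
ID_FQDN = "ID_FQDN"
ID_RFC822_ADDR = "ID_RFC822_ADDR"
ID_DER_ASN1_DN = "ID_DER_ASN1_DN"


@dataclass
class PeerCert:
    """Only the parts of an X.509 certificate that matter for ID matching (assumed shape)."""
    subject: str                                  # e.g. "CN=bz"
    san: list = field(default_factory=list)       # (kind, value): ("IP", ...), ("DNS", ...), ("email", ...)


def normalize_dn(dn: str) -> str:
    # Toy normalisation: strip whitespace around RDNs and fold case.
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def id_matches_cert(id_type: str, id_value: str, cert: PeerCert) -> bool:
    """True when the asserted IKE ID is bound to the certificate (subject for DN, SAN otherwise)."""
    if id_type == ID_DER_ASN1_DN:
        return normalize_dn(id_value) == normalize_dn(cert.subject)
    for kind, value in cert.san:
        if id_type == ID_IPV4_ADDR and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(id_value):
                    return True
            except ValueError:
                continue                          # malformed SAN entry, skip it
        elif id_type == ID_FQDN and kind == "DNS" and value.lower() == id_value.lower():
            return True
        elif id_type == ID_RFC822_ADDR and kind == "email" and value.lower() == id_value.lower():
            return True
    return False


def accept_peer_id(id_type, id_value, cert, allow_unmatched=False):
    """Decide which peer ID to trust. Returns (accepted, (type, value) or None, reason)."""
    if id_matches_cert(id_type, id_value, cert):
        return True, (id_type, id_value), "IKE ID matches certificate"
    if allow_unmatched:
        # The override: keep the (verified) certificate but take the peer ID from its
        # subject DN, which is what the log shows after the switch to "ikev2-cp".
        return True, (ID_DER_ASN1_DN, cert.subject), "unmatched IKE ID allowed; peer ID taken from certificate subject"
    return False, None, "Peer CERT payload SubjectAltName does not match peer ID"


# RFC 7427 SIGNATURE_HASH_ALGORITHMS identifiers.
HASH_IDS = {"sha1": 1, "sha2_256": 2, "sha2_384": 3, "sha2_512": 4}

# Hashes accepted for the RFC 7427 Digital Signature method, keyed by an authby-like
# policy name. This table is an assumption for the example, not Libreswan's policy.
ACCEPTED_HASHES = {
    "rsasig": {"sha2_256", "sha2_384", "sha2_512"},
    "rsa-sha2": {"sha2_256", "sha2_384", "sha2_512"},
    "rsa-sha1": {"sha1"},
}


def check_auth_hash(local_authby: str, auth_method: int, peer_hash):
    """Validate the hash the initiator used in its AUTH payload.

    auth_method 1  = RSA Digital Signature (PKCS#1 v1.5, implicitly SHA-1);
    auth_method 14 = Digital Signature (RFC 7427), hash named by the ASN.1 prefix.
    Returns (ok, message)."""
    accepted = set()
    for name in local_authby.split(","):
        accepted |= ACCEPTED_HASHES[name.strip()]
    if auth_method == 1:
        peer_hash = "sha1"
    if peer_hash in accepted:
        return True, f"authenticating with method {auth_method} and {peer_hash} (id {HASH_IDS[peer_hash]})"
    return False, f"No acceptable signature hash proposal ({peer_hash}) for authby={local_authby}"


if __name__ == "__main__":
    # Constructed data reproducing the situation in the log: a cert with CN=bz and no SAN,
    # a peer asserting its (made-up) source address as ID_IPV4_ADDR.
    cert = PeerCert(subject="CN=bz")
    print(accept_peer_id(ID_IPV4_ADDR, "178.197.0.1", cert))
    print(accept_peer_id(ID_IPV4_ADDR, "178.197.0.1", cert, allow_unmatched=True))
    print(check_auth_hash("rsasig", 14, "sha1"))      # rejected: SHA-1 under RFC 7427
    print(check_auth_hash("rsa-sha1", 14, "sha1"))    # accepted by the looser policy
```

The first half shows why the SAN check exists: with `allow_unmatched=False` a certificate that is perfectly valid but issued for a different identity cannot be used to claim this IKE ID, whereas the override accepts it and simply re-labels the peer by its subject DN. The second half reproduces the "no acceptable signature hash" outcome: an initiator that signs with SHA-1 under the RFC 7427 method fails against a policy that only admits SHA-2 hashes, and only a policy that explicitly admits SHA-1 lets it through.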