Hello Nitin,

your Ubuntu server does not initiate EAP-Identity. Therefore the EAP-MSCHAPv2 authentication requested is for the IKEv2 user identity 192.168.1.2 and not for the EAP identity deepika.

You should change the Ubuntu server entry to eap_identity=%any and make sure that you enabled, built and loaded the eap_identity plugin.

Regards

Andreas

On 21.11.2011 10:56, Nitin Verma wrote:
> Hi,
> I have been able to successfully establish an IPSec IKEv2 tunnel between
> Nexus S (running 2.3.5_r1) and an Ubuntu server. However, the latest
> 4.6.1 release supports starter and stroke executables on Android and I
> am trying to establish the same connection using ipsec.conf and
> ipsec.secrets.
>
> My server side configuration is:
> ======================
>
> server IP: 192.168.1.154
>
> ipsec.conf:
>
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     plutostart=no
>     charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     # leftcert=moonCert.pem
>
> # Add connections here.
>
> conn android
>     left=192.168.1.154
>     leftid=192.168.1.154
>     leftcert=moonCert.pem
>     leftauth=pubkey
>     right=%any
>     rightsourceip=10.0.5.0/24
>     rightauth=eap-mschapv2
>     rightsendcert=never
>     eap_identity=deepika
>     auto=add
>
> ipsec.secrets:
>
> : RSA moonKey.pem
>
> deepika : EAP "deepika"
>
> Configuration at Nexus S (Android 2.3.5_r1):
> ================================
>
> I manually created an "ipsec.d" directory in /system/etc/ and put my CA
> certificate in cacerts there, and then created ipsec.conf and
> ipsec.secrets in /system/etc/
>
> /system/etc/ipsec.conf
>
> config setup
>     plutostart=no
>     charondebug="knl 3, cfg 2, ike 2, chd 2, mgr 2, dmn 2"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>
> # Add connections here.
>
> # Sample VPN connections
>
> conn android
>     left=192.168.1.2
>     leftauth=eap
>     eap_identity=deepika
>     right=192.168.1.154
>     rightid=192.168.1.154
>     rightauth=pubkey
>     auto=add
>
> /system/etc/ipsec.secrets
>
> deepika : EAP "deepika"
>
>
> But when I start the connection I am getting the following error:
>
> # ipsec stroke up android
> uname: not found
> uname: not found
> [: not found
> initiating IKE_SA android[2] to 192.168.1.154
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> received packet: from 192.168.1.154[500] to 192.168.1.2[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> sending cert request for "C=UK, CN=nits"
> establishing CHILD_SA android
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> received end entity cert "C=UK, CN=nits"
> using certificate "C=UK, CN=nits"
> using trusted ca certificate "C=UK, CN=nits"
> reached self-signed root ca with a path length of 0
> authentication of '192.168.1.154' with RSA signature successful
> server requested EAP_MSCHAPV2 authentication (id 0x75)
> no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
> EAP_MSCHAPV2 method failed
>
>
> Output of logcat:
>
> I/charon ( 469): 00[CFG] loading ca certificates from '/system/etc/ipsec.d/cacerts'
> I/charon ( 469): 00[CFG] loaded ca certificate "C=UK, CN=nits" from '/system/etc/ipsec.d/cacerts/strongswanCert.pem'
> I/charon ( 469): 00[CFG] loading aa certificates from '/system/etc/ipsec.d/aacerts'
> I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/aacerts' failed: No such file or directory
> I/charon ( 469): 00[CFG] reading directory failed
> I/charon ( 469): 00[CFG] loading ocsp signer certificates from '/system/etc/ipsec.d/ocspcerts'
> I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/ocspcerts' failed: No such file or directory
> I/charon ( 469): 00[CFG] reading directory failed
> I/charon ( 469): 00[CFG] loading attribute certificates from '/system/etc/ipsec.d/acerts'
> I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/acerts' failed: No such file or directory
> I/charon ( 469): 00[CFG] reading directory failed
> I/charon ( 469): 00[CFG] loading crls from '/system/etc/ipsec.d/crls'
> I/charon ( 469): 00[LIB] opening directory '/system/etc/ipsec.d/crls' failed: No such file or directory
> I/charon ( 469): 00[CFG] reading directory failed
> I/charon ( 469): 00[CFG] loading secrets from '/system/etc/ipsec.secrets'
> I/charon ( 469): 00[CFG] loaded EAP secret for deepika
> I/charon ( 469): 00[DMN] loaded plugins: openssl fips-prf random pubkey pkcs1 pem xcbc hmac kernel-netlink socket-default android stroke eap-identity eap-mschapv2 eap-md5
> I/charon ( 469): 00[JOB] spawning 16 worker threads
> I/charon ( 469): 11[CFG] received stroke: add connection 'android'
> I/charon ( 469): 11[CFG] added configuration 'android'
>
> I/charon ( 469): 12[CFG] received stroke: initiate 'android'
> I/charon ( 469): 14[IKE] initiating IKE_SA android[1] to 192.168.1.154
> I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> D/GpsLocationProvider( 107): NTP server returned: 1321866231250 (Mon Nov 21 09:03:51 GMT+00:00 2011) reference: 318100 certainty: 337 system time offset: -20070741
> I/charon ( 469): 15[IKE] retransmit 1 of request with message ID 0
> I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> I/charon ( 469): 03[IKE] retransmit 2 of request with message ID 0
> I/charon ( 469): 03[NET] sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> I/charon ( 469): 16[IKE] retransmit 3 of request with message ID 0
> I/charon ( 469): 16[NET] sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> I/charon ( 469): 02[NET] received packet: from 192.168.1.154[500] to 192.168.1.2[500]
> I/charon ( 469): 02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> I/charon ( 469): 02[IKE] sending cert request for "C=UK, CN=nits"
> I/charon ( 469): 02[IKE] establishing CHILD_SA android
> I/charon ( 469): 02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> I/charon ( 469): 02[NET] sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> I/charon ( 469): 01[NET] received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> I/charon ( 469): 01[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> I/charon ( 469): 01[IKE] received end entity cert "C=UK, CN=nits"
> I/charon ( 469): 01[CFG] using certificate "C=UK, CN=nits"
> I/charon ( 469): 01[CFG] using trusted ca certificate "C=UK, CN=nits"
> I/charon ( 469): 01[CFG] reached self-signed root ca with a path length of 0
> I/charon ( 469): 01[IKE] authentication of '192.168.1.154' with RSA signature successful
> I/charon ( 469): 01[IKE] server requested EAP_MSCHAPV2 authentication (id 0xFD)
> I/charon ( 469): 01[IKE] no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
> I/charon ( 469): 01[IKE] EAP_MSCHAPV2 method failed
> I/dalvikvm( 164): Total arena pages for JIT: 11
> I/charon ( 469): 11[CFG] received stroke: initiate 'android'
> I/charon ( 469): 14[IKE] initiating IKE_SA android[2] to 192.168.1.154
> I/charon ( 469): 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> I/charon ( 469): 14[NET] sending packet: from 192.168.1.2[500] to 192.168.1.154[500]
> I/charon ( 469): 15[NET] received packet: from 192.168.1.154[500] to 192.168.1.2[500]
> I/charon ( 469): 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> I/charon ( 469): 15[IKE] sending cert request for "C=UK, CN=nits"
> I/charon ( 469): 15[IKE] establishing CHILD_SA android
> I/charon ( 469): 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CP(DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
> I/charon ( 469): 15[NET] sending packet: from 192.168.1.2[4500] to 192.168.1.154[4500]
> I/charon ( 469): 03[NET] received packet: from 192.168.1.154[4500] to 192.168.1.2[4500]
> I/charon ( 469): 03[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> I/charon ( 469): 03[IKE] received end entity cert "C=UK, CN=nits"
> I/charon ( 469): 03[CFG] using certificate "C=UK, CN=nits"
> I/charon ( 469): 03[CFG] using trusted ca certificate "C=UK, CN=nits"
> I/charon ( 469): 03[CFG] reached self-signed root ca with a path length of 0
> I/charon ( 469): 03[IKE] authentication of '192.168.1.154' with RSA signature successful
> I/charon ( 469): 03[IKE] server requested EAP_MSCHAPV2 authentication (id 0x75)
> I/charon ( 469): 03[IKE] no EAP key found for hosts '192.168.1.154' - '192.168.1.2'
> I/charon ( 469): 03[IKE] EAP_MSCHAPV2 method failed
>
> Am I missing something or are there some issues with the release?
>
> Thanks in advance.
> Regards,

======================================================================
Andreas Steffen                                  [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
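The responder-side mistake Andreas points out (a fixed eap_identity on the server, so the EAP method runs against the peer's IKE identity and the secrets lookup for 192.168.1.2 finds no EAP key) can be caught by inspecting ipsec.conf before the daemon is started. The script below is an added example written for this thread; it is not strongSwan code and not part of either message. It parses only the subset of ipsec.conf syntax used above (config setup, conn %default inheritance, key=value lines, # comments) and reports conn sections that authenticate the peer with an EAP method but pin eap_identity to a name or omit it. The embedded configurations are a constructed, shortened copy of Nitin's server-side ipsec.conf and the same section with the eap_identity=%any fix applied. Treating %identity as equally acceptable is my own assumption, based on the ipsec.conf man page documenting that value for the same purpose; the thread itself only mentions %any.

```python
"""Flag strongSwan responder sections whose EAP identity is pinned.

Added example for the strongSwan users thread above; not strongSwan
code.  Only the subset of ipsec.conf syntax used in the thread is
parsed: 'config setup', 'conn %default', 'conn <name>', key=value
lines and '#' comments.
"""
import re

# Constructed, shortened copy of the server-side ipsec.conf posted in
# the thread.  eap_identity is pinned to a name, so the responder never
# sends an EAP-Identity request and looks the secret up under the IKE
# identity of the client (192.168.1.2) instead of 'deepika'.
SERVER_CONF_POSTED = """\
config setup
    plutostart=no

conn %default
    keyexchange=ikev2

conn android
    left=192.168.1.154
    leftid=192.168.1.154
    leftcert=moonCert.pem
    leftauth=pubkey
    right=%any
    rightsourceip=10.0.5.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=deepika
    auto=add
"""

# The same section with the fix suggested in the reply: eap_identity=%any
# makes the responder ask the client for its EAP identity first.
SERVER_CONF_FIXED = SERVER_CONF_POSTED.replace(
    "eap_identity=deepika", "eap_identity=%any")

# Values that request the EAP-Identity exchange.  %any is what the thread
# uses; %identity is the value documented in the ipsec.conf man page
# (assumption: both are treated as equivalent here).
EAP_IDENTITY_ANY = {"%any", "%identity"}

_SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' values inherited."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)             # section headers start in column 0
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue                            # stray line outside a section; ignore
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()

    default = sections.get("conn %default", {})
    conns = {}
    for name, values in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(default)              # %default values first ...
            merged.update(values)               # ... overridden by the conn itself
            conns[name[len("conn "):]] = merged
    return conns


def check_eap_identity(text):
    """Return [(conn, message)] for responder sections with a pinned EAP identity.

    A conn that authenticates the remote peer with an EAP method
    (rightauth=eap-*) should carry eap_identity=%any so that the
    responder initiates EAP-Identity; with a fixed name or no
    eap_identity at all, the EAP method is run for the peer's IKE
    identity and the matching EAP secret is not found.
    """
    findings = []
    for name, conn in parse_ipsec_conf(text).items():
        rightauth = conn.get("rightauth", "")
        if not rightauth.startswith("eap"):
            continue
        eap_id = conn.get("eap_identity")
        if eap_id is None:
            findings.append((name, f"rightauth={rightauth} without eap_identity; "
                                   "the IKE identity is used as EAP identity"))
        elif eap_id not in EAP_IDENTITY_ANY:
            findings.append((name, f"eap_identity={eap_id} is fixed; use "
                                   "eap_identity=%any so the responder initiates EAP-Identity"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", SERVER_CONF_POSTED), ("fixed", SERVER_CONF_FIXED)):
        print(label, check_eap_identity(conf) or "OK")
```

Running the script prints one finding for the posted configuration and OK for the fixed one. The check only covers the configuration file; whether the eap-identity plugin was actually built and loaded still has to be confirmed from the "loaded plugins" line charon logs at startup, as in Nitin's logcat output.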
