Hello, I am new to the world of IPsec. I would like to set up a secure communication (IKEv2) between my Android phone and my PC. Both devices use the strongSwan application. My computer provides the ad hoc Wi-Fi network and my phone connects to it.

I'm using Android 4.0.3 on an HTC (root access) with strongSwan 5.0.2dr4. The application ZT-180 Adhoc Switch allows me to connect to my PC. The OS of the computer is Ubuntu 11.04 with strongSwan 4.5.0. I put below all the steps I followed, and the application logs produced by strongSwan on my phone. Can you tell me what I need to change for this to work? Once it works, these documents will be used to make a tutorial for IPsec communication between a computer and an Android phone. Thank you in advance for your participation.

gedit /etc/ssl/openssl.conf

#--------------------------------------------------------------start of openssl.conf-----------------------------------------------------------------------
[ ca ]
default_ca      = CA_default                            # The default ca section

[ CA_default ]
dir             = /etc/ipsec.d                          # Where everything is kept
certs           = $dir/certs                            # Where the issued certs are kept
database        = $dir/index.txt                        # database index file.
new_certs_dir   = $dir/newcerts                         # default place for new certs.
certificate     = $dir/cacerts/strongswanCert.pem       # The CA certificate
serial          = $dir/serial                           # The current serial number
private_key     = $dir/private/strongswanKey.pem        # The private key
RANDFILE        = $dir/private/.rand                    # private random number file
x509_extensions = usr_cert                              # The extensions to add to the cert
default_days    = 365                                   # how long to certify for
default_md      = sha1                                  # which md to use.
preserve        = no                                    # keep passed DN ordering
policy          = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = FR
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = France
localityName                    = Locality Name (eg, city)
localityName_default            = Angers
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = myCompany
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = myUnit
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[ req_attributes ]
challengePassword       = A challenge password
challengePassword_min   = 4
challengePassword_max   = 20
unstructuredName        = An optional company name

[ usr_cert ]
basicConstraints        = CA:FALSE
nsComment               = "OpenSSL Generated Certificate"
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
#---------------------------------------------------------------end of openssl.conf------------------------------------------------------------------------

cd /etc/ipsec.d

#I create my CA
openssl req -x509 -days 365 -newkey rsa:2048 -keyout private/strongswanKey.pem -out cacerts/strongswanCert.pem
#Enter PEM pass phrase: 1234
#Verifying - Enter PEM pass phrase: 1234
#Country Name (2 letter code) [FR]:FR
#State or Province Name (full name) [France]:France
#Locality Name (eg, city) [Angers]:Angers
#Organization Name (eg, company) [myCompany]:myCompany
#Organization Unit Name (eg, section) [myUnit]:myUnit
#Common Name (eg, YOUR name) []:example.com
#Email Address []:[email protected]

cp cacerts/strongswanCert.pem certs/
mkdir newcerts    #if the directory does not exist
touch index.txt
echo "00" > serial

#I generate a user certificate
openssl req -newkey rsa:1024 -keyout private/hostKey.pem -out reqs/hostReq.pem
#Country Name (2 letter code) [FR]:FR
#State or Province Name (full name) [France]:France
#Locality Name (eg, city) [Angers]:Angers
#Organization Name (eg, company) [myCompany]:myCompany
#Organization Unit Name (eg, section) [myUnit]:myUnit
#Common Name (eg, YOUR name) []:user.com
#Email Address []:[email protected]
#A challenge password: hello
#An optional company name []:

gedit index.txt.attr
#--------------------------------------------------------------start of index.txt.attr-----------------------------------------------------------------------
unique_subject = no
#---------------------------------------------------------------end of index.txt.attr------------------------------------------------------------------------

#I sign it for two years
openssl ca -in reqs/hostReq.pem -days 730 -out certs/hostCert.pem -notext

#I put its private key, its host certificate and the CA certificate into a PKCS#12 file
openssl pkcs12 -export -inkey private/hostKey.pem -in certs/hostCert.pem -name "host" -certfile cacerts/strongswanCert.pem -caname "strongSwan Root CA" -out host.p12

gedit /etc/ipsec.secrets
#--------------------------------------------------------------start of ipsec.secrets-----------------------------------------------------------------------
:RSA strongswanKey.pem "1234"
test:EAP "hello"
#---------------------------------------------------------------end of ipsec.secrets------------------------------------------------------------------------

gedit /etc/ipsec.conf
#--------------------------------------------------------------start of ipsec.conf-----------------------------------------------------------------------
# ipsec.conf - strongSwan IPsec configuration file

config setup
        charonstart=yes
        uniqueids=yes

conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyingtries=1
        keylife=20m
        ikelifetime=240m

conn android
        leftsubnet=0.0.0.0/0
        leftcert=strongswanCert.pem
        leftauth=pubkey
        leftid=[email protected]
        right=%any
        rightauth=eap-mschapv2
        rightsendcert=never
        rightcert=hostCert.pem
        keyexchange=ikev2
        eap_identity=%any
        auto=route
#---------------------------------------------------------------end of ipsec.conf------------------------------------------------------------------------

cp host.p12 certs/strongswanCert.pem /media/140B-B107    #the SD card of the Android 4.0+ phone
ipsec start

#On the Android phone I have the strongSwan app configured like this:
#Profile Name: test
#Gateway: IP of the PC
#Type: IKEv2 EAP (Username/Password)
#Username: test
#Password: hello
#CA certificate: myCompany example.com

######IT DOES NOT WORK!##########

Feb 1 10:24:19 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 3.0.16-g31a4fc7, armv7l)
Feb 1 10:24:19 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb 1 10:24:19 00[JOB] spawning 16 worker threads
Feb 1 10:24:19 10[IKE] initiating IKE_SA android[4] to 10.42.43.1
Feb 1 10:24:19 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 1 10:24:19 10[NET] sending packet: from 10.42.43.36[48460] to 10.42.43.1[500]
Feb 1 10:24:19 13[NET] received packet: from 10.42.43.1[500] to 10.42.43.36[48460]
Feb 1 10:24:19 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 1 10:24:20 13[IKE] faking NAT situation to enforce UDP encapsulation
Feb 1 10:24:20 13[IKE] sending cert request for "C=FR, ST=France, L=Angers, O=myCompany, OU=myUnit, CN=example.com, [email protected]"
Feb 1 10:24:20 13[IKE] establishing CHILD_SA android
Feb 1 10:24:20 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 1 10:24:20 13[NET] sending packet: from 10.42.43.36[41241] to 10.42.43.1[4500]
Feb 1 10:24:20 03[NET] received packet: from 10.42.43.1[4500] to 10.42.43.36[41241]
Feb 1 10:24:20 03[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 1 10:24:20 03[IKE] received AUTHENTICATION_FAILED notify error

#I also tried with the strongSwan app on the Android phone configured like this:
#Profile Name: test
#Gateway: IP of the PC
#Type: IKEv2 Certificate
#User certificate: host CN=..., OU=..., ...
#CA certificate: myCompany example.com

######IT DOES NOT WORK EITHER!##########

Feb 1 10:15:06 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2dr4, Linux 3.0.16-g31a4fc7, armv7l)
Feb 1 10:15:06 00[DMN] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc
Feb 1 10:15:06 00[JOB] spawning 16 worker threads
Feb 1 10:15:06 11[CFG] loaded user certificate 'C=FR, ST=France, O=myCompany, OU=myUnit, CN=user.com, [email protected]' and private key
Feb 1 10:15:06 11[CFG] loaded CA certificate 'C=FR, ST=France, L=Angers, O=myCompany, OU=myUnit, CN=example.com, [email protected]'
Feb 1 10:15:06 11[IKE] initiating IKE_SA android[1] to 10.42.43.1
Feb 1 10:15:07 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 1 10:15:07 11[NET] sending packet: from 10.42.43.36[49549] to 10.42.43.1[500]
Feb 1 10:15:07 15[NET] received packet: from 10.42.43.1[500] to 10.42.43.36[49549]
Feb 1 10:15:07 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 1 10:15:07 15[IKE] faking NAT situation to enforce UDP encapsulation
Feb 1 10:15:07 15[IKE] sending cert request for "C=FR, ST=France, L=Angers, O=myCompany, OU=myUnit, CN=example.com, [email protected]"
Feb 1 10:15:07 15[IKE] authentication of 'C=FR, ST=France, O=myCompany, OU=myUnit, CN=user.com, [email protected]' (myself) with RSA signature successful
Feb 1 10:15:07 15[IKE] establishing CHILD_SA android
Feb 1 10:15:07 15[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ AUTH CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Feb 1 10:15:07 15[NET] sending packet: from 10.42.43.36[36844] to 10.42.43.1[4500]
Feb 1 10:15:07 12[NET] received packet: from 10.42.43.1[4500] to 10.42.43.36[36844]
Feb 1 10:15:07 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Feb 1 10:15:07 12[IKE] received AUTHENTICATION_FAILED notify error
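For readers using this thread as the tutorial it aims to become, here is a gateway-side configuration for the scenario described above (Ubuntu gateway running strongSwan, Android client authenticating with EAP-MSCHAPv2 against a gateway certificate). It is an added example, not the poster's configuration and not taken from the strongSwan project; the gateway address 10.42.43.1 and the EAP credentials come from the post, while the file names gatewayCert.pem and gatewayKey.pem, the openssl extension section gateway_cert, the virtual IP pool and the key passphrase are assumptions. It differs from the posted ipsec.conf in three places that matter for an Android client of this era: the gateway presents an end-entity certificate issued by the CA (not the CA certificate itself) whose private key is listed in ipsec.secrets; the certificate carries the gateway address as a subjectAltName and leftid names that same address, because the app uses the gateway address entered in the profile as the expected server identity; and a rightsourceip pool is defined, because the client requests a virtual IP (the CP(ADDR DNS) payload in its IKE_AUTH request). rightcert is dropped, since the peer authenticates with EAP and not with a certificate of its own.

```conf
# --- /etc/ssl/openssl.cnf: extension section used when signing the GATEWAY certificate ---
# (assumed section name; select it with:  openssl ca -extensions gateway_cert ...)
[ gateway_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
# the Android client matches the gateway address it was given against this extension
subjectAltName          = IP:10.42.43.1

# --- /etc/ipsec.conf on the gateway ---
config setup
        charonstart=yes
        uniqueids=yes

conn android
        keyexchange=ikev2
        left=10.42.43.1                 # address the phone dials (from the posted log)
        leftid=10.42.43.1               # identity sent to the client; must appear in the cert's SAN
        leftcert=gatewayCert.pem        # end-entity cert in /etc/ipsec.d/certs (assumed name)
        leftauth=pubkey
        leftsubnet=0.0.0.0/0            # tunnel everything from the phone
        right=%any
        rightauth=eap-mschapv2          # client authenticates with username/password only
        rightsendcert=never             # no client certificate expected
        rightsourceip=10.42.44.0/24     # virtual IP pool handed out to clients (assumed range)
        eap_identity=%any               # use the EAP identity to look up the EAP secret
        auto=add

# --- /etc/ipsec.secrets on the gateway (readable by root only) ---
# private key of the gateway certificate, in /etc/ipsec.d/private (assumed name/passphrase)
: RSA gatewayKey.pem "passphrase-of-gatewayKey"
# EAP-MSCHAPv2 credential for the profile shown in the post
test : EAP "hello"
```

After loading this, the cert chain on the phone stays as in the post (the CA certificate strongswanCert.pem imported as the trusted CA), and the phone's profile needs only the gateway IP, the username test and the password hello. On the gateway, ipsec statusall prints the loaded plugins, which is a quick way to confirm that eap-mschapv2 is actually present in the 4.5.0 build before looking further; the gateway's own charon log for the IKE_AUTH exchange is the other half of the picture, since the client log above only shows the AUTH_FAILED result, not the reason the responder chose it.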
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
