Hi,
I am facing problems trying to set up a tunnel between an Android smartphone and
the gateway.
Configuration should be fairly simple. I only want to use simple eap
authentication (just username and password, no certificates).
Here is gateway ipsec.conf:
[root@zircon strongswan]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn server
        authby=secret
        left=192.168.1.20
        leftsubnet=192.168.1.0/24
        leftfirewall=yes
        right=%any
        rightsourceip=10.3.0.0/28
        rightauth=eap-mschapv2
        eap_identity=%any
        auto=add
Here is gateway ipsec.secrets (secrets are hidden):
[root@zircon strongswan]# cat ipsec.secrets
<username> : EAP "<password>"
The smartphone is configured using the strongSwan Android app client.
Here are the relevant iptables rules:
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
I’ve also added the following rules:
iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.3.0.0/28 -o eno16777984 -j MASQUERADE
Here is the gateway status:
[root@zircon strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-957.1.3.el7.x86_64, x86_64):
uptime: 49 minutes, since Aug 12 14:49:34 2019
malloc: sbrk 1724416, mmap 0, used 576960, free 1147456
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1
random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12
pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac
hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke
vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5
eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity
counters
Virtual IP pools (size/online/offline):
10.3.0.0/28: 14/0/0
Listening IP addresses:
192.168.1.20
10.8.0.1
Connections:
server: 192.168.1.20...%any IKEv2
server: local: [192.168.1.20] uses public key authentication
server: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
server: child: 192.168.1.0/24 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none
The first problem that I see is that, even though I set the "authby=secret"
authentication method, the statusall command reports that the gateway uses
public key authentication (which I don't want):
server: local: [192.168.1.20] uses public key authentication
When I try to connect, I can see that connection requests are received by the
server, but the server does not answer:
[root@zircon strongswan]# tcpdump -i eno16777984 host 5.90.170.158 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777984, link-type EN10MB (Ethernet), capture size 262144 bytes
15:44:00.761866 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:02.795942 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:05.616891 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:09.494909 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:14.993817 IP mob-5-90-170-158.net.vodafone.it.36365 > zircon.imbrauglio.local.isakmp: isakmp: parent_sa ikev2_init[I]
What am I missing? What's wrong with my configuration?
Any help would be greatly appreciated.
Thank you very much in advance.
Regards,
Costantino Imbrauglio
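An added diagnostic helper, not part of the post above: it parses tcpdump lines in the format shown in the capture and reports which initiators sent IKE_SA_INIT requests that never got an IKE_SA_INIT response from the gateway, together with the retransmission intervals. The hostnames, ports and the second (answered) peer in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's IKEv2-on-UDP/500 format; the first peer
# mirrors the symptom in the post (five requests, no reply), the second is
# a made-up peer whose request the gateway did answer.
SAMPLE_CAPTURE = """\
15:44:00.761866 IP phone.example.net.36365 > gw.example.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:02.795942 IP phone.example.net.36365 > gw.example.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:05.616891 IP phone.example.net.36365 > gw.example.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:09.494909 IP phone.example.net.36365 > gw.example.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:44:14.993817 IP phone.example.net.36365 > gw.example.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:45:01.000000 IP laptop.example.net.4500 > gw.example.local.isakmp: isakmp: parent_sa ikev2_init[I]
15:45:01.020000 IP gw.example.local.isakmp > laptop.example.net.4500: isakmp: parent_sa ikev2_init[R]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"isakmp: (?:\w+ )?(?P<exch>\w+)\[(?P<role>[IR])\]"
)

def parse_capture(text):
    """Yield (timestamp, src, dst, exchange, role) for every IKE line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["src"], m["dst"], m["exch"], m["role"])

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def unanswered_ike_init(text):
    """Map initiator -> number of IKE_SA_INIT requests, for initiators that
    never received an IKE_SA_INIT response ([R]) addressed back to them."""
    sent = defaultdict(int)
    answered = set()
    for _ts, src, dst, exch, role in parse_capture(text):
        if exch != "ikev2_init":
            continue
        if role == "I":
            sent[src] += 1
        else:
            answered.add(dst)  # response goes to the initiator's host.port
    return {peer: n for peer, n in sent.items() if peer not in answered}

def retransmit_gaps(text, peer):
    """Seconds between successive IKE_SA_INIT requests from one initiator;
    growing gaps with no [R] line mean the client is retransmitting in vain."""
    times = [_seconds(ts) for ts, src, _d, exch, role in parse_capture(text)
             if src == peer and exch == "ikev2_init" and role == "I"]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]
```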