[Swan] Android 4.0+ using group authentication and aggressive mode
Elison Niven
elison.niven at cyberoam.com
Fri May 17 12:21:34 EEST 2013
Hi,
I am able to connect Android 4.0+ devices to Libreswan 3.3 using
XAUTH+PSK+MODECFG like this:
Configuration on the Android device:
1) Go to Settings -> More -> VPN -> Add VPN Profile
2) You will need to set up a secure screen lock (Pattern, PIN etc.)
3) Fill in the details of the connection:
    Name                : <Connection Name>
    Type                : IPSec Xauth PSK
    Server Address      : <IP Address of your Libreswan machine>
    IPSec identifier    : <Blank> (It will show as (not used))
    IPSec pre-shared key: <Your pre-shared key>
Configuration on Libreswan 3.3:
/etc/ipsec.conf:
conn android
    left=<Your Server IP>
    right=%any
    authby=secret
    pfs=no
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    modecfgpull=yes
    modecfgdns1=8.8.8.8 <Or your DNS servers>
    modecfgdns2=4.2.2.2
    rightaddresspool=192.168.1.10-192.168.1.25
    dpdaction=clear
    dpddelay=30
    dpdtimeout=60
Note:
1) rightaddresspool is the range of IP addresses you want to lease to
the clients.
2) DPD is required because these Android devices do not send a Delete SA
payload upon disconnection.
/etc/ipsec.secrets:
<Your Server IP> %any : PSK "pre-shared key"
Create the file /etc/ipsec.d/passwd:
# htpasswd -c -d -b /etc/ipsec.d/passwd <username> <password>
Now edit the file and add ":android", i.e. the connection name, at the end.
Example: for username=elison and password=elison, the file will look
like:
elison:<some hashed password>:android
This also works for Apple iOS devices. The device configuration is quite
similar on iOS.
On Android, there is a field called "IPSec identifier" and on iOS, there
is a field called "Group Name". Whenever this field is configured, these
devices send an aggressive mode request:
May 17 14:32:32 elisonniven pluto[9043]: packet from 10.103.6.102:500: initial Aggressive Mode message from 10.103.6.102 but no (wildcard) connection has been configured with policy=PSK+XAUTH+AGGRESSIVE
So I added aggrmode=yes and ike=aes-sha1;modp1024 to ipsec.conf.
Now the connection gets this far:
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [FRAGMENTATION 80000000]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [RFC 3947]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [XAUTH]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [Cisco-Unity]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [Dead Peer Detection]
May 17 14:48:09 elisonniven pluto[9928]: "android"[3] 10.103.6.102 #11: Aggressive mode peer ID is ID_KEY_ID: '@#0x454c49534f4e'
May 17 14:48:09 elisonniven pluto[9928]: "android"[3] 10.103.6.102 #11: switched from "android" to "android"
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: deleting connection "android" instance with peer 10.103.6.102 {isakmp=#0/ipsec=#0}
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: responding to Aggressive Mode, state #11, connection "android" from 10.103.6.102
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: STATE_AGGR_R1: sent AR1, expecting AI2
What configuration/change is required to support this mode?
--
Best Regards,
Elison Niven
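An added example, not part of Elison's post and not Libreswan code: a small Python parser for pluto log lines of the shape shown above. It groups the `"conn"[instance] peer #sa:` entries by connection, peer and SA number (so the `[3]` to `[4]` instance change above lands in one record), picks up the "no (wildcard) connection ... policy=..." rejection, records the STATE_AGGR_* transitions and the last message, and decodes pluto's `@#0x...` rendering of an ID_KEY_ID into text when the bytes are printable ASCII, which makes it easy to see which group identifier the phone actually sent and where the exchange stopped. The sample log is constructed from the lines in the post; the regular expressions assume exactly that line format.

```python
import re

# Constructed sample: pluto lines from the post, each joined onto one line.
SAMPLE_LOG = """\
May 17 14:32:32 elisonniven pluto[9043]: packet from 10.103.6.102:500: initial Aggressive Mode message from 10.103.6.102 but no (wildcard) connection has been configured with policy=PSK+XAUTH+AGGRESSIVE
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [XAUTH]
May 17 14:48:09 elisonniven pluto[9928]: "android"[3] 10.103.6.102 #11: Aggressive mode peer ID is ID_KEY_ID: '@#0x454c49534f4e'
May 17 14:48:09 elisonniven pluto[9928]: "android"[3] 10.103.6.102 #11: switched from "android" to "android"
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: deleting connection "android" instance with peer 10.103.6.102 {isakmp=#0/ipsec=#0}
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: responding to Aggressive Mode, state #11, connection "android" from 10.103.6.102
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: STATE_AGGR_R1: sent AR1, expecting AI2
"""

# '"conn"[instance] peer #sa: message' as pluto prints it for a connection instance.
STATE_RE = re.compile(r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Aggressive mode peer ID is (?P<kind>\w+): '(?P<id>[^']+)'")
TRANSITION_RE = re.compile(r"transition from state (\w+) to state (\w+)")
# The rejection pluto logs when no connection matches the proposed policy.
NO_CONN_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial Aggressive Mode message .* "
    r"no \(wildcard\) connection has been configured with policy=(?P<policy>\S+)"
)


def decode_key_id(raw):
    """Turn pluto's '@#0x<hex>' ID_KEY_ID rendering into text if it is printable ASCII.

    Anything that is not valid hex or not printable ASCII is returned unchanged,
    so binary key identifiers are never mangled.
    """
    if raw.startswith("@#0x"):
        try:
            text = bytes.fromhex(raw[4:]).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return raw
        if text.isprintable():
            return text
    return raw


def summarize(log_text):
    """Return (sessions, rejected).

    sessions maps (conn, peer, sa) -> dict with the decoded peer ID, the list of
    states seen and the last message; rejected lists (peer, policy) pairs for
    aggressive-mode attempts that matched no configured connection.
    """
    sessions = {}
    rejected = []
    for line in log_text.splitlines():
        m = NO_CONN_RE.search(line)
        if m:
            rejected.append((m["peer"], m["policy"]))
            continue
        m = STATE_RE.search(line)
        if not m:
            continue  # vendor ID chatter and other non-instance lines
        key = (m["conn"], m["peer"], int(m["sa"]))
        s = sessions.setdefault(
            key, {"peer_id_kind": None, "peer_id": None, "states": [], "last_msg": None}
        )
        msg = m["msg"]
        pm = PEER_ID_RE.search(msg)
        if pm:
            s["peer_id_kind"] = pm["kind"]
            s["peer_id"] = decode_key_id(pm["id"])
        tm = TRANSITION_RE.search(msg)
        if tm:
            if not s["states"]:
                s["states"].append(tm.group(1))
            s["states"].append(tm.group(2))
        s["last_msg"] = msg
    return sessions, rejected


if __name__ == "__main__":
    sessions, rejected = summarize(SAMPLE_LOG)
    for peer, policy in rejected:
        print(f"rejected: {peer} proposed {policy} but no connection allows it")
    for (conn, peer, sa), s in sessions.items():
        print(f'"{conn}" peer={peer} sa=#{sa} id={s["peer_id_kind"]}={s["peer_id"]!r}')
        print(f"  states: {' -> '.join(s['states'])}")
        print(f"  last:   {s['last_msg']}")
```

Run against the lines above it reports the peer ID as ID_KEY_ID "ELISON" (the hex 454c49534f4e decodes to that string) and shows the SA reaching STATE_AGGR_R1 with "sent AR1, expecting AI2" as its last message, i.e. the responder has answered and is waiting for the initiator's third aggressive-mode message. Feeding it a live log after a configuration change is a quick way to confirm whether the exchange advances past that state.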