[Swan] Android 4.0+ using group authentication and aggressive mode

Elison Niven elison.niven at cyberoam.com
Fri May 17 12:21:34 EEST 2013


Hi,

I am able to connect Android 4.0+ devices to Libreswan 3.3 using 
XAUTH+PSK+MODECFG like this:

Configuration on the Android device:
1) Go to Settings->More->VPN->Add VPN Profile
2) You will need to set up a secure screen lock (Pattern, PIN etc.)
3) Fill in the details of the connection:
Name: <Connection Name>
Type: IPSec Xauth PSK
Server Address: <IP Address of your Libreswan machine>
IPSec identifier: <Blank> (It will show as (not used))
IPSec pre-shared key: <Your pre-shared key>

Configuration on Libreswan 3.3:
/etc/ipsec.conf:
conn android
	left=<Your Server IP>
	right=%any
	authby=secret
	pfs=no
	leftsubnet=0.0.0.0/0
	leftxauthserver=yes
	modecfgpull=yes
	modecfgdns1=8.8.8.8 <Or your DNS servers>
	modecfgdns2=4.2.2.2
	rightaddresspool=192.168.1.10-192.168.1.25
	dpdaction=clear
	dpddelay=30
	dpdtimeout=60

Note:
1) rightaddresspool is the range of IP addresses you want to lease to the clients.
2) dpd is required because these Android devices do not send a Delete SA payload upon disconnection.

/etc/ipsec.secrets:
<Your Server IP> %any : PSK "pre-shared key"

Create the file /etc/ipsec.d/passwd :
# htpasswd -c -d -b /etc/ipsec.d/passwd <username> <password>
Now edit the file and add ":android" i.e. the connection name at the end.

Example: For username=elison and password=elison, the file will look like:
elison:<some hashed password>:android

This also works for Apple iOS devices. The device configuration is quite 
similar on iOS.

On Android, there is a field called "IPSec identifier" and on iOS, there 
is a field called "Group Name". Whenever this field is configured, these 
devices send an aggressive mode request:

May 17 14:32:32 elisonniven pluto[9043]: packet from 10.103.6.102:500: initial Aggressive Mode message from 10.103.6.102 but no (wildcard) connection has been configured with policy=PSK+XAUTH+AGGRESSIVE

So I added aggrmode=yes and ike=aes-sha1;modp1024 to ipsec.conf.
Now the connection gets this far:

May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [FRAGMENTATION 80000000]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [RFC 3947]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [XAUTH]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [Cisco-Unity]
May 17 14:48:09 elisonniven pluto[9928]: packet from 10.103.6.102:500: received Vendor ID payload [Dead Peer Detection]
May 17 14:48:09 elisonniven pluto[9928]: "android"[3] 10.103.6.102 #11: Aggressive mode peer ID is ID_KEY_ID: '@#0x454c49534f4e'
May 17 14:48:09 elisonniven pluto[9928]: "android"[3] 10.103.6.102 #11: switched from "android" to "android"
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: deleting connection "android" instance with peer 10.103.6.102 {isakmp=#0/ipsec=#0}
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: responding to Aggressive Mode, state #11, connection "android" from 10.103.6.102
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: STATE_AGGR_R1: sent AR1, expecting AI2

What configuration/change is required to support this mode?

-- 
Best Regards,
Elison Niven
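As an added example (not part of the post or of Libreswan), a small Python parser for pluto log lines like those quoted above: it records which Aggressive Mode attempts pluto rejected for lack of a matching connection, decodes the ID_KEY_ID hex into the identifier typed into the device's "IPSec identifier" / "Group Name" field (0x454c49534f4e is "ELISON"), and keeps the last Phase 1 state each negotiation reached, which is what you would check on the server while tuning the conn. The sample log is constructed from the lines in the post; the regexes assume pluto's message formats as shown there.

```python
import re

# Constructed sample built from the pluto lines quoted in the post (not a live capture).
SAMPLE_LOG = """\
May 17 14:32:32 elisonniven pluto[9043]: packet from 10.103.6.102:500: initial Aggressive Mode message from 10.103.6.102 but no (wildcard) connection has been configured with policy=PSK+XAUTH+AGGRESSIVE
May 17 14:48:09 elisonniven pluto[9928]: "android"[3] 10.103.6.102 #11: Aggressive mode peer ID is ID_KEY_ID: '@#0x454c49534f4e'
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
May 17 14:48:09 elisonniven pluto[9928]: "android"[4] 10.103.6.102 #11: STATE_AGGR_R1: sent AR1, expecting AI2
"""

# Aggressive Mode proposal that matched no connection (the policy the peer asked for).
NO_CONN_RE = re.compile(
    r"packet from (?P<peer>[\d.]+):\d+: initial Aggressive Mode message .*policy=(?P<policy>\S+)")
# Group identity the device sent; pluto prints ID_KEY_ID as '@#0x<hex>'.
KEY_ID_RE = re.compile(
    r"(?P<peer>[\d.]+) #\d+: Aggressive mode peer ID is ID_KEY_ID: '@#0x(?P<hex>[0-9a-fA-F]+)'")
# Phase 1 state transitions, keyed by (connection, peer, ISAKMP SA number).
STATE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+) #(?P<sa>\d+): '
    r"transition from state (?P<frm>\S+) to state (?P<to>\S+)")


def decode_key_id(hex_id: str) -> str:
    """ID_KEY_ID carries raw bytes; Android/iOS send the typed group name as ASCII."""
    raw = bytes.fromhex(hex_id)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return "0x" + hex_id.lower()  # non-printable identifier: keep it as hex


def summarize(log_text: str) -> dict:
    """Return what the pluto log says about Aggressive Mode peers.

    rejected:  (peer, policy) pairs pluto dropped for lack of a matching conn
    group_ids: peer -> decoded ID_KEY_ID (the device's IPSec identifier / Group Name)
    states:    (conn, peer, sa) -> last Phase 1 state reached
    """
    summary = {"rejected": [], "group_ids": {}, "states": {}}
    for line in log_text.splitlines():
        if m := NO_CONN_RE.search(line):
            summary["rejected"].append((m["peer"], m["policy"]))
        elif m := KEY_ID_RE.search(line):
            summary["group_ids"][m["peer"]] = decode_key_id(m["hex"])
        elif m := STATE_RE.search(line):
            summary["states"][(m["conn"], m["peer"], int(m["sa"]))] = m["to"]
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```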

