[Swan] Android 4.0+ using group authentication and aggressive mode

Paul Wouters pwouters at redhat.com
Fri May 17 18:11:04 EEST 2013


On Fri, 17 May 2013, Elison Niven wrote:


Thanks for sharing your android config!

> 2) dpd is required because these android devices do not send Delete SA 
> payload upon disconnection.

Note that this might cost you a lot of battery. It would be good if the
tunnel stays up and Android can use it after it wakes up from the screensaver
without establishing a new one.

> Create the file /etc/ipsec.d/passwd :
> # htpasswd -c -d -b /etc/ipsec.d/passwd <username> <password>
> Now edit the file and add ":android" i.e. the connection name at the end.
>
> Example : For username=elison and password=elison, the file will look like :
> elison:<some hashed password>:android

You can also use xauthby=pam to use PAM authentication, which could
include a token-based authentication like SecurID or Google
Authenticator.

If you use X.509 certificates, you can even use xauthby=alwaysok so it
won't matter what you fill in.

> This also works for Apple iOS devices. The device configuration is quite 
> similar on iOS.
>
> On Android, there is a field called "IPSec identifier" and on iOS, there is a 
> field called "Group Name". Whenever this field is configured, these devices 
> send an aggressive mode request:

If you use certificates, then Main Mode is used on the iPhone. However, be
aware that if you configured PSK and then switch to X.509, the iPhone does
_not_ wipe the group name, and everything will fail. You'll have to
temporarily enable PSK to wipe the group name field and reconfigure it
back to certificates.

> What configuration/change is required to support this mode?

I would stay away from PSK/groupname/aggrmode if I were you and switch to
certificates with main mode. It gives more privacy (ID does not leak
plaintext) and using aggressive mode with PSK means any client knows the
full credentials to fake the gateway, and MITM other clients and get
their XAUTH credentials.

Paul
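The two setups the thread contrasts, written out as a libreswan ipsec.conf fragment. This is an added example, not part of the list message and not libreswan's own documentation: keyword names follow libreswan's ipsec.conf(5) as I know them (aggrmode, authby, xauthby, leftxauthserver, rightxauthclient, leftcert, rightca), while the group name, the certificate nickname and the address pool are placeholders, and matching the clients' group name as the peer ID (rightid) is an assumption.

```ini
# Added example (not from the list message or libreswan's docs).
# Placeholders: GROUPNAME, gateway-cert, the 10.0.1.x address pool.

# --- Weak: group PSK with aggressive mode ---------------------------------
# Every client holds the same PSK and group name, so any client can pose
# as the gateway to the others and collect their XAUTH credentials (Paul's
# point), and the group ID travels in the clear in the first exchange.
conn android-psk
    auto=add
    ikev2=no
    # the Android "IPSec identifier" / iOS "Group Name" clients send an
    # aggressive mode request, so this has to be enabled
    aggrmode=yes
    # shared PSK kept in /etc/ipsec.secrets
    authby=secret
    # assumption: the clients' group name is matched as the peer ID
    rightid=@GROUPNAME
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    right=%any
    rightxauthclient=yes
    rightaddresspool=10.0.1.100-10.0.1.200
    # user:hash:android entries in /etc/ipsec.d/passwd
    xauthby=file
    # DPD because these clients do not send a Delete SA on disconnect
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

# --- Preferred: X.509 certificates with main mode ------------------------
# No shared secret, so a client cannot impersonate the gateway, and the
# identities are only exchanged once the channel is encrypted. XAUTH stays
# because the "Xauth RSA" client type expects it; the XAUTH step can then
# be backed by PAM (token/OTP) or, as the message notes, by alwaysok.
conn android-cert
    auto=add
    ikev2=no
    aggrmode=no
    authby=rsasig
    # NSS nickname of the gateway certificate
    leftcert=gateway-cert
    leftsendcert=always
    leftid=%fromcert
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftxauthserver=yes
    right=%any
    rightid=%fromcert
    # client certificates must come from the same CA as the gateway's
    rightca=%same
    rightxauthclient=yes
    rightaddresspool=10.0.1.100-10.0.1.200
    # or xauthby=alwaysok when the certificate alone is trusted
    xauthby=pam
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

The DPD values are kept identical in both conns only to make the authentication difference stand out; as the message says, aggressive polling costs battery, so the interval should be tuned to the deployment rather than copied from here.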

