[Swan] Problem connecting with android 4.2.2 using Xauth+PSK

antonio silva asilva at wirelessmundi.com
Sun Jul 19 17:41:27 EEST 2015


Hi,

I was trying to configure libreswan to use Xauth. My first attempt was 
to configure with PSK and then pass to X.509 certs.

The problem I'm having is that with an Android device running version 4.2.2 
I cannot connect. With Android 5.1 it connects fine. The problem is that 
I need it to connect on the older device running 4.2.2...

So I'm not sure if I'm doing something wrong or if it might be a limitation 
of the Android version...

Any of you having the same issue?



My setup:

Client  (192.168.7.0/24)  router (188.80.213.101) ----- internet --- 
(77.231.247.140) router (192.168.1.0/24) server (pool ipsec 172.16.1.0/24)


my ipsec.conf:
conn tunnel7
         auto=add
         authby=secret
         left=192.168.1.2
         leftnexthop=77.231.247.140
         leftsubnet=0.0.0.0/0
         leftid=77.231.247.140
         right=%any
         rightaddresspool=172.16.1.1-172.16.1.254
         rightid=%any
         dpddelay=30
         dpdtimeout=120
         dpdaction=clear
         leftcert=test.domain.local
         leftxauthserver=yes
         rightxauthclient=yes
         leftmodecfgserver=yes
         rightmodecfgclient=yes
         modecfgpull=yes
         ike-frag=yes
         #xauthby=file
         xauthby=alwaysok
         pfs=no
         rekey=no


_log when it connects (android 5.1):_
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received 
Vendor ID payload [RFC 3947]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: ignoring 
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received 
Vendor ID payload [XAUTH]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received 
Vendor ID payload [Cisco-Unity]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received 
Vendor ID payload [FRAGMENTATION 80000000]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received 
Vendor ID payload [Dead Peer Detection]
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
responding to Main Mode from unknown peer 188.80.213.101
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 8: I am 
behind NAT+peer behind NAT
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
STATE_MAIN_R2: sent MR2, expecting MI3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: Main 
mode peer ID is ID_IPV4_ADDR: '192.168.7.3'
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: 
switched from "tunnel7" to "tunnel7"
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: new 
NAT mapping for #9, was 188.80.213.101:8, now 188.80.213.101:1031
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY 
cipher=aes_256 integ=sha group=MODP1024}
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Dead 
Peer Detection (RFC 3706): enabled
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: XAUTH: 
Sending XAUTH Login/Password Request
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: XAUTH: 
Sending Username/Password request (XAUTH_R0)
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, 
length=28
Jul 19 16:07:03 sol pluto[21336]: | ISAKMP Notification Payload
Jul 19 16:07:03 sol pluto[21336]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
received and ignored informational message
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
Jul 19 16:07:03 sol pluto[21336]: XAUTH: User ggg: Attempting to login
Jul 19 16:07:03 sol pluto[21336]: XAUTH: authentication method 'always 
ok' requested to authenticate user ggg
Jul 19 16:07:03 sol pluto[21336]: XAUTH: User ggg: Authentication Successful
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: XAUTH: 
xauth_inR1(STF_OK)
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Dead 
Peer Detection (RFC 3706): enabled
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
Unsupported modecfg long attribute MODECFG_BANNER received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
Unsupported modecfg long attribute MODECFG_DOMAIN received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
Unsupported modecfg long attribute APPLICATION_VERSION received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
modecfg_inR0(STF_OK)
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: 
STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Dead 
Peer Detection (RFC 3706): enabled


_log when it fails (android 4.2.2):_
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
received Vendor ID payload [RFC 3947]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
received Vendor ID payload [XAUTH]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
received Vendor ID payload [Cisco-Unity]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
received Vendor ID payload [FRAGMENTATION 80000000]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: 
received Vendor ID payload [Dead Peer Detection]
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
responding to Main Mode from unknown peer 188.80.213.101
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
STATE_MAIN_R1: sent MR1, expecting MI2
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I 
am behind NAT+peer behind NAT
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
STATE_MAIN_R2: sent MR2, expecting MI3
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: Main 
mode peer ID is ID_IPV4_ADDR: '192.168.7.11'
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: 
switched from "tunnel7" to "tunnel7"
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
deleting connection "tunnel7" instance with peer 188.80.213.101 
{isakmp=#0/ipsec=#0}
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: new 
NAT mapping for #1, was 188.80.213.101:500, now 188.80.213.101:4500
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY 
cipher=aes_256 integ=sha group=MODP1024}
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Dead 
Peer Detection (RFC 3706): enabled
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: XAUTH: 
Sending XAUTH Login/Password Request
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: XAUTH: 
Sending Username/Password request (XAUTH_R0)
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, 
length=28
Jul 19 16:12:47 sol pluto[22595]: | ISAKMP Notification Payload
Jul 19 16:12:47 sol pluto[22595]: |   00 00 00 1c  00 00 00 01  01 10 60 02
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
received and ignored informational message
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
Jul 19 16:12:47 sol pluto[22595]: XAUTH: User ggsrs: Attempting to login
Jul 19 16:12:47 sol pluto[22595]: XAUTH: authentication method 'always 
ok' requested to authenticate user ggsrs
Jul 19 16:12:47 sol pluto[22595]: XAUTH: User ggsrs: Authentication 
Successful
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: XAUTH: 
xauth_inR1(STF_OK)
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Dead 
Peer Detection (RFC 3706): enabled
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
Unsupported modecfg long attribute MODECFG_BANNER received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
Unsupported modecfg long attribute MODECFG_DOMAIN received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
Unsupported modecfg long attribute APPLICATION_VERSION received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
modecfg_inR0(STF_OK)
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: 
STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Dead 
Peer Detection (RFC 3706): enabled
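Reading the two pluto logs side by side is easier with a small comparison script. This is an added example, not part of the post or of libreswan: it reduces each session to the facts the two logs actually differ on (the peer ID asserted in Main Mode, the UDP source port, the NAT-T port float, and whether pluto replaced the connection instance) while confirming that both walk the same IKE state transitions. The sample lines are constructed from the post's own log output, re-joined onto single lines.

```python
import re

# Constructed sample: single-line copies of a few pluto lines from each session in
# the post (the mail client had wrapped them); the IPs and state names are the post's.
LOG_OK = """\
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 8: I am behind NAT+peer behind NAT
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: Main mode peer ID is ID_IPV4_ADDR: '192.168.7.3'
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: new NAT mapping for #9, was 188.80.213.101:8, now 188.80.213.101:1031
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
"""
LOG_FAIL = """\
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.7.11'
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: deleting connection "tunnel7" instance with peer 188.80.213.101 {isakmp=#0/ipsec=#0}
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: new NAT mapping for #1, was 188.80.213.101:500, now 188.80.213.101:4500
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
"""

STATE_RE = re.compile(r"transition from state (\S+) to state (\S+)")
SENDER_RE = re.compile(r"sender port (\d+):")
NAT_RE = re.compile(r"new NAT mapping for #\d+, was \S+:(\d+), now \S+:(\d+)")
PEER_RE = re.compile(r"peer ID is (\S+): '([^']+)'")

def summarize(log):
    """Reduce one pluto session to the handful of facts worth comparing."""
    s = {"states": [], "peer_id": None, "sender_port": None,
         "nat_ports": None, "instance_deleted": False}
    for line in log.splitlines():
        if (m := STATE_RE.search(line)):
            s["states"].append(m.group(2))       # state reached after each transition
        elif (m := SENDER_RE.search(line)):
            s["sender_port"] = int(m.group(1))   # UDP source port of the first packet
        elif (m := NAT_RE.search(line)):
            s["nat_ports"] = (int(m.group(1)), int(m.group(2)))  # before/after NAT-T float
        elif (m := PEER_RE.search(line)):
            s["peer_id"] = m.group(2)            # identity asserted in Main Mode
        elif "deleting connection" in line:
            s["instance_deleted"] = True         # pluto replaced the conn instance
    return s

def diff_sessions(ok, failed):
    """Return only the fields on which the two sessions disagree."""
    return {k: (ok[k], failed[k]) for k in ok if ok[k] != failed[k]}
```

Calling `diff_sessions(summarize(LOG_OK), summarize(LOG_FAIL))` on the sample leaves `states` out of the result, so the state machine is not where the two devices diverge; the differences are confined to ports, peer ID and the replaced instance.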
