[Swan] Problem connecting with android 4.2.2 using Xauth+PSK
antonio silva
asilva at wirelessmundi.com
Sun Jul 19 17:41:27 EEST 2015
Hi,
I was trying to configure libreswan to use Xauth. My first attempt was
to configure it with PSK and then move to X.509 certs.
The problem I'm having is that with an Android device on version 4.2.2
I cannot connect. With Android 5.1 it connects fine. The problem is that
I need it to connect on the older device running 4.2.2...
So I'm not sure if I'm doing something wrong or whether it might be a limitation
of the Android version...
Are any of you having the same issue?
My setup:
Client (192.168.7.0/24) router (188.80.213.101) ----- internet ---
(77.231.247.140) router (192.168.1.0/24) server (pool ipsec 172.16.1.0/24)
My ipsec.conf:

conn tunnel7
    auto=add
    authby=secret                  # IKE authentication by pre-shared key
    left=192.168.1.2
    leftnexthop=77.231.247.140
    leftsubnet=0.0.0.0/0           # route all client traffic through the tunnel
    leftid=77.231.247.140
    right=%any                     # any road-warrior client
    rightaddresspool=172.16.1.1-172.16.1.254
    rightid=%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    leftcert=test.domain.local
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    ike-frag=yes
    #xauthby=file
    xauthby=alwaysok               # any XAUTH username/password is accepted
    pfs=no
    rekey=no
Log when it connects (Android 5.1):

Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received Vendor ID payload [RFC 3947]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received Vendor ID payload [XAUTH]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received Vendor ID payload [Cisco-Unity]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received Vendor ID payload [FRAGMENTATION 80000000]
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8: received Vendor ID payload [Dead Peer Detection]
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: responding to Main Mode from unknown peer 188.80.213.101
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 8: I am behind NAT+peer behind NAT
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: Main mode peer ID is ID_IPV4_ADDR: '192.168.7.3'
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: switched from "tunnel7" to "tunnel7"
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: new NAT mapping for #9, was 188.80.213.101:8, now 188.80.213.101:1031
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Dead Peer Detection (RFC 3706): enabled
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: XAUTH: Sending XAUTH Login/Password Request
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jul 19 16:07:03 sol pluto[21336]: | ISAKMP Notification Payload
Jul 19 16:07:03 sol pluto[21336]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: received and ignored informational message
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
Jul 19 16:07:03 sol pluto[21336]: XAUTH: User ggg: Attempting to login
Jul 19 16:07:03 sol pluto[21336]: XAUTH: authentication method 'always ok' requested to authenticate user ggg
Jul 19 16:07:03 sol pluto[21336]: XAUTH: User ggg: Authentication Successful
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: XAUTH: xauth_inR1(STF_OK)
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Dead Peer Detection (RFC 3706): enabled
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Unsupported modecfg long attribute MODECFG_BANNER received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Unsupported modecfg long attribute MODECFG_DOMAIN received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Unsupported modecfg long attribute APPLICATION_VERSION received.
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: modecfg_inR0(STF_OK)
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Dead Peer Detection (RFC 3706): enabled
Log when it fails (Android 4.2.2):

Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: received Vendor ID payload [RFC 3947]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: received Vendor ID payload [XAUTH]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: received Vendor ID payload [Cisco-Unity]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: received Vendor ID payload [FRAGMENTATION 80000000]
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500: received Vendor ID payload [Dead Peer Detection]
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: responding to Main Mode from unknown peer 188.80.213.101
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.7.11'
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: switched from "tunnel7" to "tunnel7"
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: deleting connection "tunnel7" instance with peer 188.80.213.101 {isakmp=#0/ipsec=#0}
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: new NAT mapping for #1, was 188.80.213.101:500, now 188.80.213.101:4500
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Dead Peer Detection (RFC 3706): enabled
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: XAUTH: Sending XAUTH Login/Password Request
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jul 19 16:12:47 sol pluto[22595]: | ISAKMP Notification Payload
Jul 19 16:12:47 sol pluto[22595]: | 00 00 00 1c 00 00 00 01 01 10 60 02
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: received and ignored informational message
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
Jul 19 16:12:47 sol pluto[22595]: XAUTH: User ggsrs: Attempting to login
Jul 19 16:12:47 sol pluto[22595]: XAUTH: authentication method 'always ok' requested to authenticate user ggsrs
Jul 19 16:12:47 sol pluto[22595]: XAUTH: User ggsrs: Authentication Successful
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: XAUTH: xauth_inR1(STF_OK)
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Dead Peer Detection (RFC 3706): enabled
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Unsupported modecfg long attribute MODECFG_BANNER received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Unsupported modecfg long attribute MODECFG_DOMAIN received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Unsupported modecfg long attribute APPLICATION_VERSION received.
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: modecfg_inR0(STF_OK)
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Dead Peer Detection (RFC 3706): enabled
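Editor's added example (not code from the poster or from libreswan): the conn above is a road-warrior XAUTH setup that authenticates the IKE SA with a pre-shared key shared by every client (right=%any) and then accepts any XAUTH username and password (xauthby=alwaysok), which libreswan documents as a test-only option. The script below parses ipsec.conf conn sections and flags those settings along with pfs=no and rekey=no, so the test configuration can be checked before it is promoted to X.509 and real users. The finding codes, severities and the audit_conn/parse_ipsec_conf names are this example's own; the sample config is the poster's tunnel7 conn re-typed as a string.

```python
"""Audit a libreswan ipsec.conf for XAUTH/PSK road-warrior settings.

Added example for this thread, not code from libreswan or from the poster.
The sample below is the posted tunnel7 conn, re-typed with its indentation
restored (ipsec.conf requires conn parameters to be indented).
"""
import re

SAMPLE_CONF = """\
conn tunnel7
    auto=add
    authby=secret
    left=192.168.1.2
    leftnexthop=77.231.247.140
    leftsubnet=0.0.0.0/0
    leftid=77.231.247.140
    right=%any
    rightaddresspool=172.16.1.1-172.16.1.254
    rightid=%any
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    leftcert=test.domain.local
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    ike-frag=yes
    #xauthby=file
    xauthby=alwaysok
    pfs=no
    rekey=no
"""

_SECTION = re.compile(r'^(conn|config)\s+(\S+)\s*$')


def parse_ipsec_conf(text):
    """Return {conn_name: {option: value}} for every conn section.

    '#' starts a comment, so the commented-out xauthby=file line is dropped
    and the later xauthby=alwaysok is what takes effect; 'config setup' is
    skipped; a repeated option keeps its last value, as libreswan does.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = conns.setdefault(m.group(2), {}) if m.group(1) == 'conn' else None
            continue
        if current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip()] = value.strip()
    return conns


def audit_conn(opts):
    """Return (severity, code, message) findings for one conn's options."""
    findings = []
    if opts.get('xauthby') == 'alwaysok':
        findings.append(('HIGH', 'XAUTH_ALWAYSOK',
                         'xauthby=alwaysok accepts any username/password; '
                         'use xauthby=pam or xauthby=file for real users'))
    if opts.get('authby') == 'secret' and opts.get('right') == '%any':
        findings.append(('HIGH', 'GROUP_PSK',
                         'PSK with right=%any is one secret shared by every '
                         'client, so XAUTH is the only per-user check'))
    if opts.get('authby') == 'secret' and 'leftcert' in opts:
        findings.append(('INFO', 'CERT_UNUSED',
                         'leftcert is set but authby=secret selects PSK; the '
                         'certificate does not authenticate this conn'))
    if opts.get('pfs') == 'no':
        findings.append(('MEDIUM', 'NO_PFS',
                         'pfs=no: no fresh Diffie-Hellman per IPsec SA, keys '
                         'derive from the IKE SA alone'))
    if opts.get('rekey') == 'no':
        findings.append(('LOW', 'NO_REKEY',
                         'rekey=no: this side never renews the SA; the client '
                         'must reconnect when it expires'))
    return findings


def audit(text):
    """Audit every conn in an ipsec.conf text; returns {conn: [findings]}."""
    return {name: audit_conn(opts) for name, opts in parse_ipsec_conf(text).items()}


if __name__ == '__main__':
    for conn, findings in audit(SAMPLE_CONF).items():
        for severity, code, msg in findings:
            print(f'{conn}: [{severity}] {code}: {msg}')
```

Running it against the posted conn reports the alwaysok and group-PSK findings first; switching the line to xauthby=pam (or xauthby=file with an /etc/ipsec.d/passwd entry per user) clears the first one, and the group PSK goes away once the conn moves to certificates as the poster intends.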
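Editor's added example (not code from the poster or from libreswan): both logs above run through the same Main Mode, XAUTH and ModeCfg steps and both end at "ModeCfg Set sent, expecting Ack", so the differences have to be read out of the details (the NAT-T port the client floats to, the XAUTH user, the DH group, the Android NUL-terminated-password quirk). The script below pulls those fields out of pluto syslog lines per ISAKMP SA and reports an SA that sent its ModeCfg Set but never left STATE_MODE_CFG_R1. The sample lines are copied from the two posted logs (mail wrapping undone, trimmed to the lines the summary uses); the one extra STATE_MODE_CFG_R1 to STATE_MODE_CFG_R2 transition for the Android 5.1 session is constructed to show what a completed exchange would look like and its wording is assumed, not taken from the post. Function names, the session dictionary layout and the weak-group list are this example's own.

```python
"""Summarise IKEv1 XAUTH + ModeCfg exchanges from libreswan pluto log lines.

Added example for this thread, not code from libreswan or from the poster.
"""
import re

# Lines copied from the two posted logs (wrapping undone, trimmed).
POSTED_LINES = """\
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: responding to Main Mode from unknown peer 188.80.213.101
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: new NAT mapping for #9, was 188.80.213.101:8, now 188.80.213.101:1031
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
Jul 19 16:07:03 sol pluto[21336]: XAUTH: User ggg: Authentication Successful
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: responding to Main Mode from unknown peer 188.80.213.101
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: new NAT mapping for #1, was 188.80.213.101:500, now 188.80.213.101:4500
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)
Jul 19 16:12:47 sol pluto[22595]: XAUTH: User ggsrs: Authentication Successful
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
"""
# Constructed line, not in the posted log (wording assumed): the Ack that a
# working client sends, seen as pluto leaving STATE_MODE_CFG_R1 for SA #9.
CONSTRUCTED_ACK = ('Jul 19 16:07:04 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: '
                   'transition from state STATE_MODE_CFG_R1 to state STATE_MODE_CFG_R2\n')
SAMPLE_LOG = POSTED_LINES + CONSTRUCTED_ACK

LINE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SA_MSG = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<body>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
NAT_MAP = re.compile(r'new NAT mapping for #\d+, was (\S+), now (\S+)')
ISAKMP = re.compile(r'ISAKMP SA established \{auth=(\S+) cipher=(\S+) integ=(\S+) group=(\S+)\}')
XAUTH_OK = re.compile(r'XAUTH: User (\S+): Authentication Successful')
WEAK_GROUPS = {'MODP768', 'MODP1024', 'MODP1536'}  # MODP groups under 2048 bits


def new_session(peer):
    return {'peer': peer, 'states': [], 'nat': None, 'params': None, 'user': None,
            'android_nul_quirk': False, 'modecfg_set_sent': False, 'modecfg_acked': False}


def summarise(text):
    """Return {'pid/#sa': session} in first-seen order, built from pluto lines."""
    sessions, last_key = {}, {}  # last_key: pid -> SA last mentioned by that pluto
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m.group('pid'), m.group('msg')
        sa = SA_MSG.match(msg)
        if sa is None:
            # "XAUTH: User ...: Authentication Successful" carries no SA prefix;
            # attribute it to the SA this pluto process last logged about.
            u = XAUTH_OK.search(msg)
            if u and pid in last_key:
                sessions[last_key[pid]]['user'] = u.group(1)
            continue
        key = f"{pid}/#{sa.group('sa')}"
        s = sessions.setdefault(key, new_session(sa.group('peer')))
        last_key[pid] = key
        body = sa.group('body')
        t = TRANSITION.search(body)
        if t:
            s['states'].append(t.group(2))
            if t.group(1) == 'STATE_MODE_CFG_R1':
                s['modecfg_acked'] = True  # leaving R1 means the Ack arrived
        n = NAT_MAP.search(body)
        if n:
            s['nat'] = (n.group(1), n.group(2))
        p = ISAKMP.search(body)
        if p:
            s['params'] = dict(zip(('auth', 'cipher', 'integ', 'group'), p.groups()))
        if 'Ignoring NUL at end of XAUTH User Password' in body:
            s['android_nul_quirk'] = True
        if 'ModeCfg Set sent, expecting Ack' in body:
            s['modecfg_set_sent'] = True
    return sessions


def diagnose(session):
    """Notes a practitioner wants when comparing a working and a failing client."""
    notes = []
    if session['modecfg_set_sent'] and not session['modecfg_acked']:
        notes.append('ModeCfg Set sent but no Ack seen: client stalled after XAUTH')
    if session['params'] and session['params']['group'] in WEAK_GROUPS:
        notes.append(f"weak DH group {session['params']['group']} negotiated")
    if session['nat'] and not session['nat'][1].endswith(':4500'):
        notes.append(f"client reaches us from {session['nat'][1]} after NAT-T float, "
                     "not port 4500: a port-rewriting NAT sits in the path")
    return notes


if __name__ == '__main__':
    for key, s in summarise(SAMPLE_LOG).items():
        print(key, s['peer'], 'user=%s' % s['user'], 'nat=%s' % (s['nat'],),
              'android_nul_quirk=%s' % s['android_nul_quirk'])
        for note in diagnose(s):
            print('   -', note)
```

Run against a real /var/log/secure or journal export, the "no Ack seen" note is the first thing to look for when one client type stalls as here; the DH-group note is there because both sessions negotiated MODP1024, which a production ike= line should replace.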