[Swan] IKEv2 connection from Android drops after a few minutes

Beat Zahnd beat.zahnd at gmail.com
Wed Mar 11 20:56:14 UTC 2020


Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: Peer CERT payload SubjectAltName does not match peer ID for this connection
> 
> You do not have a subjectAltName=178.197.x.x in your certificate as a valid ID.
> The IKE ID has to match a subjectAltName= to prevent another certificate
> that is valid, but for a different ID, to spoof this IKE ID. Since many
> people have generated bad certificates, we provide the override option.

This is intentional since it is a roadwarrior client. The client public IP is never the same...

> 
>> Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: switched from "ikev2-cp"[13] 178.197.x.x to "ikev2-cp"
>> Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[13] 178.197.x.x #10: X509: connection allows unmatched IKE ID and certificate SAN
>> Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: deleting connection "ikev2-cp"[13] 178.197.x.x instance with peer 178.197.x.x {isakmp=#0/ipsec=#0}
>> Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'CN=bz'
>> Mar 11 20:34:23 core pluto[29856]: "ikev2-cp"[14] 178.197.x.x #10: No acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig in I2 Auth Payload
> 
> What is your authby= line? Perhaps try authby=rsa-sha1 ? It looks like
> it is trying rsa-sha1 but the remote peer does not support that and is
> (against RFC 8472) trying to use rsa-sha1 with the RFC 7427 method.

authby is not set, as in https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

OK, 2.31 is now connecting with the following settings:

conn ikev2-cp
    authby=rsa-sha1
    require-id-on-certificate=no
    left=%defaultroute
    leftcert="test VPN"
    leftid=@test.dyn.ch
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    mobike=yes
    right=%any
    rightaddresspool=192.168.1.100-192.168.1.200
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=10.76.1.1
    narrowing=yes
    dpddelay=12h
    dpdtimeout=13h
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes


But still not a single nat-t keepalive from the server...
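The thread turns on two settings in the conn block above: require-id-on-certificate=no drops the binding between the IKE ID and a certificate SAN that the quoted reply describes, and authby=rsa-sha1 falls back to SHA-1 signatures. As an added example (not libreswan code and not from the original post), here is a small Python lint that parses ipsec.conf conn sections and reports both; the sample conn text is constructed from the block above and the finding wording is the author's, not libreswan's.

```python
"""Lint libreswan ipsec.conf 'conn' sections for options that loosen
peer authentication. Added example; not libreswan's own code."""
import re
from typing import Dict, List

# Constructed sample, trimmed from the conn block in the thread.
SAMPLE_CONF = """\
conn ikev2-cp
    authby=rsa-sha1
    require-id-on-certificate=no   # the override discussed above
    leftcert="test VPN"
    leftid=@test.dyn.ch
    right=%any
    rightca=%same
    ikev2=insist
"""

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Map each 'conn NAME' section to its key=value options."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip().strip('"')
    return conns

def lint_conn(opts: Dict[str, str]) -> List[str]:
    """Return findings for options that loosen peer authentication."""
    findings: List[str] = []
    # libreswan defaults require-id-on-certificate to yes (assumption).
    if opts.get("require-id-on-certificate", "yes").lower() == "no":
        findings.append(
            "require-id-on-certificate=no: the IKE ID is not checked against "
            "a certificate SAN, so any certificate chaining to rightca can "
            "claim any ID; prefer client certs whose SAN matches the ID sent")
    if "sha1" in opts.get("authby", "").lower():
        findings.append(
            "authby=%s: SHA-1 signatures; keep only while the client cannot "
            "do the default RSA-PSS (RFC 7427) method" % opts["authby"])
    return findings

def lint_file(text: str) -> Dict[str, List[str]]:
    """Findings per conn section, keyed by conn name."""
    return {name: lint_conn(o) for name, o in parse_conns(text).items()}

if __name__ == "__main__":
    for name, found in lint_file(SAMPLE_CONF).items():
        print(name, *found, sep="\n  ")
```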

