[Swan] Android 14 - IKEv2/IPSEC PSK
antonio
asilva at wirelessmundi.com
Wed Mar 27 20:11:32 EET 2024
Hi,
I’m trying to connect an Android device using the native VPN client and libreswan version 5.0rc2. It looks like a simple host - host/subnet connection, but it doesn’t connect… I got the following log:
Mar 27 17:55:02.739193: "tunnel1"[1] 192.168.1.126 #1: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]
Mar 27 17:55:02.739254: "tunnel1"[1] 192.168.1.126 #1: initiator guessed wrong keying material group (DH24); responding with INVALID_KE_PAYLOAD requesting DH19
Mar 27 17:55:02.739330: "tunnel1"[1] 192.168.1.126 #1: responding to IKE_SA_INIT message (ID 0) from 192.168.1.126:41943 with unencrypted notification INVALID_KE_PAYLOAD
Mar 27 17:55:02.739356: "tunnel1"[1] 192.168.1.126 #1: encountered fatal error in state STATE_V2_PARENT_R0
Mar 27 17:55:02.739516: "tunnel1"[1] 192.168.1.126 #1: deleting IKE SA (processing IKE_SA_INIT request)
Mar 27 17:55:02.739710: "tunnel1"[1] 192.168.1.126: deleting connection instance with peer 192.168.1.126
Mar 27 17:55:02.750583: "tunnel1"[2] 192.168.1.126 #2: proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[first-match] 2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[better-match]
Mar 27 17:55:02.754631: "tunnel1"[2] 192.168.1.126 #2: processed IKE_SA_INIT request from 192.168.1.126:UDP/41943 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
My tunnel configuration:
conn tunnel1
        type=tunnel
        authby=secret
        auto=add
        left=192.168.1.10
        leftsubnet=192.168.10.0/24
        leftid=192.168.101.2
        keyingtries=3
        ikelifetime=8h
        salifetime=8h
        right=%any
        rightid=192.168.102.1
It looks like it doesn’t agree with the proposal. I’ve tried to use extra parameters I found on the mailing list: https://lists.libreswan.org/pipermail/swan/2017/002132.html
conn tunnel1
        type=tunnel
        authby=secret
        auto=add
        left=192.168.1.10
        leftsubnet=192.168.10.0/24
        leftid=192.168.101.2
        right=%any
        rightid=192.168.102.1
        salifetime=1h
        ikelifetime=8h
        ikev2=insist
        rekey=no
        #ike=aes128-sha2_256;modp1536
        #phase2alg=aes128-sha2_384
        #ike=aes256-sha2_256;modp2048
        #phase2alg=aes256-sha2_256
        sha2-truncbug=yes
        ike=aes256-sha2_512;modp2048,aes256-sha2_512;modp2048,aes128-sha2_512;modp2048,aes256-sha1;modp1024,aes128-sha1;modp1024
        esp=aes256-sha2_512,aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512
        rightaddresspool=172.17.4.16-172.17.4.31
        leftxauthserver=yes
        rightxauthclient=yes
        leftmodecfgserver=yes
        rightmodecfgclient=yes
        modecfgpull=yes
But I’m unable to connect…
You can see pluto.log (debug=all) here: https://pastebin.com/4V26rLnw
Thanks for the help.
—
Saludos / Regards / Cumprimentos
António Silva
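An added example, not part of the post and not libreswan code: a small parser for the "proposal ... chosen from remote proposals" lines quoted above. It recovers the DH group the Android client put in its KE payload and compares it with the group libreswan selected, which is what produces the INVALID_KE_PAYLOAD round trip in the first attempt and why the second attempt (with ECP_256 listed first) goes through. It assumes the KE payload group is the first DH entry of the peer's first proposal, a heuristic that the log does not state directly.

```python
import re
from typing import Dict, List

# Two "proposal ... chosen from remote proposals" lines copied from the pluto
# log quoted in the post (timestamp and connection prefix trimmed).
FIRST_ATTEMPT = (
    "proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals "
    "1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;"
    "INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;"
    "PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[first-match] "
    "2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;"
    "PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=DH24;DH=ECP_384;DH=ECP_256;DH=MODP2048;DH=MODP1536[better-match]"
)
SECOND_ATTEMPT = (
    "proposal 2:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals "
    "1:IKE:ENCR=AES_CBC_256;ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_384_192;"
    "INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;"
    "PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[first-match] "
    "2:IKE:ENCR=AES_GCM_C_256;ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_384;"
    "PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=ECP_256;DH=DH24;DH=ECP_384;DH=MODP2048;DH=MODP1536[better-match]"
)

CHOSEN_RE = re.compile(r"proposal (\d+):IKE=(\S+) chosen from remote proposals (.*)")
REMOTE_RE = re.compile(r"(\d+):IKE:([^\[\]]+)\[([a-z-]+)\]")

def parse_remote_proposals(text: str) -> List[dict]:
    """Split '1:IKE:ENCR=..;DH=..[first-match] 2:IKE:..[better-match]' into per-proposal dicts."""
    proposals = []
    for num, attrs, verdict in REMOTE_RE.findall(text):
        algs: Dict[str, List[str]] = {}
        for item in attrs.split(";"):
            kind, _, name = item.partition("=")   # e.g. kind="DH", name="ECP_256"
            algs.setdefault(kind, []).append(name)  # keeps the peer's ordering
        proposals.append({"num": int(num), "algs": algs, "verdict": verdict})
    return proposals

def check_ke_guess(line: str) -> dict:
    """Compare the group the responder chose with the group the initiator's KE payload carried."""
    m = CHOSEN_RE.search(line)
    if not m:
        raise ValueError("not a 'proposal ... chosen from remote proposals' line")
    chosen_num, chosen_alg, remote = m.groups()
    proposals = parse_remote_proposals(remote)
    chosen_group = chosen_alg.split("-")[-1]          # last element of the chosen tuple is the DH group
    # Assumption (heuristic): the KE payload uses the first DH group the initiator
    # listed in its first proposal; a mismatch means an INVALID_KE_PAYLOAD round trip.
    ke_group = proposals[0]["algs"]["DH"][0]
    return {"chosen_proposal": int(chosen_num), "chosen_group": chosen_group,
            "ke_group": ke_group, "invalid_ke_expected": ke_group != chosen_group}
```

Running check_ke_guess on FIRST_ATTEMPT reports DH24 against ECP_256 (the INVALID_KE_PAYLOAD case), while SECOND_ATTEMPT reports ECP_256 against ECP_256, matching the "processed IKE_SA_INIT request ... group=DH19" line that follows it in the log.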