<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi,<br>
<br>
I was trying to configure libreswan to use XAuth. My first attempt
was to configure it with PSK and then move to X.509 certs.<br>
<br>
The problem I'm having is that with an Android device on version
4.2.2 I cannot connect. With Android 5.1 it connects fine. The
problem is that I need it to connect on the older device running
4.2.2...<br>
<br>
So I'm not sure if I'm doing something wrong or if it might be a
limitation of the Android version... <br>
<br>
Are any of you having the same issue?<br>
<br>
<br>
<br>
My setup:<br>
<br>
Client (192.168.7.0/24) router (188.80.213.101) ----- internet
--- (77.231.247.140) router (192.168.1.0/24) server (pool ipsec
172.16.1.0/24)<br>
<br>
<br>
My ipsec.conf:<br>
conn tunnel7<br>
auto=add<br>
authby=secret<br>
left=192.168.1.2<br>
leftnexthop=77.231.247.140<br>
leftsubnet=0.0.0.0/0<br>
leftid=77.231.247.140<br>
right=%any<br>
rightaddresspool=172.16.1.1-172.16.1.254<br>
rightid=%any<br>
dpddelay=30<br>
dpdtimeout=120<br>
dpdaction=clear<br>
leftcert=test.domain.local<br>
leftxauthserver=yes<br>
rightxauthclient=yes<br>
leftmodecfgserver=yes<br>
rightmodecfgclient=yes<br>
modecfgpull=yes<br>
ike-frag=yes<br>
#xauthby=file<br>
xauthby=alwaysok<br>
pfs=no<br>
rekey=no<br>
<br>
<br>
<u>Log when it connects (Android 5.1):</u><br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
received Vendor ID payload [RFC 3947]<br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
received Vendor ID payload [XAUTH]<br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
received Vendor ID payload [Cisco-Unity]<br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
received Vendor ID payload [FRAGMENTATION 80000000]<br>
Jul 19 16:07:02 sol pluto[21336]: packet from 188.80.213.101:8:
received Vendor ID payload [Dead Peer Detection]<br>
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)<br>
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
responding to Main Mode from unknown peer 188.80.213.101<br>
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 8:
I am behind NAT+peer behind NAT<br>
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
Main mode peer ID is ID_IPV4_ADDR: '192.168.7.3'<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9:
switched from "tunnel7" to "tunnel7"<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
new NAT mapping for #9, was 188.80.213.101:8, now
188.80.213.101:1031<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY
cipher=aes_256 integ=sha group=MODP1024}<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Dead Peer Detection (RFC 3706): enabled<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
XAUTH: Sending XAUTH Login/Password Request<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
XAUTH: Sending Username/Password request (XAUTH_R0)<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
ignoring informational payload IPSEC_INITIAL_CONTACT,
msgid=00000000, length=28<br>
Jul 19 16:07:03 sol pluto[21336]: | ISAKMP Notification Payload<br>
Jul 19 16:07:03 sol pluto[21336]: | 00 00 00 1c 00 00 00 01 01
10 60 02<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
received and ignored informational message<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)<br>
Jul 19 16:07:03 sol pluto[21336]: XAUTH: User ggg: Attempting to
login<br>
Jul 19 16:07:03 sol pluto[21336]: XAUTH: authentication method
'always ok' requested to authenticate user ggg<br>
Jul 19 16:07:03 sol pluto[21336]: XAUTH: User ggg: Authentication
Successful<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
XAUTH: xauth_inR1(STF_OK)<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
STATE_MAIN_R3: sent MR3, ISAKMP SA established<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Dead Peer Detection (RFC 3706): enabled<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Unsupported modecfg long attribute MODECFG_BANNER received.<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Unsupported modecfg long attribute MODECFG_DOMAIN received.<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Unsupported modecfg long attribute CISCO_SPLIT_DNS received.<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Unsupported modecfg long attribute CISCO_SPLIT_INC received.<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Unsupported modecfg long attribute APPLICATION_VERSION received.<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
modecfg_inR0(STF_OK)<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack<br>
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9:
Dead Peer Detection (RFC 3706): enabled<br>
<br>
<br>
<br>
<u>Log when it fails (Android 4.2.2):</u><br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
received Vendor ID payload [RFC 3947]<br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]<br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]<br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
received Vendor ID payload [XAUTH]<br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
received Vendor ID payload [Cisco-Unity]<br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
received Vendor ID payload [FRAGMENTATION 80000000]<br>
Jul 19 16:12:47 sol pluto[22595]: packet from 188.80.213.101:500:
received Vendor ID payload [Dead Peer Detection]<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
responding to Main Mode from unknown peer 188.80.213.101<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
STATE_MAIN_R1: sent MR1, expecting MI2<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port
500: I am behind NAT+peer behind NAT<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
STATE_MAIN_R2: sent MR2, expecting MI3<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
Main mode peer ID is ID_IPV4_ADDR: '192.168.7.11'<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1:
switched from "tunnel7" to "tunnel7"<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
deleting connection "tunnel7" instance with peer 188.80.213.101
{isakmp=#0/ipsec=#0}<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
new NAT mapping for #1, was 188.80.213.101:500, now
188.80.213.101:4500<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY
cipher=aes_256 integ=sha group=MODP1024}<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Dead Peer Detection (RFC 3706): enabled<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
XAUTH: Sending XAUTH Login/Password Request<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
XAUTH: Sending Username/Password request (XAUTH_R0)<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
ignoring informational payload IPSEC_INITIAL_CONTACT,
msgid=00000000, length=28<br>
Jul 19 16:12:47 sol pluto[22595]: | ISAKMP Notification Payload<br>
Jul 19 16:12:47 sol pluto[22595]: | 00 00 00 1c 00 00 00 01 01
10 60 02<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
received and ignored informational message<br>
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Ignoring NUL at end of XAUTH User Password (Android Issue 36879?)<br>
Jul 19 16:12:47 sol pluto[22595]: XAUTH: User ggsrs: Attempting to
login<br>
Jul 19 16:12:47 sol pluto[22595]: XAUTH: authentication method
'always ok' requested to authenticate user ggsrs<br>
Jul 19 16:12:47 sol pluto[22595]: XAUTH: User ggsrs: Authentication
Successful<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
XAUTH: xauth_inR1(STF_OK)<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
STATE_MAIN_R3: sent MR3, ISAKMP SA established<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Dead Peer Detection (RFC 3706): enabled<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Unsupported modecfg long attribute MODECFG_BANNER received.<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Unsupported modecfg long attribute MODECFG_DOMAIN received.<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Unsupported modecfg long attribute CISCO_SPLIT_DNS received.<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Unsupported modecfg long attribute CISCO_SPLIT_INC received.<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Unsupported modecfg long attribute APPLICATION_VERSION received.<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
modecfg_inR0(STF_OK)<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack<br>
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1:
Dead Peer Detection (RFC 3706): enabled<br>
<br>
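As an added example (not part of the post above and not libreswan code), a small Python script that reduces the two pluto logs to their IKEv1 state-machine events and reports the first point where the Android 5.1 and Android 4.2.2 sessions diverge; the embedded log excerpts are constructed from the lines quoted above, trimmed to the per-SA events that matter.

```python
import re
from itertools import zip_longest

# Constructed excerpts of the two pluto sessions quoted in the post
# (Android 5.1 first, Android 4.2.2 second), trimmed to state-machine lines.
LOG_ANDROID_51 = """\
Jul 19 16:07:02 sol pluto[21336]: "tunnel7"[6] 188.80.213.101 #9: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: new NAT mapping for #9, was 188.80.213.101:8, now 188.80.213.101:1031
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:07:03 sol pluto[21336]: "tunnel7"[5] 188.80.213.101 #9: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
"""
LOG_ANDROID_422 = """\
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[1] 188.80.213.101 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: deleting connection "tunnel7" instance with peer 188.80.213.101 {isakmp=#0/ipsec=#0}
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 19 16:12:47 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: new NAT mapping for #1, was 188.80.213.101:500, now 188.80.213.101:4500
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
Jul 19 16:12:48 sol pluto[22595]: "tunnel7"[2] 188.80.213.101 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
"""

# Prefix pluto puts on every per-SA line: "conn"[instance] peer #sa: message
SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)')
TRANSITION = re.compile(r"transition from state (\S+) to state (\S+)")
NAT_MAP = re.compile(r"new NAT mapping for #\d+, was \S+:(\d+), now \S+:(\d+)")

def parse_events(log):
    # Reduce per-SA lines to (kind, detail) tuples; everything else is skipped.
    events = []
    for line in log.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if t := TRANSITION.search(msg):
            events.append(("state", t.group(2)))          # state entered
        elif n := NAT_MAP.search(msg):
            events.append(("nat", f"{n.group(1)}->{n.group(2)}"))  # old->new peer port
        elif msg.startswith("deleting connection"):
            events.append(("delete", m.group("conn")))
    return events

def first_divergence(good, bad):
    # (index, good_event, bad_event) at the first mismatch; None if identical.
    for i, (g, b) in enumerate(zip_longest(good, bad)):
        if g != b:
            return i, g, b
    return None

if __name__ == "__main__":
    d = first_divergence(parse_events(LOG_ANDROID_51), parse_events(LOG_ANDROID_422))
    print("sessions identical" if d is None else f"diverge at event {d[0]}: {d[1]} vs {d[2]}")
```

On the quoted logs the first mismatch is the "deleting connection" instance line that only the 4.2.2 session emits (right after the peer ID is learned), and the NAT mapping ports differ (8 to 1031 versus 500 to 4500); both sessions otherwise end at the same "ModeCfg Set sent, expecting Ack" point.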
</body>
</html>