Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    failing to connect with strongSwan

    IPsec
    1
    1
    177
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • adamw
      adamw last edited by

      Hi all,

      I'm on 2.4.4-RELEASE-p1
      I've set up IPSec following Netgate pfSense Book dated Aug 2018.
      A screenshot showing an overview of my settings attached:
      IPSec_settings.png

      I can connect fine from Windows 10 with both routing and DNS working and from MacOSX with routing but without DNS as yet.

      Unfortunately I can't get that far with strongSwan for Android (the latest version as of today).
      I've triple checked my username and password and I'm using exactly the same as in Pre-Shared Keys (EAP type).
      It works in other clients / OS'es anyway.

      server IP xxx.xxx.xxx.xxx
      client IP yyy.yyy.yyy.yyy

      My client side logs:

      Mar 19 12:37:46 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Mar 19 12:37:46 00[DMN] Starting IKE service (strongSwan 5.7.2, Android 8.0.0 - R16NW.G935FXXS4ESAE/2019-02-01, SM-G935F - samsung/hero2ltexx/samsung, Linux 3.18.91-14843133-QB21795979, aarch64)
Mar 19 12:37:46 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar 19 12:37:46 00[JOB] spawning 16 worker threads
Mar 19 12:37:46 06[IKE] initiating IKE_SA android[29] to xxx.xxx.xxx.xxx
Mar 19 12:37:46 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 19 12:37:46 06[NET] sending packet: from 100.87.12.210[40815] to xxx.xxx.xxx.xxx[500] (716 bytes)
Mar 19 12:37:46 10[NET] received packet: from xxx.xxx.xxx.xxx[500] to 100.87.12.210[40815] (297 bytes)
Mar 19 12:37:46 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 19 12:37:46 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Mar 19 12:37:46 10[IKE] local host is behind NAT, sending keep alives
Mar 19 12:37:46 10[IKE] received cert request for "CN=MyServer-CA, C=GB, ST=England, L=London, O=MyCompany"
Mar 19 12:37:46 10[IKE] sending cert request for "CN=MyServer-CA, C=GB, ST=England, L=London, O=MyCompany"
Mar 19 12:37:46 10[IKE] establishing CHILD_SA android{29}
Mar 19 12:37:46 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 19 12:37:46 10[NET] sending packet: from 100.87.12.210[39158] to xxx.xxx.xxx.xxx[4500] (480 bytes)
Mar 19 12:37:46 11[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 100.87.12.210[39158] (80 bytes)
Mar 19 12:37:46 11[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 19 12:37:46 11[IKE] received AUTHENTICATION_FAILED notify error

      Server side:

      Mar 19 12:37:50	charon		10[NET] <52> received packet: from yyy.yyy.yyy.yyy[15296] to xxx.xxx.xxx.xxx[500] (716 bytes)
Mar 19 12:37:50	charon		10[ENC] <52> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 19 12:37:50	charon		10[IKE] <52> yyy.yyy.yyy.yyy is initiating an IKE_SA
Mar 19 12:37:50	charon		10[CFG] <52> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Mar 19 12:37:50	charon		10[CFG] <52> configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 19 12:37:50	charon		10[IKE] <52> no matching proposal found, trying alternative config
Mar 19 12:37:50	charon		10[CFG] <52> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Mar 19 12:37:50	charon		10[IKE] <52> remote host is behind NAT
Mar 19 12:37:50	charon		10[IKE] <52> sending cert request for "CN=MyServer-CA, C=GB, ST=England, L=London, O=MyCompany"
Mar 19 12:37:50	charon		10[ENC] <52> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 19 12:37:50	charon		10[NET] <52> sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[15296] (297 bytes)
Mar 19 12:37:50	charon		10[NET] <52> received packet: from yyy.yyy.yyy.yyy[54459] to xxx.xxx.xxx.xxx[4500] (480 bytes)
Mar 19 12:37:50	charon		10[ENC] <52> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 19 12:37:50	charon		10[IKE] <52> received cert request for "CN=MyServer-CA, C=GB, ST=England, L=London, O=MyCompany"
Mar 19 12:37:50	charon		10[CFG] <52> looking for peer configs matching xxx.xxx.xxx.xxx[%any]...yyy.yyy.yyy.yyy[user@mycompany.com]
Mar 19 12:37:50	charon		10[CFG] <bypasslan|52> selected peer config 'bypasslan'
Mar 19 12:37:50	charon		10[IKE] <bypasslan|52> peer requested EAP, config unacceptable
Mar 19 12:37:50	charon		10[CFG] <bypasslan|52> no alternative config found
Mar 19 12:37:50	charon		10[IKE] <bypasslan|52> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Mar 19 12:37:50	charon		10[IKE] <bypasslan|52> peer supports MOBIKE
Mar 19 12:37:50	charon		10[ENC] <bypasslan|52> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Mar 19 12:37:50	charon		10[NET] <bypasslan|52> sending packet: from xxx.xxx.xxx.xxx[4500] to yyy.yyy.yyy.yyy[54459] (80 bytes)

      Why is it failing and how to fix it?
      Anything to do with choice of ciphers?

      Thanks,
      Adam

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense Plus
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy