• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

StrongSwan user authentication failed on Android

Scheduled Pinned Locked Moved IPsec
24 Posts 4 Posters 4.3k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • K
    Konstanti @Alanesi
    last edited by Konstanti Aug 8, 2020, 12:31 PM Aug 8, 2020, 12:30 PM

    @Alanesi
    Then you need to check the settings of the Android client
    There may be an error in the username/password field

    A 1 Reply Last reply Aug 8, 2020, 2:07 PM Reply Quote 0
    • A
      Alanesi @Konstanti
      last edited by Aug 8, 2020, 2:07 PM

      @Konstanti
      Unfortunately still the same issue but with different log
      This is from pfSense:

      Aug 8 17:01:25 charon 16[CFG] <2464> looking for IKEv2 configs for x.x.x.x...y.y.y.y
      Aug 8 17:01:25 charon 16[CFG] <2464> candidate: %any...%any, prio 24
      Aug 8 17:01:25 charon 16[CFG] <2464> candidate: x.x.x.x...%any, prio 1052
      Aug 8 17:01:25 charon 16[IKE] <2464> no matching proposal found, trying alternative config
      Aug 8 17:01:25 charon 16[CFG] <2464> selecting proposal:
      Aug 8 17:01:25 charon 16[CFG] <2464> proposal matches
      Aug 8 17:01:25 charon 16[CFG] <2464> received proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      Aug 8 17:01:25 charon 16[CFG] <2464> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
      Aug 8 17:01:25 charon 16[CFG] <2464> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
      Aug 8 17:01:25 charon 16[CFG] <2464> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Aug 8 17:01:25 charon 16[IKE] <2464> remote host is behind NAT
      Aug 8 17:01:25 charon 16[CFG] <2464> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Aug 8 17:01:25 charon 16[IKE] <2464> sending cert request for "CN=internal-ca, C=SA, L=Riyadh, O=International"
      Aug 8 17:01:25 charon 16[ENC] <2464> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Aug 8 17:01:25 charon 16[NET] <2464> sending packet: from x.x.x.x[500] to y.y.y.y[40538] (305 bytes)
      Aug 8 17:01:25 charon 16[NET] <2464> received packet: from y.y.y.y[51903] to x.x.x.x[4500] (448 bytes)
      Aug 8 17:01:25 charon 16[ENC] <2464> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Aug 8 17:01:25 charon 16[CFG] <2464> looking for peer configs matching x.x.x.x[%any]...y.y.y.y[user@domain.com]
      Aug 8 17:01:25 charon 16[CFG] <2464> candidate "bypasslan", match: 1/1/24 (me/other/ike)
      Aug 8 17:01:25 charon 16[CFG] <2464> candidate "con-mobile", match: 1/1/1052 (me/other/ike)
      Aug 8 17:01:25 charon 16[CFG] <2464> ignore candidate 'con-mobile' without matching IKE proposal
      Aug 8 17:01:25 charon 16[CFG] <bypasslan|2464> selected peer config 'bypasslan'
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> peer requested EAP, config unacceptable
      Aug 8 17:01:25 charon 16[CFG] <bypasslan|2464> no alternative config found
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> processing INTERNAL_IP4_ADDRESS attribute
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> processing INTERNAL_IP6_ADDRESS attribute
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> processing INTERNAL_IP4_DNS attribute
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> processing INTERNAL_IP6_DNS attribute
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> peer supports MOBIKE
      Aug 8 17:01:25 charon 16[ENC] <bypasslan|2464> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Aug 8 17:01:25 charon 16[NET] <bypasslan|2464> sending packet: from x.x.x.x[4500] to y.y.y.y[51903] (80 bytes)
      Aug 8 17:01:25 charon 16[IKE] <bypasslan|2464> IKE_SA bypasslan[2464] state change: CONNECTING => DESTROYING

      1 Reply Last reply Reply Quote 0
      • A
        Alitai
        last edited by Aug 8, 2020, 11:50 PM

        do you have set dns sec on your android?

        A 1 Reply Last reply Aug 9, 2020, 9:09 AM Reply Quote 0
        • A
          Alanesi @Alitai
          last edited by Aug 9, 2020, 9:09 AM

          @Alitai

          No, but to wich server?

          1 Reply Last reply Reply Quote 0
          • A
            Alitai
            last edited by Aug 9, 2020, 12:04 PM

            okay, did you set the user identity under advance settings on the strongswan app?

            A 1 Reply Last reply Aug 9, 2020, 1:46 PM Reply Quote 0
            • A
              Alanesi @Alitai
              last edited by Aug 9, 2020, 1:46 PM

              @Alitai
              Yes its the same username.

              1 Reply Last reply Reply Quote 0
              • A
                Alitai
                last edited by Aug 9, 2020, 2:35 PM

                okay, on the android part there is not much more to todo.
                Normally this is the easy part.

                Now, I think it's time for pictures from your pfsense and android. but don't forget to deleted the sensitive Infos.

                A 1 Reply Last reply Aug 12, 2020, 7:06 AM Reply Quote 0
                • A
                  Alanesi @Alitai
                  last edited by Alanesi Aug 12, 2020, 7:25 AM Aug 12, 2020, 7:06 AM

                  @Alitai
                  This the P1 on pfSense.

                  2020-08-12_9-25-04.png
                  2020-08-12_9-25-53.png

                  This Mobile Client
                  2020-08-12_9-25-53.png

                  For the Pre-Shared Keys the secret type is EAP.

                  This P2

                  P2.png

                  This on the Andriod

                  Screenshot_20200812-093931_strongSwan VPN Client.jpg

                  K 1 Reply Last reply Aug 12, 2020, 8:47 AM Reply Quote 0
                  • K
                    Konstanti @Alanesi
                    last edited by Aug 12, 2020, 8:47 AM

                    @Alanesi
                    Phase 1 - My identifier

                    7760fdd0-7620-42df-bb23-7daccc4aef9c-image.png

                    A 1 Reply Last reply Aug 12, 2020, 4:13 PM Reply Quote 0
                    • A
                      Alanesi @Konstanti
                      last edited by Aug 12, 2020, 4:13 PM

                      Thanks @Konstanti

                      I did that but it didnt make any diffreance still same error.

                      1 Reply Last reply Reply Quote 0
                      • A
                        Alitai
                        last edited by Aug 12, 2020, 4:24 PM

                        Phase 1:
                        Switch to:
                        AES / 256 bits / SHA256 / 14 (2048 bit)
                        and
                        Enable MOBIKE

                        Android:
                        Don't forget the advanced settings (see above).

                        A 1 Reply Last reply Aug 12, 2020, 5:59 PM Reply Quote 1
                        • A
                          Alanesi @Alitai
                          last edited by Alanesi Aug 12, 2020, 6:08 PM Aug 12, 2020, 5:59 PM

                          @Alitai
                          THAT'S GREAT IT WORKED.
                          I accualy added AES / 256 bits / SHA256 / 14 (2048 bit) to the current one.

                          Thanks @Alitai 🎖

                          1 Reply Last reply Reply Quote 0
                          24 out of 24
                          • First post
                            24/24
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                            This community forum collects and processes your personal information.
                            consent.not_received