Discussion:
[strongSwan] IKEv2 EAP (username/password) authentication failing with strongswan server
Ravi Kanth Vanapalli
2014-12-22 16:47:51 UTC
Dear All,

I am trying to do IKEv2 EAP Username/password authentication between
Dec 22 11:44:59 samsung-600

Client: Strongswan Android google play apk
Server: Strongswan server running on my linux machine

Connection is failing with


*charon: 11[IKE] no shared key found for '10.0.0.35' - 'user1'*


*Please find below the snapshot of my configuration files. Please let me
know if I missed something.*
ipsec.conf
---------------

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    plutostart=yes
# Add connections here.
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn ssandroid
    left=10.0.0.35
    leftfirewall=no
    right=%any
    rightsourceip = 10.0.0.2
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=start

ipsec.secrets
-------------------
include /var/lib/strongswan/ipsec.secrets.inc

user1:EAP "topsecretpassword"


*Daemon log for this failure* i.e tail -f /var/log/syslog

Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[NET] received packet: from
10.0.0.29[59701] to 10.0.0.35[500]
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[IKE] 10.0.0.29 is
initiating an IKE_SA
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[IKE] remote host is behind
NAT
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 22 11:44:58 samsung-600B4B-600B5B charon: 16[NET] sending packet: from
10.0.0.35[500] to 10.0.0.29[59701]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[NET] received packet: from
10.0.0.29[49704] to 10.0.0.35[4500]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH
request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6)
N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] received cert request
for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[CFG] looking for peer
configs matching 10.0.0.35[%any]...10.0.0.29[user1]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[CFG] selected peer config
'ssandroid'
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] initiating
EAP-Identity request
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] peer supports MOBIKE
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] authentication of
'10.0.0.35' (myself) with pre-shared key

*Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] no shared key found
for '10.0.0.35' - 'user1'*
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH
response 1 [ N(AUTH_FAILED) ]
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[NET] sending packet: from
10.0.0.35[4500] to 10.0.0.29[49704]

Please help me resolve this issue.
--
Regards,
RaviKanth
Noel Kuntze
2014-12-22 17:38:48 UTC
Hello Ravi,

You didn't set "leftauth", so it defaults to "psk". EAP usually uses a certificate on the server side
to authenticate the server against the client. Because your current configuration uses "leftauth=psk",
charon looks for a preshared key. To make your setup work, you need to set "leftauth=pubkey" and generate
a server certificate following the guide at this [1] link. You will need to import your CA into your Android
phone's certificate store after you created your server certificate.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/SimpleCA

Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Ravi Kanth Vanapalli
2014-12-22 19:12:22 UTC
Dear Noel,
I was able to make some progress after setting the leftauth to pubkey.

I generated the certificates using the procedure outlined in the link.
Now I am running into the issue where gateway sends the last IKE_AUTH
message with IP address. Then UE sends back AUTH failed. On looking into
charon.log, there was an error like

Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185'
required
Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable:
constraint checking failed

Here is the print of daemon log (/var/log/syslog) on the strongswan server
side
---------------------------------------------------------------------------------------------------------------


Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] received packet: from
192.168.43.94[54252] to 192.168.43.185[500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N((16430)) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] 192.168.43.94 is
initiating an IKE_SA
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[IKE] remote host is behind
NAT
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[ENC] generating
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 14[NET] sending packet: from
192.168.43.185[500] to 192.168.43.94[54252]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] parsed IKE_AUTH
request 1 [ IDi N(INIT_CONTACT) CERTREQ CP(ADDR ADDR6 DNS DNS6)
N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received cert request
for "C=CH, O=strongSwan, CN=strongSwan Root CA"
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] looking for peer
configs matching 192.168.43.185[%any]...192.168.43.94[user1]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[CFG] selected peer config
'ssandroid'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] initiating
EAP-Identity request
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] received
ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] peer supports MOBIKE
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] authentication of
'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with RSA signature
successful
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[IKE] sending end entity
cert "C=CH, O=strongSwan, CN=strongSwan Root CA"
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[ENC] generating IKE_AUTH
response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 15[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] parsed IKE_AUTH
request 2 [ EAP/RES/ID ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] received EAP identity
'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[IKE] initiating
EAP_MSCHAPV2 method (id 0x87)
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[ENC] generating IKE_AUTH
response 2 [ EAP/REQ/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 09[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] parsed IKE_AUTH
request 3 [ EAP/RES/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[ENC] generating IKE_AUTH
response 3 [ EAP/REQ/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 10[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] parsed IKE_AUTH
request 4 [ EAP/RES/MSCHAPV2 ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[IKE] EAP method
EAP_MSCHAPV2 succeeded, MSK established
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH
response 4 [ EAP/SUCC ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 11[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[ENC] parsed IKE_AUTH
request 5 [ AUTH ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of
'user1' with EAP successful
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] authentication of
'C=CH, O=strongSwan, CN=strongSwan Root CA' (myself) with EAP
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] IKE_SA ssandroid[2]
established between 192.168.43.185[C=CH, O=strongSwan, CN=strongSwan Root
CA]...192.168.43.94[user1]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] scheduling
reauthentication in 3250s
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] maximum IKE_SA
lifetime 3430s
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] peer requested
virtual IP %any6
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[CFG] assigning new lease
to 'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] assigning virtual IP
10.0.0.3 to peer 'user1'
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[IKE] CHILD_SA ssandroid{1}
established with SPIs c04897ea_i 87a8ff7a_o and TS 192.168.43.185/32 ===
10.0.0.3/32
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[ENC] generating IKE_AUTH
response 5 [ AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Dec 22 14:02:54 samsung-600B4B-600B5B charon: 13[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[NET] received packet: from
192.168.43.94[46301] to 192.168.43.185[4500]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[ENC] parsed INFORMATIONAL
request 6 [ N(AUTH_FAILED) ]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[ENC] generating
INFORMATIONAL response 6 [ ]
Dec 22 14:02:55 samsung-600B4B-600B5B charon: 01[NET] sending packet: from
192.168.43.185[4500] to 192.168.43.94[46301]


ipsec.conf file looks like below
-----------------------------------------------
conn ssandroid
    left=192.168.43.185
    leftfirewall=no
    right=%any
    rightsourceip = 10.0.0.2/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    auto=start
    leftcert=ServerCert.pem
    leftauth=pubkey

ipsec.secrets file looks like below
------------------------------------
include /var/lib/strongswan/ipsec.secrets.inc

: RSA ServerPrivKey.pem

user1 : EAP "topsecretpassword"

On the charon.log on the Android client side here is the error
----------------------------------------------------------------------------------------

Note:

Dec 22 14:02:52 16[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
Dec 22 14:02:52 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Dec 22 14:02:52 16[IKE] authentication of 'user1' (myself) with EAP
Dec 22 14:02:52 16[ENC] generating IKE_AUTH request 5 [ AUTH ]
Dec 22 14:02:52 16[NET] sending packet: from 192.168.43.94[46301] to
192.168.43.185[4500] (92 bytes)
Dec 22 14:02:52 12[NET] received packet: from 192.168.43.185[4500] to
192.168.43.94[46301] (268 bytes)
Dec 22 14:02:52 12[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR) SA TSi
TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
Dec 22 14:02:52 12[IKE] authentication of 'C=CH, O=strongSwan,
CN=strongSwan Root CA' with EAP successful
Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185'
required
Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable:
constraint checking failed
Dec 22 14:02:52 12[CFG] no alternative config found
Dec 22 14:02:52 12[ENC] generating INFORMATIONAL request 6 [ N(AUTH_FAILED)
]
Dec 22 14:02:52 12[NET] sending packet: from 192.168.43.94[46301] to
192.168.43.185[4500] (76 bytes)


Please let me know the issue here. Is something wrong with the certificates
created?
I have attached the complete charon.log file to this email.

Thanks,
Ravikanth
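
The leftauth change discussed above, as an added example that is not part of the thread: a small Python lint run over trimmed copies of the two conn definitions posted here. It assumes that a conn without leftauth takes its local method from the inherited authby value; the function and constant names are made up for this sketch.

```python
import re

# Constructed from the two 'conn' definitions posted in this thread
# (timing and address-pool options omitted).
BEFORE = """\
conn %default
    keyexchange=ikev2
    authby=secret

conn ssandroid
    left=10.0.0.35
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
"""

AFTER = """\
conn %default
    keyexchange=ikev2
    authby=secret

conn ssandroid
    left=192.168.43.185
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    leftcert=ServerCert.pem
    leftauth=pubkey
"""


def parse_conns(text):
    """Return {name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        elif line[0] not in " \t":
            current = None  # another section type, e.g. 'config setup'
    return conns


def local_auth(conn):
    """Assumption of this sketch: without leftauth, the legacy authby
    value decides how the gateway authenticates itself."""
    if "leftauth" in conn:
        return conn["leftauth"]
    return "psk" if conn.get("authby") in ("secret", "psk") else "pubkey"


def lint(text):
    """List (conn, problem) pairs for EAP client setups whose gateway
    side would still authenticate with a pre-shared key."""
    conns = parse_conns(text)
    defaults = conns.pop("%default", {})
    findings = []
    for name, own in conns.items():
        conn = {**defaults, **own}  # conn %default is inherited
        wants_eap = conn.get("rightauth", "").startswith("eap")
        if wants_eap and local_auth(conn) == "psk":
            findings.append((name, "gateway side uses PSK; set leftauth=pubkey"))
    return findings


if __name__ == "__main__":
    print("before:", lint(BEFORE))
    print("after: ", lint(AFTER))
```
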
Ravi Kanth Vanapalli
2014-12-22 20:42:22 UTC
Dear Noel,
I have made progress with this issue.
Issue was the Assigned Name in the certificate. I have set it to the
gateway IP, generated the certificates and re-installed the certificates on
the UE and server side.

I referred to the following link to solve this issue:
http://marc.info/?t=134837490100004&r=1&w=2

Now my strongswan Android App is connected to my gateway.

Thanks much for your quick support.

Regards,
Ravikanth



--
Regards,

RaviKanth VN Vanapalli
Ph: (469) 999 7567
Email: ***@gmail.com
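
The two failures in this thread, as an added example that is not part of the original posts: a Python triage script that rejoins mail-wrapped charon records and pulls out the identities involved in each failure. The sample logs are constructed from records quoted above, and the function names and issue labels are made up for this sketch.

```python
import re

# Constructed samples: records copied from the logs in this thread, still
# hard-wrapped the way the mail client left them.
GATEWAY_LOG = """\
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] authentication of
'10.0.0.35' (myself) with pre-shared key
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[IKE] no shared key found
for '10.0.0.35' - 'user1'
Dec 22 11:44:59 samsung-600B4B-600B5B charon: 11[ENC] generating IKE_AUTH
response 1 [ N(AUTH_FAILED) ]
"""

CLIENT_LOG = """\
Dec 22 14:02:52 12[IKE] authentication of 'C=CH, O=strongSwan,
CN=strongSwan Root CA' with EAP successful
Dec 22 14:02:52 12[CFG] constraint check failed: identity '192.168.43.185'
required
Dec 22 14:02:52 12[CFG] selected peer config 'android' inacceptable:
constraint checking failed
"""

STAMP = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
PSK_SELF = re.compile(r"authentication of '(.+?)' \(myself\) with pre-shared key")
NO_PSK = re.compile(r"no shared key found for '(.+?)' - '(.+?)'")
PEER_OK = re.compile(r"authentication of '(.+?)' with .+ successful")
NEED_ID = re.compile(r"constraint check failed: identity '(.+?)' required")


def unwrap(text):
    """Rejoin wrapped records: a line that does not start with a
    timestamp continues the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip().strip("*").strip()  # drop mail bold markers
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return one finding per failure, with the identities it names."""
    findings, psk_self, peer_id = [], None, None
    for rec in unwrap(text):
        if m := PSK_SELF.search(rec):
            psk_self = m.group(1)      # local side chose PSK
        elif m := NO_PSK.search(rec):
            findings.append({"issue": "psk-secret-missing",
                             "local": m.group(1), "peer": m.group(2),
                             "local_used_psk": psk_self == m.group(1)})
        elif m := PEER_OK.search(rec):
            peer_id = m.group(1)       # identity the peer proved
        elif m := NEED_ID.search(rec):
            findings.append({"issue": "gateway-identity-mismatch",
                             "required": m.group(1), "presented": peer_id})
    return findings


if __name__ == "__main__":
    for name, log in (("gateway", GATEWAY_LOG), ("client", CLIENT_LOG)):
        print(name, triage(log))
```

For the client log, the finding pairs the identity the client required (the gateway IP) with the certificate subject the gateway presented, which is the mismatch resolved above by issuing the certificate with the gateway IP as its name.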