Issue in setting up VPN connection (IKEv1) using android (ICS vpn client) with Strongswan 4.5.0 server
- by Kushagra Bhatnagar
I am facing issues in setting up VPN connection(IKEv1) using android (ICS vpn client) and Strongswan 4.5.0 server.
Below is the set up:
Strongswan server is running on ubuntu linux machine which is connected to some wifi hotspot.
Using the steps in this guide link, I generated CA, server and client certificate.
Once certificates are generated, following (clientCert.p12 and caCert.pem) are sent to mobile via mail and installed on android device.
Below are the ip addresses assigned to various interfaces
Linux server wlan0 interface ip where server is running: 192.168.43.212, android device eth0 interface ip address: 192.168.43.62; Android device is also attached with the same wifi hotspot.
On the Android device, I uses IPsec Xauth RSA option for setting up VPN authentication configuration.
I am using the following ipsec.conf configuration:
# basic configuration
config setup
plutodebug=all
# crlcheckinterval=600
# strictcrlpolicy=yes
# cachecrls=yes
nat_traversal=yes
# charonstart=yes
plutostart=yes
# Add connections here.
# Sample VPN connections
conn ios1
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=%defaultroute
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=192.168.43.62
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
rightcert=clientCert.pem
pfs=no
auto=add
With the above configurations when I enable VPN on android device, VPN connection is not successful and it gets timed out in Authentication phase.
I ran wireshark on both the android device and strongswan server, from the tcpdump below are the observations.
Initially Identity Protection (Main mode) exchanges happens between device and server and all are successful.
After all successful Identity Protection (Main mode) exchanges server is sending Transaction (Config mode) to device.
In reply android device is sending Informational message instead of Transaction (Config mode) message.
Further server is keep on sending Transaction (Config mode) message and device is again sending Identity Protection (Main mode) messages.
Finally timeout happens and connection fails.
I also capture Strongswan server logs and below are the snippets from the server logs which also verifies the same(described above).
Apr 27 21:09:40 Linux pluto[12105]: | **parse ISAKMP Message:
Apr 27 21:09:40 Linux pluto[12105]: | initiator cookie:
Apr 27 21:09:40 Linux pluto[12105]: | 06 fd 61 b8 86 82 df ed
Apr 27 21:09:40 Linux pluto[12105]: | responder cookie:
Apr 27 21:09:40 Linux pluto[12105]: | 73 7a af 76 74 f0 39 8b
Apr 27 21:09:40 Linux pluto[12105]: | next payload type: ISAKMP_NEXT_HASH
Apr 27 21:09:40 Linux pluto[12105]: | ISAKMP version: ISAKMP Version 1.0
Apr 27 21:09:40 Linux pluto[12105]: | exchange type: ISAKMP_XCHG_INFO
Apr 27 21:09:40 Linux pluto[12105]: | flags: ISAKMP_FLAG_ENCRYPTION
Apr 27 21:09:40 Linux pluto[12105]: | message ID: a2 80 ad 82
Apr 27 21:09:40 Linux pluto[12105]: | length: 92
Apr 27 21:09:40 Linux pluto[12105]: | ICOOKIE: 06 fd 61 b8 86 82 df ed
Apr 27 21:09:40 Linux pluto[12105]: | RCOOKIE: 73 7a af 76 74 f0 39 8b
Apr 27 21:09:40 Linux pluto[12105]: | peer: c0 a8 2b 3e Apr 27 21:09:40 Linux pluto[12105]: | state hash entry 25
Apr 27 21:09:40 Linux pluto[12105]: | state object not found Apr 27 21:09:40 Linux pluto[12105]: packet from 192.168.43.62:500: Informational Exchange is for an unknown (expired?) SA
Apr 27 21:09:40 Linux pluto[12105]: | next event EVENT_RETRANSMIT in 10 seconds for #9
Can anyone please provide update on this issue. Why the VPN connection gets timed out and why the ISAKMP exchanges are not proper between Android and strongswan server.