04-08-2014, 04:01 AM   #1
kemeris
Android native VPN client to Strongswan problem


Hi everyone,

I've been banging my head against this issue for several days and I cannot establish a connection with the VPN server (CentOS/strongSwan v5.1.2) from my Android phone using the IPSec Xauth RSA (ikev1) connection type. I tried various tutorials but the problem remains the same. I have no problem connecting from iPhone (ikev1) and Android (ikev2).

I am getting an "invalid HASH_V1 payload length, decryption failed?" error.

ipsec.conf
Code:
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1


conn android_IPSec_ikev1
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=serverCert.pem
    leftfirewall=yes
    right=%any
    rightsourceip=10.255.0.0/24
    rightdns=212.59.1.1
    rightauth=pubkey
    rightauth2=xauth
    auto=add
ipsec.secret
Code:
: RSA serverKey.pem
kemeris : XAUTH "pass1"
error.log
Code:
Apr  8 11:31:32 s1 charon: 11[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (476 bytes)
Apr  8 11:31:32 s1 charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Apr  8 11:31:32 s1 charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] received XAuth vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] received Cisco Unity vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] received FRAGMENTATION vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] received DPD vendor ID
Apr  8 11:31:32 s1 charon: 11[IKE] 10.0.0.11 is initiating a Main Mode IKE_SA
Apr  8 11:31:32 s1 charon: 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Apr  8 11:31:32 s1 charon: 11[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (136 bytes)
Apr  8 11:31:32 s1 charon: 10[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (228 bytes)
Apr  8 11:31:32 s1 charon: 10[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr  8 11:31:32 s1 charon: 10[IKE] sending cert request for "C=LT, S=Vilniaus m., L=Vilnius, O=Zeusman MB, CN=vpn.zeusman.lt"
Apr  8 11:31:32 s1 charon: 10[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
Apr  8 11:31:32 s1 charon: 10[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (350 bytes)
Apr  8 11:31:32 s1 charon: 12[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (1228 bytes)
Apr  8 11:31:32 s1 charon: 12[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
Apr  8 11:31:32 s1 charon: 12[IKE] received end entity cert "C=GB, O=Zeusman MB, CN=Tadas Blinda"
Apr  8 11:31:32 s1 charon: 12[CFG] looking for XAuthInitRSA peer configs matching 78.60.3.52...10.0.0.11[C=GB, O=Zeusman MB, CN=Tadas Blinda]
Apr  8 11:31:32 s1 charon: 12[CFG] selected peer config "ios_IPSec_ikev1"
Apr  8 11:31:32 s1 charon: 12[CFG]   using trusted ca certificate "C=LT, S=Vilniaus m., L=Vilnius, O=Zeusman MB, CN=vpn.zeusman.lt"
Apr  8 11:31:32 s1 charon: 12[CFG] checking certificate status of "C=GB, O=Zeusman MB, CN=Tadas Blinda"
Apr  8 11:31:32 s1 charon: 12[CFG] certificate status is not available
Apr  8 11:31:32 s1 charon: 12[CFG]   reached self-signed root ca with a path length of 0
Apr  8 11:31:32 s1 charon: 12[CFG]   using trusted certificate "C=GB, O=Zeusman MB, CN=Tadas Blinda"
Apr  8 11:31:32 s1 charon: 12[IKE] authentication of 'C=GB, O=Zeusman MB, CN=Tadas Blinda' with RSA successful
Apr  8 11:31:32 s1 charon: 12[IKE] authentication of 'C=LT, S=Vilniaus m., L=Vilnius, O=Zeusman MB, CN=vpn.zeusman.lt' (myself) successful
Apr  8 11:31:32 s1 charon: 12[ENC] generating ID_PROT response 0 [ ID SIG ]
Apr  8 11:31:32 s1 charon: 12[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (412 bytes)
Apr  8 11:31:32 s1 charon: 12[ENC] generating TRANSACTION request 3632658472 [ HASH CPRQ(X_USER X_PWD) ]
Apr  8 11:31:32 s1 charon: 12[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (76 bytes)
Apr  8 11:31:32 s1 charon: 13[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (92 bytes)
Apr  8 11:31:32 s1 charon: 13[ENC] invalid HASH_V1 payload length, decryption failed?
Apr  8 11:31:32 s1 charon: 13[ENC] could not decrypt payloads
Apr  8 11:31:32 s1 charon: 13[IKE] message parsing failed
Apr  8 11:31:32 s1 charon: 13[IKE] ignore malformed INFORMATIONAL request
Apr  8 11:31:32 s1 charon: 13[IKE] INFORMATIONAL_V1 request with message ID 2246676801 processing failed
Apr  8 11:31:35 s1 charon: 15[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (1228 bytes)
Apr  8 11:31:35 s1 charon: 15[IKE] received retransmit of request with ID 0, retransmitting response
Apr  8 11:31:35 s1 charon: 15[NET] sending packet: from 78.60.3.52[500] to 10.0.0.11[500] (412 bytes)
Apr  8 11:31:35 s1 charon: 05[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (92 bytes)
Apr  8 11:31:35 s1 charon: 05[ENC] invalid HASH_V1 payload length, decryption failed?
Apr  8 11:31:35 s1 charon: 05[ENC] could not decrypt payloads
Apr  8 11:31:35 s1 charon: 05[IKE] message parsing failed
Apr  8 11:31:35 s1 charon: 05[IKE] ignore malformed INFORMATIONAL request

Last edited by kemeris; 04-08-2014 at 05:46 AM.
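
A log-triage example for the charon output in the post above, added here and not part of the original post: it reports which conn charon selected (the log shows "ios_IPSec_ikev1", a conn that is not in the posted ipsec.conf, rather than "android_IPSec_ikev1") and which exchange failed to decrypt after the XAuth request. The function name `triage`, the `expected_conn` parameter and the result keys are assumptions of this example; the sample lines are copied from the post's log.

```python
import re

# Sample input: a subset of the charon lines quoted in the post above.
SAMPLE = """\
Apr  8 11:31:32 s1 charon: 12[CFG] looking for XAuthInitRSA peer configs matching 78.60.3.52...10.0.0.11[C=GB, O=Zeusman MB, CN=Tadas Blinda]
Apr  8 11:31:32 s1 charon: 12[CFG] selected peer config "ios_IPSec_ikev1"
Apr  8 11:31:32 s1 charon: 12[ENC] generating TRANSACTION request 3632658472 [ HASH CPRQ(X_USER X_PWD) ]
Apr  8 11:31:32 s1 charon: 13[NET] received packet: from 10.0.0.11[500] to 78.60.3.52[500] (92 bytes)
Apr  8 11:31:32 s1 charon: 13[ENC] invalid HASH_V1 payload length, decryption failed?
Apr  8 11:31:32 s1 charon: 13[IKE] INFORMATIONAL_V1 request with message ID 2246676801 processing failed
"""

LINE = re.compile(r"charon: (\d+)\[(\w+)\]\s+(.*)$")

# triage(), expected_conn and the result keys are this example's own names.
def triage(log, expected_conn):
    """Summarise one IKEv1 attempt from charon syslog lines."""
    out = {"auth_class": None, "selected": None, "conn_mismatch": False,
           "xauth_requested": False, "decrypt_failures": 0, "failed_exchanges": []}
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        _thread, subsys, msg = m.groups()
        if subsys == "CFG":
            if (c := re.match(r"looking for (\S+) peer configs", msg)):
                out["auth_class"] = c.group(1)
            elif (c := re.match(r'selected peer config "([^"]+)"', msg)):
                out["selected"] = c.group(1)
                out["conn_mismatch"] = c.group(1) != expected_conn
        elif subsys == "ENC":
            if "generating TRANSACTION request" in msg and "X_USER" in msg:
                out["xauth_requested"] = True
            elif "decryption failed?" in msg:
                out["decrypt_failures"] += 1
        elif subsys == "IKE":
            if (c := re.match(r"(\w+) request with message ID (\d+) processing failed", msg)):
                out["failed_exchanges"].append((c.group(1), int(c.group(2))))
    return out

if __name__ == "__main__":
    for k, v in triage(SAMPLE, "android_IPSec_ikev1").items():
        print(f"{k}: {v}")
```
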
 
  

