Closed fuckbaike closed 10 months ago
@fuckbaike Hello! For Android devices it is recommended to import the .sswan
file and connect using the strongSwan VPN client. Instructions: English, 中文.
On the other hand, if you manually import the .p12
file and connect using the strongSwan VPN client, do the following step: Edit the VPN connection and tap Show advanced settings. Scroll down, find and enable the Use RSA/PSS signatures
option. For more details, expand "If you manually set up IKEv2 without using the helper script..." in the linked instructions above.
This is an interop problem with strongswan, which doesn't keep to RFC 8221 recommendations about RSA-PSS.

Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: authentication failed: no acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig

See the libreswan test case for a workaround in the strongswan.conf file in the interop-strongswan-IKEv2 something rsa-pss test case at https://github.com/libreswan/libreswan/tree/main/testing/pluto (Sorry on phone, can't check exact test name)

Sent using a virtual keyboard on a phone

On Dec 30, 2023, at 03:56, fuckbaike @.***> wrote:
> Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: authentication failed: no acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig
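The strongswan.conf knob that this kind of workaround turns on, shown here as an added example rather than the contents of the libreswan test case (which are not reproduced on this page): the charon.rsa_pss setting of the strongSwan daemon. It defaults to no, in which case strongSwan produces RSA PKCS#1 v1.5 signatures even when it advertises SHA-2 hashes, and a libreswan responder using rsasig authentication then logs exactly the "no acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal" line quoted above. That this is the specific setting the referenced test case uses is an assumption; the Android app's "Use RSA/PSS signatures" switch mentioned earlier in the thread is the same choice exposed in the client UI.

```conf
# strongswan.conf fragment (added example; not taken from this page or from
# the libreswan test suite). Applies to the strongSwan charon daemon, i.e. a
# strongSwan-based client or server, not to the Android app, which has a
# UI toggle for the same thing.
charon {
    # Default is "no": RSA signatures use PKCS#1 v1.5 padding, which a
    # libreswan peer expecting RSA-PSS for SHA-2 hashes rejects with
    #   authentication failed: no acceptable ECDSA/RSA-PSS ASN.1 signature
    #   hash proposal included for rsasig
    # Setting it to "yes" makes strongSwan sign with RSASSA-PSS instead.
    rsa_pss = yes
}
```

After changing this, restart the daemon (the setting is read at startup) and re-run the connection; a successful IKE_AUTH on the libreswan side shows an "established IKE SA; authenticated using ..." line instead of the AUTHENTICATION_FAILED notification.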
Describe the issue I set up the VPN server on the VPS and generated the .p12, .sswan and .mobileconfig files. I set up the connection step by step just as the guide shows. It runs very well on my Windows 11 laptop, but it does not work on my Android 13 phone.
Logs

Log1: Dec 29 23:21 It ran perfectly on my laptop [OS: Windows 11 without firewall]

Dec 29 23:21:13 www pluto[1466]: "ikev2-cp"[275] X.X.X.X #429: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
Dec 29 23:21:13 www pluto[1466]: "ikev2-cp"[275] X.X.X.X #429: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Dec 29 23:21:13 www pluto[1466]: "ikev2-cp"[275] X.X.X.X #429: processing decrypted IKE_AUTH request: SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr}
Dec 29 23:21:13 www pluto[1466]: "ikev2-cp"[275] X.X.X.X #429: ignoring CERTREQ payload that is not ASN1
Dec 29 23:21:13 www pluto[1466]: "ikev2-cp"[275] X.X.X.X #429: established IKE SA; authenticated using RSA with SHA1 and peer certificate 'CN=vpnclient, O=IKEv2 VPN' issued by CA 'CN=IKEv2 VPN CA, O=IKEv2 VPN'
Dec 29 23:21:13 www pluto[1466]: "ikev2-cp"[275] X.X.X.X #430: proposal 1:ESP=AES_GCM_C_128-DISABLED SPI=59c088e8 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED[first-match]
Dec 29 23:21:13 www pluto[1466]: "ikev2-cp"[275] X.X.X.X #430: established Child SA using #429; IPsec tunnel [0.0.0.0-255.255.255.255:0-65535 0] -> [192.168.43.10-192.168.43.10:0-65535 0] {ESPinUDP=>0x59c088e8 <0x0b031dc1 xfrm=AES_GCM_16_128-NONE NATD=X.X.X.X:20502 DPD=active}
It does not work when I download the .p12 file to my Android 13 Redmi cellphone, import it as a CA certificate and set up a strongSwan VPN connection, as the following Log2 shows:

Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;PRF=HMAC_SHA2_256;DH=MODP2048[first-match]
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: sent IKE_SA_INIT reply {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: processing decrypted IKE_AUTH request: SK{IDi,CERT,N,CERTREQ,AUTH,CP,SA,TSi,TSr,N,N,N,N}
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: ignoring CERTREQ payload that is not ASN1
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: authentication failed: no acceptable ECDSA/RSA-PSS ASN.1 signature hash proposal included for rsasig
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: responding to IKE_AUTH message (ID 1) from X.X.X.X:20732 with encrypted notification AUTHENTICATION_FAILED
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: encountered fatal error in state STATE_V2_PARENT_R1
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X #20: deleting state (STATE_V2_PARENT_R1) aged 0.333826s and NOT sending notification
Dec 30 01:56:46 www pluto[20136]: "ikev2-cp"[19] X.X.X.X: deleting connection instance with peer X.X.X.X {isakmp=#0/ipsec=#0}
I compared the logs; the IKE_AUTH requests were not the same: SK{IDi,CERT,CERTREQ,AUTH,N,CP,SA,TSi,TSr} in log1 [VPN works on Windows 11], while SK{IDi,CERT,N,CERTREQ,AUTH,CP,SA,TSi,TSr,N,N,N,N} in log2 [VPN does not work on Android 13 phone].
I've no idea about whether you can read Chinese, please forgive me for my poor English.