trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0

Failure to connect using generated Strongswan profile on Android #836

Closed jearbear closed 6 years ago

jearbear commented 6 years ago

OS / Environment (where do you run Algo on)

Linux sugo 4.15.9-1-ARCH #1 SMP PREEMPT Sun Mar 11 17:54:33 UTC 2018 x86_64 GNU/Linux

Cloud Provider (where do you deploy Algo to)

Digital Ocean

Summary of the problem

Get the error message "Failed to establish VPN: Verifying server authentication failed." when using the Strongswan app in Android 8.1.

Steps to reproduce the behavior

  1. Run the ./algo script to provision a Digital Ocean instance. (used all of the default options)
  2. Import the generated .sswan config into the Strongswan app
  3. Attempt to connect to the profile

Full log

Mar 18 22:49:05 00[DMN] Starting IKE charon daemon (strongSwan 5.6.1dr3, Android 8.1.0 - OPM3.171019.013/2018-01-05, Nexus 6P - google/angler/Huawei, Linux 3.10.73-g5a720136d4a, aarch64)
Mar 18 22:49:05 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Mar 18 22:49:05 00[JOB] spawning 16 worker threads
Mar 18 22:49:05 06[CFG] loaded user certificate 'CN=jerry' and private key
Mar 18 22:49:05 06[IKE] initiating IKE_SA android[2] to 159.65.105.246
Mar 18 22:49:05 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 18 22:49:05 06[NET] sending packet: from 192.168.0.111[39531] to 159.65.105.246[500] (704 bytes)
Mar 18 22:49:05 04[NET] received packet: from 159.65.105.246[500] to 192.168.0.111[39531] (289 bytes)
Mar 18 22:49:05 04[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 18 22:49:05 04[IKE] local host is behind NAT, sending keep alives
Mar 18 22:49:05 04[IKE] received 1 cert requests for an unknown ca
Mar 18 22:49:05 04[IKE] authentication of 'CN=jerry' (myself) with ECDSA_WITH_SHA256_DER successful
Mar 18 22:49:05 04[IKE] sending end entity cert "CN=jerry"
Mar 18 22:49:05 04[IKE] establishing CHILD_SA android{2}
Mar 18 22:49:05 04[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 18 22:49:05 04[ENC] splitting IKE message with length of 3776 bytes into 4 fragments
Mar 18 22:49:05 04[ENC] generating IKE_AUTH request 1 [ EF(1/4) ]
Mar 18 22:49:05 04[ENC] generating IKE_AUTH request 1 [ EF(2/4) ]
Mar 18 22:49:05 04[ENC] generating IKE_AUTH request 1 [ EF(3/4) ]
Mar 18 22:49:05 04[ENC] generating IKE_AUTH request 1 [ EF(4/4) ]
Mar 18 22:49:05 04[NET] sending packet: from 192.168.0.111[42265] to 159.65.105.246[4500] (1248 bytes)
Mar 18 22:49:05 04[NET] sending packet: from 192.168.0.111[42265] to 159.65.105.246[4500] (1248 bytes)
Mar 18 22:49:05 04[NET] sending packet: from 192.168.0.111[42265] to 159.65.105.246[4500] (1248 bytes)
Mar 18 22:49:05 04[NET] sending packet: from 192.168.0.111[42265] to 159.65.105.246[4500] (219 bytes)
Mar 18 22:49:05 10[NET] received packet: from 159.65.105.246[4500] to 192.168.0.111[42265] (441 bytes)
Mar 18 22:49:05 10[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Mar 18 22:49:05 10[ENC] received fragment #2 of 2, waiting for complete IKE message
Mar 18 22:49:05 09[NET] received packet: from 159.65.105.246[4500] to 192.168.0.111[42265] (544 bytes)
Mar 18 22:49:05 09[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Mar 18 22:49:05 09[ENC] received fragment #1 of 2, reassembling fragmented IKE message
Mar 18 22:49:05 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Mar 18 22:49:05 09[IKE] received end entity cert "CN=159.65.105.246"
Mar 18 22:49:05 09[CFG]   using certificate "CN=159.65.105.246"
Mar 18 22:49:05 09[CFG] no issuer certificate found for "CN=159.65.105.246"
Mar 18 22:49:05 09[CFG]   issuer is "CN=159.65.105.246"
Mar 18 22:49:05 09[IKE] no trusted ECDSA public key found for '159.65.105.246'
Mar 18 22:49:05 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Mar 18 22:49:05 09[NET] sending packet: from 192.168.0.111[42265] to 159.65.105.246[4500] (65 bytes)

For what it's worth, I've tried several times, both manually creating the profile and using the generated one, and the same issue occurs.
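An added triage example (not part of the original report, and not code from Algo or strongSwan): a Python parser that pulls the server-authentication findings out of a strongSwan client log like the one above and classifies the failure. The function names and verdict strings are assumptions made for this example; the sample lines are excerpted from the log in this report.

```python
import re

# Excerpt of the client log from this report, trimmed to the lines that
# describe how the server certificate was evaluated.
SAMPLE_LOG = """\
Mar 18 22:49:05 06[CFG] loaded user certificate 'CN=jerry' and private key
Mar 18 22:49:05 04[IKE] received 1 cert requests for an unknown ca
Mar 18 22:49:05 09[IKE] received end entity cert "CN=159.65.105.246"
Mar 18 22:49:05 09[CFG]   using certificate "CN=159.65.105.246"
Mar 18 22:49:05 09[CFG] no issuer certificate found for "CN=159.65.105.246"
Mar 18 22:49:05 09[CFG]   issuer is "CN=159.65.105.246"
Mar 18 22:49:05 09[IKE] no trusted ECDSA public key found for '159.65.105.246'
Mar 18 22:49:05 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
"""

# "<Mon> <day> <hh:mm:ss> <thread>[<SUBSYSTEM>] <message>"
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\d+\[(\w+)\]\s+(.*)$")

# Message patterns, all taken from lines that appear in the log above.
PATTERNS = {
    "client_cert": re.compile(r"loaded user certificate '([^']+)'"),
    "unknown_ca_certreqs": re.compile(r"received (\d+) cert requests for an unknown ca"),
    "server_cert": re.compile(r'received end entity cert "([^"]+)"'),
    "missing_issuer_for": re.compile(r'no issuer certificate found for "([^"]+)"'),
    "issuer": re.compile(r'^issuer is "([^"]+)"'),
    "untrusted_key": re.compile(r"no trusted (\w+) public key found for '([^']+)'"),
}


def parse(log_text):
    """Collect the certificate-trust findings from a charon client log."""
    findings = {"auth_failed_sent": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a charon log line
        subsystem, msg = m.groups()
        # The client itself aborts the exchange by sending N(AUTH_FAILED).
        if subsystem == "ENC" and msg.startswith("generating") and "N(AUTH_FAILED)" in msg:
            findings["auth_failed_sent"] = True
        for key, pattern in PATTERNS.items():
            hit = pattern.search(msg)
            if hit:
                groups = hit.groups()
                findings[key] = groups[0] if len(groups) == 1 else groups
    return findings


def diagnose(findings):
    """Map findings to a short verdict string (hypothetical labels)."""
    if not findings["auth_failed_sent"]:
        return "no-auth-failure"
    if "missing_issuer_for" in findings and "untrusted_key" in findings:
        # The client could not build a chain from the server certificate
        # to any CA it trusts, so it rejected the server and gave up.
        return "server-cert-untrusted"
    return "auth-failed-other"


if __name__ == "__main__":
    result = parse(SAMPLE_LOG)
    for key, value in sorted(result.items()):
        print(f"{key}: {value}")
    print("verdict:", diagnose(result))
```

A `server-cert-untrusted` verdict points at the client's trust anchors: compare the reported `issuer` with the CA certificate that was imported with the profile.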

jackivanov commented 6 years ago

Probably related to https://github.com/trailofbits/algo/pull/835. I will file a PR later today.

jackivanov commented 6 years ago

@jearbear Could you, please, check if the PR above works for you?

jearbear commented 6 years ago

@jackivanov Yup, the PR fixed the issue for me. Thank you so much!