I imported certificates to Android and Astaro ASG, but I keep getting errors in the logs. I thought that it might be a problem with external certificates, so I tried to use certs generated by ASG. I had a problem exporting the user certificate. First of all, Android doesn't accept a chained PKCS#12. I followed a guide to unchain the PKCS#12, but apparently there was a password mismatch between the one I declared in ASG for the exported user-account certificate and the one used during the process of unpacking the PKCS#12 with openssl. Seems like an Astaro bug to me. I created another certificate, and that one didn't have the password problem. I tested the following three pairs of certificates:
1. Original certs (DN type)
2. Built-in ASG user certificates (e-mail type)
3. Self-generated in ASG user certificates (IP type)
The second pair couldn't be tested because, as I mentioned above, it wasn't possible to export the user certificate to the Android smartphone.
The communication looks as follows:
Android -> Wi-Fi Router -> ADSL connection (Internet) -> Astaro ASG
192.168.1.104 -> (Internal IP 192.168.1.1, External IP 83.20.75.202) -> 170.170.170.170 (Astaro ASG)
Android is behind NAT set up on the Wi-Fi router. ASG has an external public IP in a completely different network.
Logs for the first pair of certificates are pasted below:
2011:02:14-12:20:20 asg pluto[1047]: packet from 83.20.75.202:500: received Vendor ID payload [RFC 3947]
2011:02:14-12:20:20 asg pluto[1047]: packet from 83.20.75.202:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2011:02:14-12:20:20 asg pluto[1047]: packet from 83.20.75.202:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2011:02:14-12:20:20 asg pluto[1047]: packet from 83.20.75.202:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2011:02:14-12:20:20 asg pluto[1047]: packet from 83.20.75.202:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: responding to Main Mode from unknown peer 83.20.75.202
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: NAT-Traversal: Result using RFC 3947: peer is NATed
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: Peer ID is ID_IPV4_ADDR: '192.168.1.104'
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: crl not found
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: certificate status unknown
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: no public key known for '192.168.1.104'
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: sending encrypted notification INVALID_KEY_INFORMATION to 83.20.75.202:500
2011:02:14-12:20:30 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: Peer ID is ID_IPV4_ADDR: '192.168.1.104'
2011:02:14-12:20:30 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: crl not found
2011:02:14-12:20:30 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: certificate status unknown
2011:02:14-12:20:30 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: no public key known for '192.168.1.104'
2011:02:14-12:20:30 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: sending encrypted notification INVALID_KEY_INFORMATION to 83.20.75.202:500
2011:02:14-12:20:40 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: Peer ID is ID_IPV4_ADDR: '192.168.1.104'
2011:02:14-12:20:40 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: crl not found
2011:02:14-12:20:40 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: certificate status unknown
2011:02:14-12:20:40 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: no public key known for '192.168.1.104'
2011:02:14-12:20:40 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: sending encrypted notification INVALID_KEY_INFORMATION to 83.20.75.202:500
2011:02:14-12:20:50 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: Peer ID is ID_IPV4_ADDR: '192.168.1.104'
2011:02:14-12:20:50 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: crl not found
2011:02:14-12:20:50 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: certificate status unknown
2011:02:14-12:20:50 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: no public key known for '192.168.1.104'
2011:02:14-12:20:50 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: sending encrypted notification INVALID_KEY_INFORMATION to 83.20.75.202:500
2011:02:14-12:21:30 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: max number of retransmissions (2) reached STATE_MAIN_R2
2011:02:14-12:21:30 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202: deleting connection "D_REF_KQynzieBcy" instance with peer 83.20.75.202 {isakmp=#0/ipsec=#0}
The question is: is it possible to have Remote VPN IPsec/L2TP (with certs!) working with Android at all?
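As an added triage example (not code from the original post, from Astaro or from pluto itself), the script below parses pluto lines like the ones quoted and explains each failed Main Mode attempt in terms of peer identity, CRL availability and key lookup. The sample input is a constructed excerpt of the quoted lines, and the wording of each finding is an assumption about how pluto reports these conditions.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the pluto lines quoted in the post above.
SAMPLE_LOG = """\
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: responding to Main Mode from unknown peer 83.20.75.202
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: NAT-Traversal: Result using RFC 3947: peer is NATed
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: Peer ID is ID_IPV4_ADDR: '192.168.1.104'
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: crl not found
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: certificate status unknown
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: no public key known for '192.168.1.104'
2011:02:14-12:20:20 asg pluto[1047]: "D_REF_KQynzieBcy"[1] 83.20.75.202 #5: sending encrypted notification INVALID_KEY_INFORMATION to 83.20.75.202:500
"""
LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] '
                     r'(?P<peer>[\d.]+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$')
PEER_ID_RE = re.compile(r"Peer ID is (?P<type>\w+): '(?P<value>[^']+)'")

def parse_pluto(text):
    """Group messages per IKE SA: {(conn, sa): [msg, ...]}; lines without an SA number are skipped."""
    by_sa = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["sa"]:
            by_sa.setdefault((m["conn"], m["sa"]), []).append(m["msg"])
    return by_sa

def diagnose(text):
    """Explain each failed Main Mode attempt: who the peer claims to be, and why the gateway refused."""
    reports = []
    for (conn, sa), msgs in parse_pluto(text).items():
        r = {"conn": conn, "sa": sa, "natted": False, "peer_id": None, "findings": []}
        for msg in msgs:
            pid = PEER_ID_RE.search(msg)
            if "peer is NATed" in msg:
                r["natted"] = True
            elif pid:
                r["peer_id"] = (pid["type"], pid["value"])
            elif msg == "crl not found":
                r["findings"].append("no CRL available for the issuing CA, so revocation status stays unknown")
            elif msg.startswith("no public key known for"):
                r["findings"].append("no certificate/key bound to the peer ID: it must match a subject or SAN of the certificate the gateway holds for this client")
            elif "INVALID_KEY_INFORMATION" in msg:
                r["findings"].append("gateway rejected Main Mode with INVALID_KEY_INFORMATION")
        # The gateway looks up the ID the client sends, not the public source address it arrives from.
        if (r["natted"] and r["peer_id"] and r["peer_id"][0] == "ID_IPV4_ADDR"
                and ipaddress.ip_address(r["peer_id"][1]).is_private):
            r["findings"].insert(0, "NATed client uses its private address %s as IKE identity; "
                                    "a DN or e-mail identity avoids this NAT dependency" % r["peer_id"][1])
        reports.append(r)
    return reports
```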