Android 4.1を実行しているデバイスとstrongSwan5.0を実行しているFedora17 Linuxボックスの間にVPNトンネルを構成しようとしています。デバイスは接続されていると報告し、strongSwan statusall
はそこにそれを返しますはIKESAですが、トンネルは表示されません。wikiで iOSの手順 を使用して証明書を生成し、strongSwanを構成しました。Androidは変更されたものを使用するためracoonのバージョンではこれが機能するはずであり、接続が部分的に確立されているので、私は正しい方向に進んでいると思います。トンネルを作成できないことに関するエラーは表示されません。
これはstrongSwan接続の構成です
conn Android2
keyexchange=ikev1
authby=xauthrsasig
xauth=server
left=96.244.142.28
leftsubnet=0.0.0.0/0
leftfirewall=yes
leftcert=serverCert.pem
right=%any
rightsubnet=10.0.0.0/24
rightsourceip=10.0.0.2
rightcert=clientCert.pem
ike=aes256-sha1-modp1024
auto=add
これはstrongswan statusall
の出力です
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64):
uptime: 20 minutes, since Oct 31 10:27:31 2012
malloc: sbrk 270336, mmap 0, used 198144, free 72192
worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Virtual IP pools (size/online/offline):
Android-hybrid: 1/0/0
Android2: 1/1/0
Listening IP addresses:
96.244.142.28
Connections:
Android-hybrid: %any...%any IKEv1
Android-hybrid: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
Android-hybrid: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
Android-hybrid: remote: [%any] uses XAuth authentication: any
Android-hybrid: child: dynamic === dynamic TUNNEL
Android2: 96.244.142.28...%any IKEv1
Android2: local: [C=CH, O=strongSwan, CN=vpn.strongswan.org] uses public key authentication
Android2: cert: "C=CH, O=strongSwan, CN=vpn.strongswan.org"
Android2: remote: [C=CH, O=strongSwan, CN=client] uses public key authentication
Android2: cert: "C=CH, O=strongSwan, CN=client"
Android2: remote: [%any] uses XAuth authentication: any
Android2: child: 0.0.0.0/0 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
Android2[3]: ESTABLISHED 10 seconds ago, 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
Android2[3]: Remote XAuth identity: Android
Android2[3]: IKEv1 SPIs: 4151e371ad46b20d_i 59a56390d74792d2_r*, public key reauthentication in 56 minutes
Android2[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
ip -s xfrm policy
の出力
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 3819 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:39
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 3812 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:22
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 3803 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:20
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 3796 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:29:08 use 2012-10-31 13:29:20
そのため、デバイスとstrongswanの間にSAがありますが、接続用のxfrmポリシーは作成されていません。Androidでip -s xfrm policy
を実行しています=デバイスの結果は次のようになります。
src 0.0.0.0/0 dst 10.0.0.2/32 uid 0
dir in action allow index 40 priority 2147483648 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:08 use -
tmpl src 96.244.142.28 dst 25.239.33.30
proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel
level required share any
enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
src 10.0.0.2/32 dst 0.0.0.0/0 uid 0
dir out action allow index 33 priority 2147483648 share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-10-31 13:42:08 use -
tmpl src 25.239.33.30 dst 96.244.142.28
proto esp spi 0x00000000(0) reqid 0(0x00000000) mode tunnel
level required share any
enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
カロンからのログ:
00[DMN] Starting IKE charon daemon (strongSwan 5.0.0, Linux 3.3.4-5.fc17.x86_64, x86_64)
00[KNL] listening on interfaces:
00[KNL] em1
00[KNL] 96.244.142.28
00[KNL] fe80::224:e8ff:fed2:18b2
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=strongSwan, CN=strongSwan CA" from '/etc/strongswan/ipsec.d/cacerts/caCert.pem'
00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/clientKey.pem'
00[CFG] loaded IKE secret for %any
00[CFG] loaded EAP secret for Android
00[CFG] loaded EAP secret for Android
00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
08[NET] waiting for data on sockets
16[LIB] created thread 16 [15338]
16[JOB] started worker thread 16
11[CFG] received stroke: add connection 'Android-hybrid'
11[CFG] conn Android-hybrid
11[CFG] left=%any
11[CFG] leftsubnet=(null)
11[CFG] leftsourceip=(null)
11[CFG] leftauth=pubkey
11[CFG] leftauth2=(null)
11[CFG] leftid=(null)
11[CFG] leftid2=(null)
11[CFG] leftrsakey=(null)
11[CFG] leftcert=serverCert.pem
11[CFG] leftcert2=(null)
11[CFG] leftca=(null)
11[CFG] leftca2=(null)
11[CFG] leftgroups=(null)
11[CFG] leftupdown=ipsec _updown iptables
11[CFG] right=%any
11[CFG] rightsubnet=(null)
11[CFG] rightsourceip=96.244.142.3
11[CFG] rightauth=xauth
11[CFG] rightauth2=(null)
11[CFG] rightid=%any
11[CFG] rightid2=(null)
11[CFG] rightrsakey=(null)
11[CFG] rightcert=(null)
11[CFG] rightcert2=(null)
11[CFG] rightca=(null)
11[CFG] rightca2=(null)
11[CFG] rightgroups=(null)
11[CFG] rightupdown=(null)
11[CFG] eap_identity=(null)
11[CFG] aaa_identity=(null)
11[CFG] xauth_identity=(null)
11[CFG] ike=aes256-sha1-modp1024
11[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536
11[CFG] dpddelay=30
11[CFG] dpdtimeout=150
11[CFG] dpdaction=0
11[CFG] closeaction=0
11[CFG] mediation=no
11[CFG] mediated_by=(null)
11[CFG] me_peerid=(null)
11[CFG] keyexchange=ikev1
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[KNL] getting interface name for %any
11[KNL] %any is not a local address
11[CFG] left nor right Host is our side, assuming left=local
11[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem'
11[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org'
11[CFG] added configuration 'Android-hybrid'
11[CFG] adding virtual IP address pool 'Android-hybrid': 96.244.142.3/32
13[CFG] received stroke: add connection 'Android2'
13[CFG] conn Android2
13[CFG] left=96.244.142.28
13[CFG] leftsubnet=0.0.0.0/0
13[CFG] leftsourceip=(null)
13[CFG] leftauth=pubkey
13[CFG] leftauth2=(null)
13[CFG] leftid=(null)
13[CFG] leftid2=(null)
13[CFG] leftrsakey=(null)
13[CFG] leftcert=serverCert.pem
13[CFG] leftcert2=(null)
13[CFG] leftca=(null)
13[CFG] leftca2=(null)
13[CFG] leftgroups=(null)
13[CFG] leftupdown=ipsec _updown iptables
13[CFG] right=%any
13[CFG] rightsubnet=10.0.0.0/24
13[CFG] rightsourceip=10.0.0.2
13[CFG] rightauth=pubkey
13[CFG] rightauth2=xauth
13[CFG] rightid=(null)
13[CFG] rightid2=(null)
13[CFG] rightrsakey=(null)
13[CFG] rightcert=clientCert.pem
13[CFG] rightcert2=(null)
13[CFG] rightca=(null)
13[CFG] rightca2=(null)
13[CFG] rightgroups=(null)
13[CFG] rightupdown=(null)
13[CFG] eap_identity=(null)
13[CFG] aaa_identity=(null)
13[CFG] xauth_identity=(null)
13[CFG] ike=aes256-sha1-modp1024
13[CFG] esp=aes128-sha1-modp2048,3des-sha1-modp1536
13[CFG] dpddelay=30
13[CFG] dpdtimeout=150
13[CFG] dpdaction=0
13[CFG] closeaction=0
13[CFG] mediation=no
13[CFG] mediated_by=(null)
13[CFG] me_peerid=(null)
13[CFG] keyexchange=ikev0
13[KNL] getting interface name for %any
13[KNL] %any is not a local address
13[KNL] getting interface name for 96.244.142.28
13[KNL] 96.244.142.28 is on interface em1
13[CFG] loaded certificate "C=CH, O=strongSwan, CN=vpn.strongswan.org" from 'serverCert.pem'
13[CFG] id '96.244.142.28' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=vpn.strongswan.org'
13[CFG] loaded certificate "C=CH, O=strongSwan, CN=client" from 'clientCert.pem'
13[CFG] id '%any' not confirmed by certificate, defaulting to 'C=CH, O=strongSwan, CN=client'
13[CFG] added configuration 'Android2'
13[CFG] adding virtual IP address pool 'Android2': 10.0.0.2/32
08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
15[CFG] looking for an ike config for 96.244.142.28...208.54.35.241
15[CFG] candidate: %any...%any, prio 2
15[CFG] candidate: 96.244.142.28...%any, prio 5
15[CFG] found matching ike config: 96.244.142.28...%any with prio 5
01[JOB] next event in 29s 999ms, waiting
15[IKE] received NAT-T (RFC 3947) vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
15[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
15[IKE] received XAuth vendor ID
15[IKE] received Cisco Unity vendor ID
15[IKE] received DPD vendor ID
15[IKE] 208.54.35.241 is initiating a Main Mode IKE_SA
15[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
15[CFG] selecting proposal:
15[CFG] proposal matches
15[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
15[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
15[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
15[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
15[MGR] checkin IKE_SA (unnamed)[1]
15[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
08[NET] waiting for data on sockets
07[MGR] checkout IKE_SA by message
07[MGR] IKE_SA (unnamed)[1] successfully checked out
07[NET] received packet: from 208.54.35.241[32235] to 96.244.142.28[500]
07[LIB] size of DH secret exponent: 1023 bits
07[IKE] remote Host is behind NAT
07[IKE] sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
07[ENC] generating NAT_D_V1 payload finished
07[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
07[MGR] checkin IKE_SA (unnamed)[1]
07[MGR] check-in of IKE_SA successful.
04[NET] sending packet: from 96.244.142.28[500] to 208.54.35.241[32235]
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
10[IKE] ignoring certificate request without data
10[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
10[CFG] looking for XAuthInitRSA peer configs matching 96.244.142.28...208.54.35.241[C=CH, O=strongSwan, CN=client]
10[CFG] candidate "Android-hybrid", match: 1/1/2/2 (me/other/ike/version)
10[CFG] candidate "Android2", match: 1/20/5/1 (me/other/ike/version)
10[CFG] selected peer config "Android2"
10[CFG] certificate "C=CH, O=strongSwan, CN=client" key: 2048 bit RSA
10[CFG] using trusted ca certificate "C=CH, O=strongSwan, CN=strongSwan CA"
10[CFG] checking certificate status of "C=CH, O=strongSwan, CN=client"
10[CFG] ocsp check skipped, no ocsp found
10[CFG] certificate status is not available
10[CFG] certificate "C=CH, O=strongSwan, CN=strongSwan CA" key: 2048 bit RSA
10[CFG] reached self-signed root ca with a path length of 0
10[CFG] using trusted certificate "C=CH, O=strongSwan, CN=client"
10[IKE] authentication of 'C=CH, O=strongSwan, CN=client' with RSA successful
10[ENC] added payload of type ID_V1 to message
10[ENC] added payload of type SIGNATURE_V1 to message
10[IKE] authentication of 'C=CH, O=strongSwan, CN=vpn.strongswan.org' (myself) successful
10[IKE] queueing XAUTH task
10[IKE] sending end entity cert "C=CH, O=strongSwan, CN=vpn.strongswan.org"
10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
10[IKE] activating new tasks
10[IKE] activating XAUTH task
10[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
01[JOB] next event in 3s 999ms, waiting
10[MGR] checkin IKE_SA Android2[1]
10[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
08[NET] waiting for data on sockets
12[MGR] checkout IKE_SA by message
12[MGR] IKE_SA Android2[1] successfully checked out
12[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
12[MGR] checkin IKE_SA Android2[1]
12[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
16[MGR] checkout IKE_SA by message
16[MGR] IKE_SA Android2[1] successfully checked out
16[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
08[NET] waiting for data on sockets
16[IKE] XAuth authentication of 'Android' successful
16[IKE] reinitiating already active tasks
16[IKE] XAUTH task
16[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
16[MGR] checkin IKE_SA Android2[1]
01[JOB] next event in 3s 907ms, waiting
16[MGR] check-in of IKE_SA successful.
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
09[MGR] checkout IKE_SA by message
09[MGR] IKE_SA Android2[1] successfully checked out
09[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500] .8rS
09[IKE] IKE_SA Android2[1] established between 96.244.142.28[C=CH, O=strongSwan, CN=vpn.strongswan.org]...208.54.35.241[C=CH, O=strongSwan, CN=client]
09[IKE] IKE_SA Android2[1] state change: CONNECTING => ESTABLISHED
09[IKE] scheduling reauthentication in 3409s
09[IKE] maximum IKE_SA lifetime 3589s
09[IKE] activating new tasks
09[IKE] nothing to initiate
09[MGR] checkin IKE_SA Android2[1]
09[MGR] check-in of IKE_SA successful.
09[MGR] checkout IKE_SA
09[MGR] IKE_SA Android2[1] successfully checked out
09[MGR] checkin IKE_SA Android2[1]
09[MGR] check-in of IKE_SA successful.
01[JOB] next event in 3s 854ms, waiting
08[NET] waiting for data on sockets
08[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
14[MGR] checkout IKE_SA by message
14[MGR] IKE_SA Android2[1] successfully checked out
14[NET] received packet: from 208.54.35.241[35595] to 96.244.142.28[4500]
14[IKE] processing INTERNAL_IP4_ADDRESS attribute
14[IKE] processing INTERNAL_IP4_NETMASK attribute
14[IKE] processing INTERNAL_IP4_DNS attribute
14[IKE] processing INTERNAL_IP4_NBNS attribute
14[IKE] processing UNITY_BANNER attribute
14[IKE] processing UNITY_DEF_DOMAIN attribute
14[IKE] processing UNITY_SPLITDNS_NAME attribute
14[IKE] processing UNITY_SPLIT_INCLUDE attribute
14[IKE] processing UNITY_LOCAL_LAN attribute
14[IKE] processing APPLICATION_VERSION attribute
14[IKE] peer requested virtual IP %any
14[CFG] assigning new lease to 'Android'
14[IKE] assigning virtual IP 10.0.0.2 to peer 'Android'
14[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
14[MGR] checkin IKE_SA Android2[1]
14[MGR] check-in of IKE_SA successful.
04[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
08[NET] waiting for data on sockets
01[JOB] got event, queuing job for execution
01[JOB] next event in 91ms, waiting
13[MGR] checkout IKE_SA
13[MGR] IKE_SA Android2[1] successfully checked out
13[MGR] checkin IKE_SA Android2[1]
13[MGR] check-in of IKE_SA successful.
01[JOB] got event, queuing job for execution
01[JOB] next event in 24s 136ms, waiting
15[MGR] checkout IKE_SA
15[MGR] IKE_SA Android2[1] successfully checked out
15[MGR] checkin IKE_SA Android2[1]
15[MGR] check-in of IKE_SA successful.
Androidデバイス:
tcpdump: listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
09:58:28.990424 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 504) 10.1.12.140.500 > 96.244.142.28.500: isakmp 1.0 msgid : phase 1 I ident: [|sa]
09:58:29.037879 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 164) 96.244.142.28.500 > 10.1.12.140.500: isakmp 1.0 msgid : phase 1 R ident: [|sa]
09:58:29.058692 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 256) 10.1.12.140.500 > 96.244.142.28.500: isakmp 1.0 msgid : phase 1 I ident: [|ke]
09:58:29.111273 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 337) 96.244.142.28.500 > 10.1.12.140.500: isakmp 1.0 msgid : phase 1 R ident: [|ke]
09:58:29.174781 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1212) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 1 I ident[E]: [encrypted id]
09:58:29.204199 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 1276) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 1 R ident[E]: [encrypted id]
09:58:29.204352 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash]
09:58:29.207953 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I inf[E]: [encrypted hash]
09:58:29.208869 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 140) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash]
09:58:29.283637 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 124) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others ? inf[E]: [encrypted hash]
09:58:29.283881 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash]
09:58:29.285498 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash]
09:58:29.286658 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 156) 10.1.12.140.4500 > 96.244.142.28.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others I #6[E]: [encrypted hash]
09:58:29.323554 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 108) 96.244.142.28.4500 > 10.1.12.140.4500: NONESP-encap: isakmp 1.0 msgid : phase 2/others R #6[E]: [encrypted hash]
09:58:48.447272 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 29) 10.1.12.140.4500 > 96.244.142.28.4500: isakmp-nat-keep-alive
Strongswanマシン:
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:58:29.005470 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 504)
96.244.142.3.isakmp > 96.244.142.28.isakmp: isakmp 1.0 msgid 00000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=8
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0100)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #4 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=aes)(type=keylen value=0080)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))
(t: #5 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #6 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=3des)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))
(t: #7 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=fded)(type=hash value=sha1)(type=group desc value=modp1024))
(t: #8 id=ike (type=lifetype value=sec)(type=lifeduration value=7080)(type=enc value=1des)(type=auth value=fded)(type=hash value=md5)(type=group desc value=modp1024))))
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=16)
(vid: len=8)
(vid: len=16)
(vid: len=20)
(vid: len=16)
09:58:29.021590 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 164)
96.244.142.28.isakmp > 96.244.142.3.isakmp: isakmp 1.0 msgid 00000000: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=fded)(type=lifetype value=sec)(type=lifeduration value=7080))))
(vid: len=8)
(vid: len=16)
(vid: len=16)
09:58:29.065654 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 256)
96.244.142.3.isakmp > 96.244.142.28.isakmp: isakmp 1.0 msgid 00000000: phase 1 I ident:
(ke: key len=128)
(nonce: n len=16)
(pay20)
(pay20)
09:58:29.073252 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 337)
96.244.142.28.isakmp > 96.244.142.3.isakmp: isakmp 1.0 msgid 00000000: phase 1 R ident:
(ke: key len=128)
(nonce: n len=32)
(cr: len=61 type=x509sign)
(pay20)
(pay20)
09:58:29.172970 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 1212)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 I ident[E]: [encrypted id]
09:58:29.182596 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1276)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 00000000: phase 1 R ident[E]: [encrypted id]
09:58:29.183033 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 25eb381b: phase 2/others R #6[E]: [encrypted hash]
09:58:29.250287 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 140)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid bbbe7b6d: phase 2/others I inf[E]: [encrypted hash]
09:58:29.250325 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 140)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 25eb381b: phase 2/others I #6[E]: [encrypted hash]
09:58:29.256037 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid beb336b4: phase 2/others ? inf[E]: [encrypted hash]
09:58:29.257801 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid 15d8cae0: phase 2/others R #6[E]: [encrypted hash]
09:58:29.300333 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 124)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid 15d8cae0: phase 2/others I #6[E]: [encrypted hash]
09:58:29.300362 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 156)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: NONESP-encap: isakmp 1.0 msgid b96496f8: phase 2/others I #6[E]: [encrypted hash]
09:58:29.307755 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 108)
96.244.142.28.ipsec-nat-t > 96.244.142.3.44673: NONESP-encap: isakmp 1.0 msgid b96496f8: phase 2/others R #6[E]: [encrypted hash]
09:58:48.449886 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 29)
96.244.142.3.44673 > 96.244.142.28.ipsec-nat-t: isakmp-nat-keep-alive
09:59:08.488463 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 29)
strongswan statusall
の出力に表示されるSAはIKE_SA(または、ISAKMP SAこれはIKEv1であるため))であり、IPsec SAではありません。したがって、メインモード終了後の何らかの問題。
ModeConfig(仮想IPおよびその他の属性の割り当て)は正常に機能しているようです。これは、AndroidデバイスにインストールされているIPsecポリシーにも反映されています。しかし、不足しているのはクイックモード要求です(そのとき、IPsec SAがネゴシエートされます):
14[IKE] assigning virtual IP 10.0.0.2 to peer 'Android'
14[NET] sending packet: from 96.244.142.28[4500] to 208.54.35.241[35595]
これはAndroidデバイスに送信されるModeConfig応答ですが、charonはその後メッセージを受信しません。
これを再現することができました。この動作は意図的なものです。 ModeConfigが終了し、ISAKMP SAが確立されると、以下がlogcat
に記録されます。
I/racoon (11096): ISAKMP-SA established [...]
D/VpnJni ( 310): Route added on tun0: 0.0.0.0/0
I/LegacyVpnRunner( 310): Connected!
また、ModeConfig中に受信した仮想IP(この場合は10.0.0.2
)がtun0
に追加され、10.0.0.2 <=> 0.0.0.0/0
のIPsecポリシーがカーネルにインストールされます(これは、投稿したip xfrm policies
出力でも確認できます)。
現在、IPsec SAは、トラフィックがアウトバウンドポリシーに一致するまで確立されません。0.0.0.0/0
がリモートトラフィックセレクターとして使用されるため(tun0
経由のルートにも)任意のパケットポリシーに一致するため、トリガークイックモードネゴシエーション。
私の場合、ブラウザを開くとすぐに次のログが記録されました。
I/racoon (15504): initiate new phase 2 negotiation: [...]
I/racoon (15504): NAT detected -> UDP encapsulation (ENC_MODE 1->3).
W/racoon (15504): attribute has been modified.
I/racoon (15504): Adjusting my encmode UDP-Tunnel->Tunnel
I/racoon (15504): Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
W/racoon (15504): low key length proposed, mine:256 peer:128.
W/racoon (15504): authtype mismatched: my:hmac-md5 peer:hmac-sha
I/racoon (15504): IPsec-SA established: ESP/Tunnel [...]
これにより、strongSwanゲートウェイで期待される出力も得られました。
Android2{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: cd7ceff0_i 0e7ab2fc_o
Android2{1}: AES_CBC_128/HMAC_SHA1_96, 60 bytes_i, 0 bytes_o, rekeying in 41 minutes
Android2{1}: 0.0.0.0/0 === 10.0.0.2/32