LINUX.ORG.RU


StrongSwan vs android native client

Yo! Gentlemen, first time posting here; for a couple of days I've been struggling with the following problem: the stock Android client won't connect to the StrongSwan server. But! The Android strongSwan client does connect. Windows and MikroTiks do too, though the MikroTiks for some reason want an extra cert. What adds spice is that there is an older server with the same config, except that it isn't bound to an fqdn, and connecting to it works perfectly. Save me, I'll soon be banging my head against

ipsec.conf

config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
        uniqueids=yes
ca server-ca
        auto=add
        cacert=/etc/ipsec.d/cacerts/ca-cert.pem
conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=MyIP                 # placeholder for the server's public IP
        leftid=@fqdn              # placeholder for the server's FQDN; must equal the IDr the client sends
        leftcert=server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.1.1.0/24 # VPN client pool
        rightdns=8.8.8.8
        rightsendcert=never
        eap_identity=%identity
        # 3des, sha1 and modp1024 are legacy algorithms; note that the log below shows
        # AES_CBC_128/HMAC_SHA2_256/CURVE_25519 being selected, which this line does not offer
        ike=aes256-sha1-modp1024,3des-sha1-modp1024
        esp=aes256-sha1,3des-sha1

Excerpt from the logs

Apr 10 22:19:29 MyHostName ipsec[86651]: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[CFG] received supported signature hash algorithms: sha256 sha384 sha512
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[IKE] remote host is behind NAT
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[NET] sending packet: from #ServerIP#[500] to #ClientP#[9478] (248 bytes)
Apr 10 22:19:29 MyHostName ipsec[86651]: 04[NET] sending packet: from #ServerIP#[500] to #ClientP#[9478]
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[MGR] checkin IKEv2 SA (unnamed)[57] with SPIs 2acbecad070206df_i 3dfdd5559ffd9ba3_r
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[MGR] checkin of IKE_SA successful
Apr 10 22:19:29 MyHostName ipsec[86651]: 03[NET] received packet: from #ClientP#[55858] to #ServerIP#[4500]
Apr 10 22:19:29 MyHostName ipsec[86651]: 03[NET] waiting for data on sockets
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[MGR] checkout IKEv2 SA by message with SPIs 2acbecad070206df_i 3dfdd5559ffd9ba3_r
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[MGR] IKE_SA (unnamed)[57] successfully checked out
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[NET] received packet: from #ClientP#[55858] to #ServerIP#[4500] (496 bytes)
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[ENC] parsed IKE_AUTH request 1 [ IDi IDr SA TSi TSr CPRQ(ADDR ADDR6 DNS DNS6 MASK VER) ]
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] local endpoint changed from #ServerIP#[500] to #ServerIP#[4500]
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] remote endpoint changed from #ClientP#[9478] to #ClientP#[55858]
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[CFG] looking for peer configs matching #ServerIP#[fqdn]...#ClientP#[ikev2-vpn]
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[CFG] no matching peer config found
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] processing INTERNAL_IP4_ADDRESS attribute
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] processing INTERNAL_IP6_ADDRESS attribute
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] processing INTERNAL_IP4_DNS attribute
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] processing INTERNAL_IP6_DNS attribute
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] processing INTERNAL_IP4_NETMASK attribute
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[IKE] processing APPLICATION_VERSION attribute
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]


moba
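The log excerpt above ends with "looking for peer configs matching ...", "no matching peer config found" and an IKE_AUTH response carrying N(AUTH_FAILED), which is the sequence an operator should be reading off a charon log before touching the config. The following Python script is an added example, not code from the post or from the strongSwan project: it parses lines in the format shown above, extracts the local/remote identity pair charon tried to match against the conn definitions, flags the AUTH_FAILED response, and also checks the negotiated proposal (and an ipsec.conf ike= string) for legacy algorithms. The sample log embedded in it is taken from the excerpt above; the function and class names are the example's own.

```python
"""Triage a strongSwan charon log excerpt for IKE_AUTH failures.

Added example, not part of the original post. It understands the line
shape seen above: '<Mon> <day> <hh:mm:ss> <host> ipsec[<pid>]: <NN>[<GROUP>] <message>'.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One syslog-style line emitted by the 'ipsec' wrapper around charon.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"ipsec\[(?P<pid>\d+)\]: (?P<thread>\d{2})\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# "looking for peer configs matching <laddr>[<local id>]...<raddr>[<remote id>]"
PEER_RE = re.compile(
    r"looking for peer configs matching (?P<laddr>.+?)\[(?P<lid>[^\]]*)\]"
    r"\.\.\.(?P<raddr>.+?)\[(?P<rid>[^\]]*)\]"
)
PROPOSAL_RE = re.compile(r"selected proposal: (?P<proposal>\S+)")
# Algorithm tokens worth flagging in a negotiated proposal (legacy cipher, hash, DH group).
WEAK_TOKENS = ("3DES", "SHA1", "MODP_1024", "MD5")
# Same idea for the ipsec.conf ike=/esp= syntax.
WEAK_CONF_ALGS = {"3des", "sha1", "modp1024", "md5", "modp768"}


@dataclass
class Triage:
    selected_proposal: Optional[str] = None
    weak_in_proposal: List[str] = field(default_factory=list)
    peer_lookups: List[Tuple[str, str]] = field(default_factory=list)  # (local id, remote id)
    no_peer_config: bool = False
    auth_failed: bool = False
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into its fields, or return None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def weak_tokens(proposal: str) -> List[str]:
    """Weak algorithm names in a charon proposal such as 'IKE:3DES_CBC/HMAC_SHA1_96/...'."""
    up = proposal.upper()
    return [t for t in WEAK_TOKENS if t in up]


def weak_in_conf_proposal(conf: str) -> List[str]:
    """Weak algorithms in an ipsec.conf value such as 'aes256-sha1-modp1024,3des-sha1-modp1024'."""
    algs = re.split(r"[-,]", conf.strip().lower())
    return sorted({a for a in algs if a in WEAK_CONF_ALGS})


def triage(lines) -> Triage:
    """Walk the log once and collect the facts that explain an IKE_AUTH failure."""
    t = Triage()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := PROPOSAL_RE.search(msg)):
            t.selected_proposal = m.group("proposal")
            t.weak_in_proposal = weak_tokens(t.selected_proposal)
        elif (m := PEER_RE.search(msg)):
            t.peer_lookups.append((m.group("lid"), m.group("rid")))
        elif "no matching peer config found" in msg:
            t.no_peer_config = True
        elif "generating IKE_AUTH response" in msg and "N(AUTH_FAILED)" in msg:
            t.auth_failed = True
    if t.auth_failed:
        t.findings.append("responder answered IKE_AUTH with N(AUTH_FAILED)")
    if t.no_peer_config and t.peer_lookups:
        lid, rid = t.peer_lookups[-1]
        t.findings.append(
            f"no conn matched local id '{lid}' / remote id '{rid}': "
            "compare with leftid/rightid (and eap_identity) of the conn the client should hit"
        )
    if t.weak_in_proposal:
        t.findings.append("selected proposal uses legacy algorithms: " + ", ".join(t.weak_in_proposal))
    return t


# Sample lines taken from the excerpt in the post above (placeholders kept as posted).
SAMPLE_LOG = """\
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
Apr 10 22:19:29 MyHostName ipsec[86651]: 10[IKE] remote host is behind NAT
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[CFG] looking for peer configs matching #ServerIP#[fqdn]...#ClientP#[ikev2-vpn]
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[CFG] no matching peer config found
Apr 10 22:19:29 MyHostName ipsec[86651]: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for finding in result.findings:
        print("-", finding)
    print("weak algs in posted ike= line:", weak_in_conf_proposal("aes256-sha1-modp1024,3des-sha1-modp1024"))
```

Run it over a larger charondebug dump (for example `journalctl -u strongswan | python3 triage.py` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`) to get the identity pair charon actually tried to match; the remote id is what the client put in IDi and the local id is the IDr it asked for, so the two values are exactly what leftid/rightid of the intended conn have to accept.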
