Android Always ON VPN [message #121323]
Sun, 17 May 2015 01:06
RMCholewa
Hi there,
I am trying to set up Kerio Control VPN server to receive Android IPsec VPN connections with the always-on feature.
The always-on feature enables the device to keep the VPN connection on at all times and only allow traffic through it. The big issue here is the fact that Android only enables this option if I use the IPsec xauth RSA option.
I already exported Kerio Control certificates in PKCS#12 format, along with the CA and user certificates, and imported them in the device (it is a Sony Xperia Z3 D6633 Dual, running Android 5.0.2).
Then, while setting up the IPsec xauth RSA connection, I chose the server external IP and internal DNS servers.
When I try to connect to the server without the "use certificate for clients", "use preshared key" and "enable MSCHAP v2 authentication" options disabled, I get the following from the debug log:
[16/May/2015 19:43:07] {charon} charon: 11[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:43:07] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[16/May/2015 19:43:07] {charon} charon: 11[IKE] no IKE config found for a.b.c.d...x.y.z.w, sending NO_PROPOSAL_CHOSEN
[16/May/2015 19:43:07] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 3226241301 [ N(NO_PROP) ]
When I try to connect with the "use certificate for clients" enabled and the VPN configured in Android to use the respective certificates, I receive the following from the debug log:
[16/May/2015 19:46:22] {charon} charon: 10[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:46:22] {charon} charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received XAuth vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received Cisco Unity vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received FRAGMENTATION vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received DPD vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] x.y.z.w is initiating a Main Mode IKE_SA
[16/May/2015 19:46:22] {charon} charon: 10[IKE] x.y.z.w is initiating a Main Mode IKE_SA
[16/May/2015 19:46:22] {charon} charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
[16/May/2015 19:46:22] {charon} charon: 10[NET] sending packet: from a.b.c.d[500] to x.y.z.w[500] (136 bytes)
[16/May/2015 19:46:23] {charon} charon: 03[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (252 bytes)
[16/May/2015 19:46:23] {charon} charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
[16/May/2015 19:46:23] {charon} charon: 03[IKE] Sending 1 CERTREQ payloads (max is 5)
[16/May/2015 19:46:23] {charon} charon: 03[IKE] sending cert request for "CN=kerio.domain.com, OU=domain.com, O=Intranet, L=city, ST=state, C=CN"
[16/May/2015 19:46:23] {charon} charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
[16/May/2015 19:46:23] {charon} charon: 03[NET] sending packet: from a.b.c.d[500] to x.y.z.w[500] (398 bytes)
[16/May/2015 19:46:24] {charon} charon: 11[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (1404 bytes)
[16/May/2015 19:46:24] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] received end entity cert "CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN"
[16/May/2015 19:46:24] {charon} charon: 11[CFG] looking for XAuthInitRSA peer configs matching a.b.c.d...x.y.z.w[CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] no peer config found
[16/May/2015 19:46:24] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 1292230040 [ HASH N(AUTH_FAILED) ]
[16/May/2015 19:46:24] {charon} charon: 11[NET] sending packet: from a.b.c.d[500] to x.y.z.w[500] (108 bytes)
Any ideas?
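To make the two debug logs above easier to compare, here is a small Python parser for the charon (strongSwan) log format Kerio Control prints. It is an added example, not code from the post, from Kerio or from strongSwan. It splits each line into timestamp, thread, subsystem and message, then reduces one IKEv1 Main Mode attempt to the facts that locate the rejection: the peer address, the vendor IDs it announced, the identity in the client certificate, the authentication method the responder searched for, and the notify it sent back. The sample logs embedded below are the lines quoted in the post (addresses already masked there); the field names, the "reason" labels and the diagnosis wording are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One Kerio Control debug-log line from the bundled charon daemon:
#   [dd/Mon/yyyy HH:MM:SS] {charon} charon: <thread>[<subsystem>] <message>
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \{charon\} charon: "
                     r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$")
PACKET_RE = re.compile(r"received packet: from (?P<peer>\S+)\[\d+\]")
VENDOR_RE = re.compile(r"^received (?P<vid>.+) vendor ID$")
CERT_RE = re.compile(r'received end entity cert "(?P<dn>[^"]+)"')
PEERCFG_RE = re.compile(r"looking for (?P<method>\S+) peer configs matching")
NOTIFY_RE = re.compile(r"generating INFORMATIONAL_V1 .*N\((?P<notify>[A-Z_]+)\)")


@dataclass
class Event:
    ts: str
    thread: int
    subsys: str
    msg: str


def parse_line(line: str) -> Optional[Event]:
    """Split one charon line into fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return Event(m["ts"], int(m["thread"]), m["subsys"], m["msg"]) if m else None


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def summarize(events: List[Event]) -> dict:
    """Reduce one Main Mode attempt to the facts needed to place the rejection."""
    s = {"peer": None, "vendor_ids": [], "auth_method": None,
         "peer_identity": None, "notify": None, "reason": None}
    for ev in events:
        if (m := PACKET_RE.search(ev.msg)) and s["peer"] is None:
            s["peer"] = m["peer"]                 # first inbound packet names the client
        elif (m := VENDOR_RE.match(ev.msg)):
            s["vendor_ids"].append(m["vid"])      # capabilities the client announced
        elif (m := CERT_RE.search(ev.msg)):
            s["peer_identity"] = m["dn"]          # subject DN of the client certificate
        elif (m := PEERCFG_RE.search(ev.msg)):
            s["auth_method"] = m["method"]        # auth method the responder looked up
        elif (m := NOTIFY_RE.search(ev.msg)):
            s["notify"] = m["notify"]             # error notify sent to the client
        elif ev.msg.startswith("no IKE config found"):
            s["reason"] = "no IKE config"         # rejected on the very first message
        elif ev.msg.startswith("no peer config found"):
            s["reason"] = "no peer config"        # rejected after identity exchange
    if s["reason"] == "no IKE config":
        s["diagnosis"] = (f"no connection matched {s['peer']} at the first Main Mode "
                          f"message, before any identity was exchanged (sent {s['notify']})")
    elif s["reason"] == "no peer config":
        s["diagnosis"] = (f"proposal accepted and identity {s['peer_identity']!r} received, "
                          f"but no connection allows {s['auth_method']} for it (sent {s['notify']})")
    else:
        s["diagnosis"] = "no rejection recognised in these lines"
    return s


# Sample input: the lines quoted in the post, first attempt (no client certificate).
FIRST_ATTEMPT = r"""
[16/May/2015 19:43:07] {charon} charon: 11[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:43:07] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[16/May/2015 19:43:07] {charon} charon: 11[IKE] no IKE config found for a.b.c.d...x.y.z.w, sending NO_PROPOSAL_CHOSEN
[16/May/2015 19:43:07] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 3226241301 [ N(NO_PROP) ]
"""

# Second attempt (client certificate enabled); the literal "\n" is as it appeared in the post.
SECOND_ATTEMPT = r"""
[16/May/2015 19:46:22] {charon} charon: 10[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received XAuth vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received Cisco Unity vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received FRAGMENTATION vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received DPD vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] x.y.z.w is initiating a Main Mode IKE_SA
[16/May/2015 19:46:23] {charon} charon: 03[IKE] sending cert request for "CN=kerio.domain.com, OU=domain.com, O=Intranet, L=city, ST=state, C=CN"
[16/May/2015 19:46:24] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] received end entity cert "CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN"
[16/May/2015 19:46:24] {charon} charon: 11[CFG] looking for XAuthInitRSA peer configs matching a.b.c.d...x.y.z.w[CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] no peer config found
[16/May/2015 19:46:24] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 1292230040 [ HASH N(AUTH_FAILED) ]
"""

if __name__ == "__main__":
    for name, log in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT)):
        print(name, summarize(parse_log(log))["diagnosis"])
```

Run over the two logs, the summaries show what the raw lines also say but make the difference explicit: the first attempt is turned away on the initial SA payload, before any certificate or identity is seen, while the second gets through the proposal and certificate exchange and is refused only when the responder looks for a connection that permits XAuthInitRSA for that certificate subject. The same distinction is what to check in the server's IPsec configuration: whether a connection exists for the client at all, versus whether that connection accepts the authentication method and identity the client offers.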
Re: Android Always ON VPN [message #121324 is a reply to message #121323]
Sun, 17 May 2015 02:56
RMCholewa
Update:
Changed to L2TP/IPsec RSA and it connected manually. To my surprise, Android 5.0.2 accepts this VPN mode for the always-on feature.
Now, the funny part: I am able to successfully connect the VPN manually (if I choose to connect) and traffic is OK, working without a problem.
Once I choose the always-on feature, it stops connecting.
Does anyone have an Android device with the always-on feature working with Kerio Control?
Thanks.