Can't connect to IpSec VPN from Android 14

glsmith86

Occasional Visitor
Hi all!

I have a Samsung Galaxy S22 Ultra with factory Android 14 and ASUS RT-AX56U with ASUSWRT-Merlin RT-AX56U 3004.388.6_0 firmware.

I enabled the IpSec VPN server and I can't connect to it.

ipsec.conf file:
conn %default
keyexchange=ikev1
authby=secret
ike=aes256-sha1-modp1024
#Host-to-NET[prof#0]:4>Host-to-Net>null>null>wan>>1>password>null>null>null>null>null>1>10.10.10>null>1>null>null>0>null>null>null>1>>>eap-md5>1>500>4500>10>1>null>null>null>null><<<<>1


conn Host-to-Net
keyexchange=ikev1
left=1.2.3.4
#receive web value#left=
leftsubnet=0.0.0.0/0
leftfirewall=yes
#interface=wan
leftauth=psk
right=%any
rightauth=psk
rightauth2=xauth
#sourceip_en=1
rightsourceip=10.10.10.0/24
rightdns=192.168.1.1
ike=aes256-sha1-modp1024
dpdtimeout=30s
dpdaction=clear
dpddelay=10s
auto=add

#Host-to-NET[prof#1]:4>Host-to-Netv2>null>null>wan>>0>null>null>null>null>null>null>1>10.10.10>null>2>null>null>0>@xxx.asuscomm.com>null>null>0>>>eap-mschapv2>1>500>4500>10>1>null>null>null>null><<<<>1>pubkey>svrCert.pem>always>svrKey.pem>%identity


conn Host-to-Netv2
keyexchange=ikev2
mobike=no
left=1.2.3.4
#receive web value#left=
leftsubnet=0.0.0.0/0
leftfirewall=yes
#interface=wan
leftauth=pubkey
leftid=@xxx.asuscomm.com
leftcert=svrCert.pem
#leftsendcert is the key point for iOS devices
leftsendcert=always
eap_identity=%identity
right=%any
rightauth=eap-mschapv2
#sourceip_en=1
rightsourceip=10.10.10.0/24
rightdns=192.168.1.1
ike=aes256-sha1-modp1024
dpdtimeout=30s
dpdaction=clear
dpddelay=10s
auto=add

I have tried it out on LAN and WAN with the RSA, PSK and MSChapV2 methods; nothing is working.
 
I'm connecting with Android 14 without issue on stock. The only difference I see in the config files is that mine has my explicit WAN address instead of the ASUS DDNS address in various locations (config file created automatically from the GUI).
 
My ISP works with a dynamic IP. I masked out my real IP in the config file. What method do you use to connect to the VPN?
 
I just use the client built into Android. Attached is the config screen.
Screenshot_20240204_154147_Settings.jpg
 
What does the vpn log show? Can you share a screenshot of your ipsec config page?
 
VPN log:
Feb 5 16:53:08 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 4.1.52, armv7l)
Feb 5 16:53:08 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 5 16:53:08 00[CFG] loaded ca certificate "C=TW, O=ASUS, CN=ASUS RT-AX56U Root CA" from '/etc/ipsec.d/cacerts/asusCert.pem'
Feb 5 16:53:08 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 5 16:53:08 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 5 16:53:08 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 5 16:53:08 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 5 16:53:08 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 5 16:53:08 00[CFG] loaded IKE secret for %any
Feb 5 16:53:08 00[CFG] loaded EAP secret for vpnuser
Feb 5 16:53:09 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/svrKey.pem'
Feb 5 16:53:09 00[CFG] loaded EAP secret for vpnuser
Feb 5 16:53:09 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 agent xcbc cmac hmac kdf gcm drbg attr kernel-netlink socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Feb 5 16:53:09 00[JOB] spawning 8 worker threads
Feb 5 16:53:09 05[CFG] received stroke: add connection 'Host-to-Net'
Feb 5 16:53:09 05[CFG] adding virtual IP address pool 10.10.10.0/24
Feb 5 16:53:09 05[CFG] added configuration 'Host-to-Net'
Feb 5 16:53:09 07[CFG] received stroke: add connection 'Host-to-Netv2'
Feb 5 16:53:09 07[CFG] reusing virtual IP address pool 10.10.10.0/24
Feb 5 16:53:09 07[CFG] loaded certificate "C=TW, O=ASUS, CN=asdf.asuscomm.com" from 'svrCert.pem'
Feb 5 16:53:09 07[CFG] added configuration 'Host-to-Netv2'

Képernyőkép – 2024-02-05 16-51-20.png
Képernyőkép – 2024-02-05 16-51-27.png
Képernyőkép – 2024-02-05 16-51-41.png
Képernyőkép – 2024-02-05 16-54-10.png



Status of IKE charon daemon (weakSwan 5.9.8, Linux 4.1.52, armv7l):
uptime: 10 minutes, since Feb 05 16:53:09 2024
malloc: sbrk 1216512, mmap 0, used 273096, free 943416
worker threads: 3 of 8 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 agent xcbc cmac hmac kdf gcm drbg attr kernel-netlink socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Virtual IP pools (size/online/offline):
10.10.10.0/24: 254/0/0
Listening IP addresses:
10.40.210.13
123.456.789.000
Connections:
Host-to-Net: 123.456.897.000...%any IKEv1, dpddelay=10s
Host-to-Net: local: [123.456.987.000] uses pre-shared key authentication
Host-to-Net: remote: uses pre-shared key authentication
Host-to-Net: remote: uses XAuth authentication: any
Host-to-Net: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=none
Host-to-Netv2: 123.456.987.000...%any IKEv2, dpddelay=10s
Host-to-Netv2: local: [asdf.asuscomm.com] uses public key authentication
Host-to-Netv2: cert: "C=TW, O=ASUS, CN=asdf.asuscomm.com"
Host-to-Netv2: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
Host-to-Netv2: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=none
Security Associations (0 up, 0 connecting):
none

Feb 5 17:06:59 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 5 17:06:59 00[DMN] Starting IKE service (strongSwan 5.9.11, Android 14 - UP1A.231005.007.S908BXXU7DXA6/2024-01-01, SM-S908B - samsung/b0sxeea/samsung, Linux 5.10.177-android12-9-27763393-abS908BXXU7DXA6, aarch64, org.strongswan.android)
Feb 5 17:06:59 00[LIB] providers loaded by OpenSSL: legacy default
Feb 5 17:06:59 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Feb 5 17:06:59 00[JOB] spawning 16 worker threads
Feb 5 17:06:59 07[IKE] initiating IKE_SA android[1] to 192.168.1.1
Feb 5 17:06:59 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 5 17:06:59 07[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:01 08[IKE] retransmit 1 of request with message ID 0
Feb 5 17:07:01 08[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:04 09[IKE] retransmit 2 of request with message ID 0
Feb 5 17:07:04 09[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:09 04[IKE] retransmit 3 of request with message ID 0
Feb 5 17:07:09 04[NET] sending packet: from 192.168.1.185[46990] to 192.168.1.1[500] (948 bytes)
Feb 5 17:07:15 10[IKE] giving up after 3 retransmits
Feb 5 17:07:15 10[IKE] establishing IKE_SA failed, peer not responding
Feb 5 17:07:15 10[IKE] unable to terminate IKE_SA: ID 1 not found
 
Can you show the vpn log when you attempt to connect from outside your network (from the wan)? There should also be lots of other attempted connections from the Internet there as well (lots of uninvited folks knocking on your door).
 
strongSwan log when connecting from outside:

Feb 5 19:16:06 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 5 19:16:06 00[DMN] Starting IKE service (strongSwan 5.9.11, Android 14 - UP1A.231005.007.S908BXXU7DXA6/2024-01-01, SM-S908B - samsung/b0sxeea/samsung, Linux 5.10.177-android12-9-27763393-abS908BXXU7DXA6, aarch64, org.strongswan.android)
Feb 5 19:16:06 00[LIB] providers loaded by OpenSSL: legacy default
Feb 5 19:16:06 00[LIB] loaded plugins: androidbridge charon android-log socket-default openssl nonce pkcs1 pem x509 xcbc kdf revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Feb 5 19:16:06 00[JOB] spawning 16 worker threads
Feb 5 19:16:06 12[IKE] initiating IKE_SA android[1] to vpn_ ip
Feb 5 19:16:06 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 5 19:16:06 12[NET] sending packet: from mobile_ip[55461] to vpn_ip[500] (948 bytes)
Feb 5 19:16:08 06[IKE] retransmit 1 of request with message ID 0
Feb 5 19:16:08 06[NET] sending packet: from mobile_ip[55461] to vpn_ip[500] (948 bytes)
Feb 5 19:16:11 07[IKE] retransmit 2 of request with message ID 0
Feb 5 19:16:11 07[NET] sending packet: from mobile_ip[55461] to vpn_ip[500] (948 bytes)
Feb 5 19:16:16 08[IKE] retransmit 3 of request with message ID 0
Feb 5 19:16:16 08[NET] sending packet: from mobile_ip[55461] to vpn_ip[500] (948 bytes)
Feb 5 19:16:22 13[IKE] giving up after 3 retransmits
Feb 5 19:16:22 13[IKE] establishing IKE_SA failed, peer not responding
Feb 5 19:16:22 15[IKE] unable to terminate IKE_SA: ID 1 not found

Feb 5 19:21:48 ipsec_starter[31351]: Starting weakSwan 5.9.8 IPsec [starter]...
Feb 5 19:21:48 ipsec_starter[31351]: charon is already running (/var/run/charon.pid exists) -- skipping daemon start
Feb 5 19:21:48 ipsec_starter[31351]: starter is already running (/var/run/starter.charon.pid exists) -- no fork done

Feb 5 19:21:48 06[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 5 19:21:48 06[CFG] loaded IKE secret for %any
Feb 5 19:21:48 06[CFG] loaded EAP secret for vpnuser
Feb 5 19:21:49 06[CFG] loaded RSA private key from '/etc/ipsec.d/private/svrKey.pem'
Feb 5 19:21:49 06[CFG] loaded EAP secret for vpnuser
Feb 5 19:21:49 06[CFG] rereading ca certificates from '/etc/ipsec.d/cacerts'
Feb 5 19:21:49 06[CFG] loaded ca certificate "C=TW, O=ASUS, CN=ASUS RT-AX56U Root CA" from '/etc/ipsec.d/cacerts/asusCert.pem'
Feb 5 19:21:49 06[CFG] rereading aa certificates from '/etc/ipsec.d/aacerts'
Feb 5 19:21:49 06[CFG] rereading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 5 19:21:49 06[CFG] rereading attribute certificates from '/etc/ipsec.d/acerts'
Feb 5 19:21:49 06[CFG] rereading crls from '/etc/ipsec.d/crls'
Feb 5 19:21:50 07[CFG] received stroke: delete connection 'Host-to-Net'
Feb 5 19:21:50 07[CFG] deleted connection 'Host-to-Net'
Feb 5 19:21:50 05[CFG] received stroke: delete connection 'Host-to-Netv2'
Feb 5 19:21:50 05[CFG] deleted connection 'Host-to-Netv2'
Feb 5 19:21:50 07[CFG] received stroke: add connection 'Host-to-Net'
Feb 5 19:21:50 07[CFG] reusing virtual IP address pool 10.10.10.0/24
Feb 5 19:21:50 07[CFG] added configuration 'Host-to-Net'
Feb 5 19:21:50 06[CFG] received stroke: add connection 'Host-to-Netv2'
Feb 5 19:21:50 06[CFG] reusing virtual IP address pool 10.10.10.0/24
Feb 5 19:21:50 06[CFG] loaded certificate "C=TW, O=ASUS, CN=asdf.asuscomm.com" from 'svrCert.pem'
Feb 5 19:21:50 06[CFG] added configuration 'Host-to-Netv2'
 
I have attached my vpn log file when I successfully connect. Hopefully it will help you or others debug your issue.
 

Attachments

  • logfile.txt
    4.8 KB · Views: 18
I changed the log level for the charon daemon. This is the first problem:

Feb 6 15:35:22 03[NET] received packet: from mobile_wan_ipv4[36640] to 192.168.1.1[500]
Feb 6 15:35:22 03[NET] received packet from mobile_wan_ipv4[36640] to 192.168.1.1[500] on ignored interface

After this I removed br0 from ignored interfaces. Second problem:

Feb 6 15:38:29 03[CFG] looking for an IKEv2 config for 192.168.1.1...mobile_wan_ipv4
Feb 6 15:38:29 03[CFG] ike config match: 0 (wan_ipv4...%any IKEv1)
Feb 6 15:38:29 03[CFG] ike config match: 0 (wan_ipv4...%any IKEv2)
Feb 6 15:38:29 03[CFG] ike config match: 0 (wan_ipv4...%any IKEv2)
Feb 6 15:38:29 03[IKE] no IKE config found for 192.168.1.1...mobile_wan_ipv4, sending NO_PROPOSAL_CHOSEN
Feb 6 15:38:29 03[ENC] added payload of type NOTIFY to message
Feb 6 15:38:29 03[ENC] order payloads in message
Feb 6 15:38:29 03[ENC] added payload of type NOTIFY to message
Feb 6 15:38:29 03[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

I have done a lot of searching on Google, but I can't find a solution to this problem.
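The "ike config match: 0" lines in the last post are charon failing to find a conn whose local address fits the packet. The following is an added example (written for this page; it is not code from the thread, from ASUS/Merlin or from the strongSwan project) that models that lookup in a simplified way so the effect of the posted config can be seen offline: a conn is treated as a candidate when its left is %any or equals the packet's destination address and its right is %any or equals the source address. Real charon also scores address ranges, %defaultroute and the IKE version, which this model ignores (an assumption made for clarity). The config text is trimmed from the posted ipsec.conf with the same masked 1.2.3.4 WAN address, the log line is constructed in the shape charon prints at higher log levels with a documentation source address, and the with_left_any rewrite is a candidate to test, not a claim that it is the only fix; the weak-group list follows RFC 8247's SHOULD NOT groups.

```python
"""Diagnose strongSwan 'ike config match: 0' from an ipsec.conf and a charon log line.

Added example, not code from the forum post, ASUS/Merlin or strongSwan.
Simplified model of charon's IKE config lookup (assumption): a conn matches
when 'left' is '%any' or equals the packet's destination address, and 'right'
is '%any' or equals the source address.
"""
import re

# Constructed sample: the posted server config, trimmed to the fields that
# decide matching. 1.2.3.4 is the masked WAN address from the post.
SAMPLE_CONF = """\
conn %default
keyexchange=ikev1
authby=secret
ike=aes256-sha1-modp1024

conn Host-to-Net
keyexchange=ikev1
left=1.2.3.4
#receive web value#left=
leftsubnet=0.0.0.0/0
right=%any
ike=aes256-sha1-modp1024

conn Host-to-Netv2
keyexchange=ikev2
left=1.2.3.4
leftid=@xxx.asuscomm.com
right=%any
ike=aes256-sha1-modp1024
"""

# Constructed log line in the shape charon prints at higher log levels;
# 203.0.113.7 is a documentation address standing in for the phone's IP.
SAMPLE_PACKET = "Feb 6 15:35:22 03[NET] received packet: from 203.0.113.7[36640] to 192.168.1.1[500]"

# MODP groups RFC 8247 lists as SHOULD NOT for IKEv2 (assumed list for this lint).
WEAK_DH = {"modp768", "modp1024", "modp1536"}

PACKET_RE = re.compile(r"received packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}, folding 'conn %default' into every conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}


def parse_packet_line(line):
    """Extract src/dst address and port from a charon 'received packet' line."""
    m = PACKET_RE.search(line)
    if not m:
        raise ValueError("not a charon 'received packet' line")
    return {"src": m.group(1), "sport": int(m.group(2)),
            "dst": m.group(3), "dport": int(m.group(4))}


def address_matches(configured, actual):
    return configured == "%any" or configured == actual


def match_conns(conns, pkt):
    """Return {conn: (matched, reason)} for the packet's local/remote addresses."""
    result = {}
    for name, opts in conns.items():
        left, right = opts.get("left", "%any"), opts.get("right", "%any")
        if not address_matches(left, pkt["dst"]):
            result[name] = (False, f"left={left} does not match local address {pkt['dst']}")
        elif not address_matches(right, pkt["src"]):
            result[name] = (False, f"right={right} does not match remote address {pkt['src']}")
        else:
            result[name] = (True, "local and remote addresses match")
    return result


def weak_dh_groups(conns):
    """Flag conns whose ike= proposals use a DH group from WEAK_DH."""
    flagged = {}
    for name, opts in conns.items():
        parts = {p for prop in opts.get("ike", "").split(",") for p in prop.split("-")}
        groups = sorted(parts & WEAK_DH)
        if groups:
            flagged[name] = groups
    return flagged


def with_left_any(text):
    """Rewrite every 'left=<addr>' line to 'left=%any' (candidate change to test)."""
    return re.sub(r"(?m)^left=.*$", "left=%any", text)


if __name__ == "__main__":
    pkt = parse_packet_line(SAMPLE_PACKET)
    for label, text in (("as posted", SAMPLE_CONF), ("with left=%any", with_left_any(SAMPLE_CONF))):
        print(f"--- {label} ---")
        for name, (ok, why) in match_conns(parse_ipsec_conf(text), pkt).items():
            print(f"{name}: match={int(ok)}  ({why})")
    for name, groups in weak_dh_groups(parse_ipsec_conf(SAMPLE_CONF)).items():
        print(f"{name}: ike= uses weak DH group(s) {groups}; modp2048 or ecp256 are the RFC 8247 picks")
```

Run as-is it prints match=0 for both conns against a packet addressed to 192.168.1.1 when left is the fixed WAN address, and match=1 for both once left is %any; the DH lint separately flags the aes256-sha1-modp1024 proposal that the ASUS GUI generated. On a router where the GUI regenerates ipsec.conf (the "#receive web value#left=" marker in the post), any hand edit to left= is only a test and can be overwritten on the next save.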
 
