Issue #1472
ESP decryption failed with Android IKEv1 client when using SHA-256
Description
Hello!
For some reason, if an Android client connects to my VPN server, I see the following in the logs:
charon: 05[ESP] ESP decryption failed: invalid length
This error arises after the connection has been established, i.e., the client has an IP address, but no traffic of any kind can reach the destination network.
What kind of problem could this error be connected to?
The piece of configuration that Android uses to establish the connection:
conn ikev1-fakexauth
    keyexchange=ikev1
    rightauth2=xauth-noauth
    auto=add
History
#1 Updated by Stanislav Yurchenko about 8 years ago
Other clients, like iOS and Windows, connect to the VPN server fine.
#2 Updated by Tobias Brunner about 8 years ago
- Description updated (diff)
- Category changed from android to interoperability
- Status changed from New to Feedback
The piece of configuration that Android uses to establish the connection:
conn ikev1-fakexauth
    keyexchange=ikev1
    rightauth2=xauth-noauth
    auto=add
Try adding esp=aes128-sha1 (or perhaps esp=aes128gcm16, if Android supports AES-GCM). Android apparently uses the wrong truncation for HMAC-SHA-256 (96-bit instead of 128-bit), which is the default integrity algorithm used by strongSwan since the default proposals have changed with 5.4.0.
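Added example, not part of the issue thread and not strongSwan's code: a simplified Python model of an ESP packet protected with HMAC-SHA-256, showing why a sender that appends a 96-bit ICV is rejected by a receiver expecting 128 bits with "invalid length" rather than with an integrity failure. It assumes AES-CBC (16-byte IV and block size) and a receiver that checks lengths before comparing the ICV; the function names, key, SPI and placeholder ciphertext are constructed for illustration.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # assumed cipher: AES-CBC, 16-byte IV and block size


def build_esp(key, spi, seq, iv, ciphertext, icv_len):
    """Sender side: SPI | sequence number | IV | ciphertext | truncated ICV."""
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    return body + icv


def check_esp(key, packet, icv_len):
    """Receiver side (simplified model): length check, then ICV comparison."""
    # Whatever is left after the header, IV and expected ICV must be whole blocks.
    enc_len = len(packet) - 8 - BLOCK - icv_len
    if enc_len <= 0 or enc_len % BLOCK:
        return "invalid length"
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:icv_len]
    if not hmac.compare_digest(icv, expected):
        return "ICV mismatch"
    return "ok"


# Constructed sample values (not taken from the issue).
KEY = bytes(range(32))
IV = bytes(BLOCK)
CIPHERTEXT = bytes(48)  # stands in for three encrypted AES-CBC blocks


def demo():
    good = build_esp(KEY, 0xC0FFEE01, 1, IV, CIPHERTEXT, 16)  # 128-bit ICV
    bad = build_esp(KEY, 0xC0FFEE01, 1, IV, CIPHERTEXT, 12)   # 96-bit ICV
    return {
        "128-bit sender, 128-bit receiver": check_esp(KEY, good, 16),
        "96-bit sender, 128-bit receiver": check_esp(KEY, bad, 16),
        "96-bit sender, 96-bit receiver": check_esp(KEY, bad, 12),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The 4-byte difference between the two truncations can never be a multiple of the 16-byte block size, so in this model every packet from the 96-bit sender fails the length check.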
#3 Updated by Stanislav Yurchenko about 8 years ago
Thank you! With the suggested changes everything works as I wanted.
#4 Updated by Tobias Brunner about 8 years ago
- Subject changed from ESP decryption failed to ESP decryption failed with Android IKEv1 client when using SHA-256
#5 Updated by Noel Kuntze about 7 years ago
- Status changed from Feedback to Closed
- Resolution set to No change required