
Bug #1510

Failed to create ciphers with BoringSSL in Android client

Added by Alexander Semenov about 4 years ago. Updated about 4 years ago.

Status: Closed
Priority: Normal
Category: android
Target version:
Start date: 13.06.2016
Due date:
Estimated time:
Affected version: dr|rc|master
Resolution: Fixed

Description

We're trying to use the strongSwan Android client with BoringSSL instead of OpenSSL.

We use the latest available tarball, 5.4.1dr4. Everything compiles fine, but when I try to connect the VPN I receive an error, see below.
Everything works fine if I switch back to OpenSSL. Our admin says the client rejects any proposed encryption algorithm, while it sends a lot of them as proposals.
Thanks in advance.

Error text as follows.

06-07 16:56:26.226 I/charon: 07[IKE] initiating IKE_SA android[1] to <ip hidden>
06-07 16:56:26.228 I/charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06-07 16:56:26.229 I/charon: 07[NET] sending packet: from 10.16.1.46[46178] to <ip hidden>[500] (732 bytes)
06-07 16:56:26.349 I/charon: 11[NET] received packet: from <ip hidden>[500] to 10.16.1.46[46178] (38 bytes)
06-07 16:56:26.350 I/charon: 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
06-07 16:56:26.351 I/charon: 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
06-07 16:56:26.377 I/charon: 11[IKE] initiating IKE_SA android[1] to <ip hidden>
06-07 16:56:26.378 I/charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06-07 16:56:26.378 I/charon: 11[NET] sending packet: from 10.16.1.46[46178] to <ip hidden>[500] (924 bytes)
06-07 16:56:26.527 I/charon: 13[NET] received packet: from <ip hidden>[500] to 10.16.1.46[46178] (440 bytes)
06-07 16:56:26.528 I/charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
06-07 16:56:26.560 I/charon: 13[IKE] ENCRYPTION_ALGORITHM AES_CBC (key size 128) not supported!
06-07 16:56:26.561 I/charon: 13[IKE] key derivation failed

Here is server config:

config setup
        uniqueids=never
conn radius
        rekey=no
        dpdaction=clear
        aggressive=no
        keyexchange=ikev1
        rightauth=psk
        compress=no
        rightauth2=xauth-eap
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftauth=psk
        right=%any
        rightsourceip=10.2.0.0/16
        auto=add
        type=tunnel
        esp=aes128-sha1-modp2048
conn ipsec-l2tp
        left=%defaultroute
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any
        auto=add
        keyexchange=ikev1
        authby=psk
        type=transport
        esp=aes128-sha1-modp2048
conn android
        rekey=no
        dpdaction=clear
        aggressive=no
        keyexchange=ikev2
        compress=no
        rightauth=eap-radius
        left=%any
        leftsubnet=0.0.0.0/0,192.168.0.0/24
        leftcert=vpnCert.der
        leftid=@test.vpnshieldapp.com
        right=%any
        eap_identity=%any
        rightsourceip=10.2.0.0/16
        rightsendcert=never
        auto=add
        type=tunnel
        fragmentation=yes
        esp=aes128-sha1-modp2048
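The log shows the peer selecting exactly what the server's conn configures (AES_CBC with a 128-bit key from esp=aes128-sha1-modp2048), and the client then failing to instantiate it, which points at the client's crypto backend rather than at a proposal mismatch. The following script is an added example, not part of the report or of strongSwan: it maps ipsec.conf proposal keywords (a small subset, assumed from strongSwan's own naming) to the names charon prints and classifies a "not supported!" line against that proposal.

```python
import re

# Constructed inputs taken from this report: the conn's proposal keyword string
# and the charon line that ends the negotiation.
PROPOSAL = "aes128-sha1-modp2048"
LOG_LINE = ("06-07 16:56:26.560 I/charon: 13[IKE] "
            "ENCRYPTION_ALGORITHM AES_CBC (key size 128) not supported!")

# ipsec.conf keyword -> name charon logs (subset; assumed, see lead-in)
ENC_RE = re.compile(r"^(aes|camellia)(128|192|256)$|^(3des)$")
ENC_NAMES = {"aes": "AES_CBC", "camellia": "CAMELLIA_CBC", "3des": "3DES_CBC"}
INTEG = {"md5": "HMAC_MD5_96", "sha1": "HMAC_SHA1_96",
         "sha256": "HMAC_SHA2_256_128", "sha384": "HMAC_SHA2_384_192"}
DH = {"modp1024": "MODP_1024", "modp2048": "MODP_2048", "ecp256": "ECP_256"}
UNSUPPORTED_RE = re.compile(
    r"\[IKE\] (?P<kind>[A-Z_]+) (?P<alg>[A-Z0-9_]+)"
    r"(?: \(key size (?P<bits>\d+)\))? not supported!$")


def parse_proposal(spec: str) -> dict:
    """Split 'enc-integ-dh' keywords into the (name, key bits) pairs charon prints."""
    out = {}
    for tok in spec.rstrip("!").split("-"):       # trailing '!' = strict proposal
        if m := ENC_RE.match(tok):
            cipher = m.group(1) or m.group(3)
            bits = int(m.group(2)) if m.group(2) else None   # 3DES has no size suffix
            out["ENCRYPTION_ALGORITHM"] = (ENC_NAMES[cipher], bits)
        elif tok in INTEG:
            out["INTEGRITY_ALGORITHM"] = (INTEG[tok], None)
        elif tok in DH:
            out["DIFFIE_HELLMAN_GROUP"] = (DH[tok], None)
        else:
            raise ValueError(f"unknown proposal keyword: {tok}")
    return out


def explain_failure(log_line: str, proposal: str) -> str:
    """Classify a 'not supported!' line against what the other side's conn configures."""
    m = UNSUPPORTED_RE.search(log_line)
    if not m:
        return "no algorithm-support failure in this line"
    bits = int(m["bits"]) if m["bits"] else None
    configured = parse_proposal(proposal).get(m["kind"])
    if configured == (m["alg"], bits):
        # The selected algorithm is exactly the configured one, yet the local crypto
        # backend cannot create it: the gap is in the crypto plugin, not in the proposal.
        size = f"-{bits}" if bits else ""
        return f"backend gap: {m['alg']}{size} is configured and was selected but the local crypto plugin cannot create it"
    return f"proposal mismatch: peer selected {m['alg']}, which this proposal does not configure"
```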

Associated revisions

Revision a046f929
Added by Tobias Brunner about 4 years ago

android: Use non-aliased cipher identifiers

Some of these are also understood by BoringSSL.

Fixes #1510.

History

#1 Updated by Tobias Brunner about 4 years ago

  • Tracker changed from Issue to Bug
  • Subject changed from BoringSSL in Android client to Failed to create ciphers with BoringSSL in Android client
  • Category set to android
  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.5.0
  • Resolution set to Fixed

Fixed with the referenced commit.
