Bug #1510
Failed to create ciphers with BoringSSL in Android client
Start date: 13.06.2016
Affected version: dr|rc|master
Resolution: Fixed
Description
We're trying to use the StrongSwan Android client with BoringSSL instead of OpenSSL.
We use the latest available tarball, 5.4.1dr4. Everything compiles fine, but when I try to connect to the VPN I receive an error (see below).
Everything works fine if I switch back to OpenSSL. Our admin says the client rejects any proposed encryption algorithm, while it sends a lot of them as proposals.
Thanks in advance.
The error text is as follows.
06-07 16:56:26.226 I/charon: 07[IKE] initiating IKE_SA android[1] to <ip hidden>
06-07 16:56:26.228 I/charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06-07 16:56:26.229 I/charon: 07[NET] sending packet: from 10.16.1.46[46178] to <ip hidden>[500] (732 bytes)
06-07 16:56:26.349 I/charon: 11[NET] received packet: from <ip hidden>[500] to 10.16.1.46[46178] (38 bytes)
06-07 16:56:26.350 I/charon: 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
06-07 16:56:26.351 I/charon: 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
06-07 16:56:26.377 I/charon: 11[IKE] initiating IKE_SA android[1] to <ip hidden>
06-07 16:56:26.378 I/charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
06-07 16:56:26.378 I/charon: 11[NET] sending packet: from 10.16.1.46[46178] to <ip hidden>[500] (924 bytes)
06-07 16:56:26.527 I/charon: 13[NET] received packet: from <ip hidden>[500] to 10.16.1.46[46178] (440 bytes)
06-07 16:56:26.528 I/charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
06-07 16:56:26.560 I/charon: 13[IKE] ENCRYPTION_ALGORITHM AES_CBC (key size 128) not supported!
06-07 16:56:26.561 I/charon: 13[IKE] key derivation failed
Here is server config:
config setup
    uniqueids=never

conn radius
    rekey=no
    dpdaction=clear
    aggressive=no
    keyexchange=ikev1
    rightauth=psk
    compress=no
    rightauth2=xauth-eap
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftauth=psk
    right=%any
    rightsourceip=10.2.0.0/16
    auto=add
    type=tunnel
    esp=aes128-sha1-modp2048

conn ipsec-l2tp
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
    keyexchange=ikev1
    authby=psk
    type=transport
    esp=aes128-sha1-modp2048

conn android
    rekey=no
    dpdaction=clear
    aggressive=no
    keyexchange=ikev2
    compress=no
    rightauth=eap-radius
    left=%any
    leftsubnet=0.0.0.0/0,192.168.0.0/24
    leftcert=vpnCert.der
    leftid=@test.vpnshieldapp.com
    right=%any
    eap_identity=%any
    rightsourceip=10.2.0.0/16
    rightsendcert=never
    auto=add
    type=tunnel
    fragmentation=yes
    esp=aes128-sha1-modp2048
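
An added example, not part of the original report or of strongSwan's code: a small Python triage of charon log lines like the ones above. It separates a routine DH group retry from a failure to instantiate, locally, an algorithm from a proposal the peer already answered with an SA payload. The function name `triage`, the finding labels, and the handling of `N(NO_PROP)` and of messages without a key size go beyond this log and are assumptions.

```python
import re

# Sample input: four lines copied from the log in this report.
SAMPLE = """\
06-07 16:56:26.351 I/charon: 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
06-07 16:56:26.528 I/charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
06-07 16:56:26.560 I/charon: 13[IKE] ENCRYPTION_ALGORITHM AES_CBC (key size 128) not supported!
06-07 16:56:26.561 I/charon: 13[IKE] key derivation failed
"""

# Android logcat prefix, then charon's "<thread>[<group>] <message>".
LINE = re.compile(r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \w/charon: "
                  r"(?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
PARSED = re.compile(r"parsed IKE_SA_INIT response \d+ \[ (.*) \]")
DH_RETRY = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
# Assumption: the key size part is optional for non-cipher transforms.
UNSUPPORTED = re.compile(r"(\w+) (\w+)(?: \(key size (\d+)\))? not supported!")


def triage(log_text):
    """Return (kind, detail) findings in log order."""
    findings, peer_selected_sa = [], False
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if p := PARSED.search(msg):
            payloads = p[1].split()
            # An SA payload in the response means the peer picked a proposal.
            peer_selected_sa = "SA" in payloads
            if "N(NO_PROP)" in payloads:
                findings.append(("proposal_mismatch", "peer chose none of the offered proposals"))
        elif d := DH_RETRY.search(msg):
            # INVAL_KE retry: the exchange restarts with the requested group.
            findings.append(("dh_group_retry", f"{d[1]} -> {d[2]}"))
        elif u := UNSUPPORTED.search(msg):
            # After a selected proposal this points at the local crypto
            # backend, not at a configuration mismatch between the peers.
            kind = "local_crypto_unsupported" if peer_selected_sa else "unsupported_algorithm"
            findings.append((kind, u[2] + (f"/{u[3]}" if u[3] else "")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(kind, detail)
```
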
History
#1 Updated by Tobias Brunner over 9 years ago
- Tracker changed from Issue to Bug
- Subject changed from BoringSSL in Android client to Failed to create ciphers with BoringSSL in Android client
- Category set to android
- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Target version set to 5.5.0
- Resolution set to Fixed
Fixed with the referenced commit.