
Issue #3340

certificate for android client

Added by Muhammad Tufail about 1 month ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Category:
configuration
Affected version:
5.7.2
Resolution:

Description

Hello,
Is it possible on Android to connect to the VPN using a username and password without a certificate? If not, is it possible to create one certificate for multiple servers?

For example, I have three servers:
102.22.32.12
102.22.23.13
102.43.23.44

I want to create the same certificate for all three servers, so that the Android client needs only one certificate to connect to any one of these servers.

I don't want to create a certificate for the server because I want to connect using a username and password, but if this is not possible then I want to generate only one certificate for multiple servers.

Thanks

History

#1 Updated by Tobias Brunner about 1 month ago

  • Description updated (diff)
  • Category changed from android to configuration
  • Status changed from New to Feedback

If you use server certificates issued by a CA the clients already trust (e.g. Let's Encrypt or a commercial one), you don't have to install any certificates there.

However, if you use a custom CA, you at least have to install that CA certificate on your clients. It doesn't matter if you use a single certificate for all your servers (listing the IP addresses in additional subjectAltName extensions), or separate keys/certificates for each server (recommended), only the CA certificate has to be installed on the clients. See how the pki tool can be used to create a CA.

You could also use self-signed certificates for your servers (or just one for all of them), but you then have to install these certificates on each client, and whenever a new server is added or one is removed you'd have to update these certificates on all clients. So that won't really scale.

Installation of configs and certificates can be simplified via profile files.

#2 Updated by Muhammad Tufail about 1 month ago

I created a certificate for the server and added two server IPs in the subjectAltName.
This is the output of the certificate:

 subject:  "C=CH, O=PL, CN=firstServerIp CN=secondServerIp" 
 issuer:   "C=CH, O=PL, CN=firstServerIp CN=secondServerIp" 
 validity:  not before Feb 19 06:02:36 2020, ok
                not after  Oct 28 06:02:36 2033, ok (expires in 5000 days)
 serial:    20:e1:08:ed:60:86:1f:00
 altNames:  2firstServerIp,secondServerIp
 flags:     serverAuth ikeIntermediate

When I install this certificate on the Android client side it says:

Feb 19 12:06:37 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 12:06:37 00[JOB] spawning 16 worker threads
Feb 19 12:06:37 08[IKE] initiating IKE_SA android[1] to 23.105.39.37
Feb 19 12:06:37 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 12:06:37 08[NET] sending packet: from 192.168.137.87[44938] to 23.105.39.37[500] (716 bytes)
Feb 19 12:06:37 11[NET] received packet: from 23.105.39.37[500] to 192.168.137.87[44938] (272 bytes)
Feb 19 12:06:37 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 12:06:37 11[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Feb 19 12:06:37 11[IKE] local host is behind NAT, sending keep alives
Feb 19 12:06:37 11[IKE] remote host is behind NAT
Feb 19 12:06:37 11[IKE] establishing CHILD_SA android{1}
Feb 19 12:06:37 11[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 12:06:37 11[NET] sending packet: from 192.168.137.87[38758] to 23.105.39.37[4500] (432 bytes)
Feb 19 12:06:38 12[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[38758] (1236 bytes)
Feb 19 12:06:38 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 12:06:38 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 12:06:38 13[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[38758] (452 bytes)
Feb 19 12:06:38 13[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 12:06:38 13[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1600 bytes)
Feb 19 12:06:38 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 12:06:38 13[IKE] received end entity cert "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:38 13[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:38 13[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:38 13[CFG]   using trusted certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:38 13[IKE] signature validation failed, looking for another key
Feb 19 12:06:38 13[CFG]   using certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:38 13[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:38 13[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:38 13[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 12:06:38 13[NET] sending packet: from 192.168.137.87[38758] to 23.105.39.37[4500] (80 bytes)
Feb 19 12:06:43 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 19 12:06:43 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 10 - ONEPLUS A6010_41_200115/2019-12-01, ONEPLUS A6010 - OnePlus/OnePlus6T/OnePlus, Linux 4.9.179-perf+, aarch64)
Feb 19 12:06:43 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 12:06:43 00[JOB] spawning 16 worker threads
Feb 19 12:06:43 07[IKE] initiating IKE_SA android[2] to 23.105.39.37
Feb 19 12:06:43 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 12:06:43 07[NET] sending packet: from 192.168.137.87[41192] to 23.105.39.37[500] (716 bytes)
Feb 19 12:06:44 10[NET] received packet: from 23.105.39.37[500] to 192.168.137.87[41192] (272 bytes)
Feb 19 12:06:44 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 12:06:44 10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Feb 19 12:06:44 10[IKE] local host is behind NAT, sending keep alives
Feb 19 12:06:44 10[IKE] remote host is behind NAT
Feb 19 12:06:44 10[IKE] establishing CHILD_SA android{2}
Feb 19 12:06:44 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 12:06:44 10[NET] sending packet: from 192.168.137.87[48547] to 23.105.39.37[4500] (432 bytes)
Feb 19 12:06:44 12[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[48547] (1236 bytes)
Feb 19 12:06:44 12[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 12:06:44 12[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 12:06:44 11[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[48547] (452 bytes)
Feb 19 12:06:44 11[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 12:06:44 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1600 bytes)
Feb 19 12:06:44 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 12:06:44 11[IKE] received end entity cert "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:44 11[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:44 11[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:44 11[CFG]   using trusted certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:44 11[IKE] signature validation failed, looking for another key
Feb 19 12:06:44 11[CFG]   using certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:44 11[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:44 11[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:44 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 12:06:44 11[NET] sending packet: from 192.168.137.87[48547] to 23.105.39.37[4500] (80 bytes)
Feb 19 12:06:54 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 19 12:06:54 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 10 - ONEPLUS A6010_41_200115/2019-12-01, ONEPLUS A6010 - OnePlus/OnePlus6T/OnePlus, Linux 4.9.179-perf+, aarch64)
Feb 19 12:06:54 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 12:06:54 00[JOB] spawning 16 worker threads
Feb 19 12:06:54 10[IKE] initiating IKE_SA android[3] to 23.105.39.37
Feb 19 12:06:54 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 12:06:54 10[NET] sending packet: from 192.168.137.87[39127] to 23.105.39.37[500] (716 bytes)
Feb 19 12:06:55 08[NET] received packet: from 23.105.39.37[500] to 192.168.137.87[39127] (272 bytes)
Feb 19 12:06:55 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 12:06:55 08[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Feb 19 12:06:55 08[IKE] local host is behind NAT, sending keep alives
Feb 19 12:06:55 08[IKE] remote host is behind NAT
Feb 19 12:06:55 08[IKE] establishing CHILD_SA android{3}
Feb 19 12:06:55 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 12:06:55 08[NET] sending packet: from 192.168.137.87[38395] to 23.105.39.37[4500] (432 bytes)
Feb 19 12:06:55 11[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[38395] (1236 bytes)
Feb 19 12:06:55 11[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 12:06:55 11[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 12:06:55 09[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[38395] (452 bytes)
Feb 19 12:06:55 09[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 12:06:55 09[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1600 bytes)
Feb 19 12:06:55 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 12:06:55 09[IKE] received end entity cert "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:55 09[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:55 09[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:55 09[CFG]   using trusted certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:55 09[IKE] signature validation failed, looking for another key
Feb 19 12:06:55 09[CFG]   using certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:55 09[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:55 09[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:06:55 09[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 12:06:55 09[NET] sending packet: from 192.168.137.87[38395] to 23.105.39.37[4500] (80 bytes)
Feb 19 12:07:15 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 19 12:07:15 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 10 - ONEPLUS A6010_41_200115/2019-12-01, ONEPLUS A6010 - OnePlus/OnePlus6T/OnePlus, Linux 4.9.179-perf+, aarch64)
Feb 19 12:07:15 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 12:07:15 00[JOB] spawning 16 worker threads
Feb 19 12:07:15 06[IKE] initiating IKE_SA android[4] to 23.105.39.37
Feb 19 12:07:15 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 12:07:15 06[NET] sending packet: from 192.168.137.87[37798] to 23.105.39.37[500] (716 bytes)
Feb 19 12:07:16 09[NET] received packet: from 23.105.39.37[500] to 192.168.137.87[37798] (272 bytes)
Feb 19 12:07:16 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 12:07:16 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
Feb 19 12:07:16 09[IKE] local host is behind NAT, sending keep alives
Feb 19 12:07:16 09[IKE] remote host is behind NAT
Feb 19 12:07:16 09[IKE] establishing CHILD_SA android{4}
Feb 19 12:07:16 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 12:07:16 09[NET] sending packet: from 192.168.137.87[38607] to 23.105.39.37[4500] (432 bytes)
Feb 19 12:07:16 10[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[38607] (1236 bytes)
Feb 19 12:07:16 10[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 12:07:16 10[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 12:07:16 11[NET] received packet: from 23.105.39.37[4500] to 192.168.137.87[38607] (452 bytes)
Feb 19 12:07:16 11[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 12:07:16 11[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1600 bytes)
Feb 19 12:07:16 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Feb 19 12:07:16 11[IKE] received end entity cert "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:07:16 11[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:07:16 11[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:07:16 11[CFG]   using trusted certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:07:16 11[IKE] signature validation failed, looking for another key
Feb 19 12:07:16 11[CFG]   using certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:07:16 11[CFG] no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:07:16 11[CFG]   issuer is "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
Feb 19 12:07:16 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Feb 19 12:07:16 11[NET] sending packet: from 192.168.137.87[38607] to 23.105.39.37[4500] (80 bytes)

#3 Updated by Tobias Brunner about 1 month ago

Looks like you messed something up (maybe keys don't match).

#4 Updated by Muhammad Tufail about 1 month ago

Thanks for the response.

I used the same method to create a certificate for only one server, and then the certificate works fine.
But when I add two server IPs in the CN, the certificate is not working.
Can you please let me know what my error is?
Thanks.

#5 Updated by Tobias Brunner about 1 month ago

> I used the same method to create a certificate for only one server, and then the certificate works fine.
> But when I add two server IPs in the CN, the certificate is not working.
> Can you please let me know what my error is?

Don't know. The problem is not really the IP addresses (the error happens before these would become relevant). Maybe you mixed up the certificates/keys (if this certificate is not self-signed, it's definitely not ideal that the CA uses the same subject DN). Also, you don't have to use multiple CNs in the DN. You could just use something generic there and add the IP addresses as SAN. But that's not really related to the error. Try verifying that the certificate/chain is actually valid by using pki --verify and also make sure the certificate you installed on the client is actually the correct one.

#6 Updated by Muhammad Tufail about 1 month ago

I think the certificate is valid.
Running the command pki --verify gives this output:

no issuer certificate found for "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
  issuer is "C=CH, O=Pentaloop, CN=23.105.39.37, CN=108.62.123.64" 
  using trusted certificate "C=CH, O=PL, CN=23.105.39.37, CN=108.62.123.64" 
certificate trusted, lifetimes valid

#7 Updated by Tobias Brunner about 1 month ago

> I think the certificate is valid.
> Running the command pki --verify gives this output:

It's not the same certificate you used before (different issuer). And it will only be trusted if you have the issuer certificate ("C=CH, O=Pentaloop, CN=23.105.39.37, CN=108.62.123.64") installed on the client. The tool could be a bit misleading if you don't specify any CA certificates (via --cacert) as end-entity certificates are trusted as long as that certificate itself is used as trust anchor (i.e. is installed on the client).
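To make the trust model described in comments #1, #5 and #7 concrete, here is an added example that is not code from the strongSwan project or from anyone in this thread. It is written against Go's standard crypto/x509 package instead of the pki tool, so it runs without strongSwan installed, but it goes through the same steps: build a CA, issue one gateway certificate carrying the three addresses from the description as IP subjectAltNames with a generic CN, and then run the client-side check under each trust-store content discussed above: only the CA installed, a different CA with the same DN but another key (the "keys don't match" case), a self-signed gateway certificate installed as its own trust anchor, nothing installed, and a valid chain for an address that is not in the SAN list. The CA name "PL Root CA", the CN "vpn-gateways" and the address 203.0.113.9 are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Constructed sample data: the three gateway addresses from the issue description.
var gatewayIPs = []net.IP{net.ParseIP("102.22.32.12"), net.ParseIP("102.22.23.13"), net.ParseIP("102.43.23.44")}

type CertAndKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign generates a fresh key for tmpl and has it certified by parent/signer; with a nil
// signer the certificate is self-signed (the counterpart of "pki --self").
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) CertAndKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return CertAndKey{cert, key}
}

// NewCA builds a self-signed CA, the counterpart of "pki --self --ca" (the CA name is an assumption).
func NewCA(cn string) CertAndKey {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Country: []string{"CH"}, Organization: []string{"PL"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// IssueGateway issues one end-entity certificate whose subjectAltName lists every gateway address
// (like "pki --issue ... --san <ip> --san <ip> --flag serverAuth"); a nil issuer makes it self-signed.
func IssueGateway(issuer *CertAndKey, ips []net.IP) CertAndKey {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Country: []string{"CH"}, Organization: []string{"PL"}, CommonName: "vpn-gateways"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(2 * 365 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ips,
	}
	if issuer == nil {
		return sign(tmpl, nil, nil)
	}
	return sign(tmpl, issuer.Cert, issuer.Key)
}

// ClientAccepts performs the two checks a client makes on a gateway certificate: it must chain to
// (or itself be) a certificate in the client's trust store, and the dialled address must be a SAN.
func ClientAccepts(gateway *x509.Certificate, trustStore []*x509.Certificate, dialledIP string) error {
	roots := x509.NewCertPool() // an explicit (possibly empty) pool, never the system store
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	if _, err := gateway.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err
	}
	return gateway.VerifyHostname(dialledIP)
}

// RunScenarios exercises one case per point raised in the thread; a nil value means the client accepts.
func RunScenarios() map[string]error {
	ca := NewCA("PL Root CA")
	impostor := NewCA("PL Root CA") // same DN, different key: what "keys don't match" looks like
	issued := IssueGateway(&ca, gatewayIPs)
	selfSigned := IssueGateway(nil, gatewayIPs)
	return map[string]error{
		"only CA installed":     ClientAccepts(issued.Cert, []*x509.Certificate{ca.Cert}, "102.22.23.13"),             // comment #1
		"wrong CA installed":    ClientAccepts(issued.Cert, []*x509.Certificate{impostor.Cert}, "102.22.23.13"),       // comment #3
		"self-signed installed": ClientAccepts(selfSigned.Cert, []*x509.Certificate{selfSigned.Cert}, "102.43.23.44"), // comments #1, #7
		"nothing installed":     ClientAccepts(issued.Cert, nil, "102.22.32.12"),                                      // the log in #2
		"address not in SAN":    ClientAccepts(issued.Cert, []*x509.Certificate{ca.Cert}, "203.0.113.9"),              // valid chain, wrong address
	}
}
```

The "only CA installed" case is what pki --verify --cacert checks, and it is the only one that scales: the clients hold the CA, and gateways can be added or replaced without touching them. "self-signed installed" also passes, but only because the end-entity certificate itself is in the trust store, which is the situation comment #7 warns pki --verify will report as trusted when no --cacert is given. The last case shows that a valid chain is not enough on its own; the address the client connected to must also be among the SANs.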
