Issue #3504

Amazon FireStick StrongSwan VPN

Added by Kevin Doherty 4 months ago. Updated 28 days ago.

Status:
Closed
Priority:
Normal
Category:
android
Affected version:
5.7.2
Resolution:
No change required

Description

Hi,
I have a dedicated server running Debian 10 Buster.
strongSwan is running on it fine; I have an IKEv1 connection to a Meraki MX and an IKEv2 road warrior setup with 3 devices working OK (iOS 13 iPhone, iPad & Windows 10 laptop).

I wanted to install the strongSwan VPN app on my FireStick Model 2. I had the NordVPN app installed and working OK, so the WiFi and Internet are good. I have removed NordVPN.
I installed the v2.3.0 Android APK via Downloader/side loading.
The app runs OK.
I imported profile (see below).
I have added the user to ipsec.secrets and reloaded ipsec.
But I keep getting "Unable to connect".
Screenshot of the log from the FireStick attached.
Looks like traffic is getting to the server OK.

Main error: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error

Any good solutions that don't break my existing clients?

Profile:

{
    "uuid": "619eb893-1cee-5296-8b97-67065e039e91",
    "name": "UK-VPN",
    "type": "ikev2-mschapv2",
    "remote": {
        "addr": "vpn.domain.net",
        "id": "vpn.domain.net",
        "cert": "MIIE_____removed__"
    },
    "local": {
        "eap_id": "firegr1",
        "nat-keepalive": "60"
    }
}

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file
config setup
        charondebug="all" 
        uniqueids=never
        strictcrlpolicy=no
# VPN Client
conn clients
        auto=add
        compress=no
        mobike=yes
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=@vpn.domain.net
        leftcert=server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=172.16.98.0/24
        rightdns=172.16.98.222
        rightsendcert=never
        eap_identity=%any
        ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
        esp=aes256-sha256,aes256-sha1,aes128-sha1,3des-sha1!

Thanks

Attachment: IMG_0617.JPG (3.32 MB), Error Log, Kevin Doherty, 03.07.2020 19:32

History

#1 Updated by Kevin Doherty 4 months ago

Update:

I removed the below from config:

  1. ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
  2. esp=aes256-sha256,aes256-sha1,aes128-sha1,3des-sha1!

And the FireStick can connect now, but I had some trouble with the Windows 10 client getting a "Policy Match Error"; I had to use REGEDIT:

I added the DWORD 32-bit key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\NegotiateDH2048_AES256 and set it to 1 (decimal).

My question now is: With removing those entries, am I more or less secure?

Can I see what methods iOS, Win10 and the FireStick use, to add those in and stay secure?

Thanks

Windows 10, iOS & FireStick are now working through the VPN.

#2 Updated by Tobias Brunner 4 months ago

  • Description updated (diff)
  • Category changed from android to configuration
  • Status changed from New to Feedback

I imported profile (see below)

Interesting, so the FireStick actually implements the SAN API that allows the app to browse for profile files? Or were you able to download the profile and then open it via app from a web/file browser?

    "type": "ikev2-mschapv2",

That's not a valid value, see AndroidVPNClientProfiles. But lucky for you, the default is ikev2-eap if the parsed value is invalid.

My question now is: With removing those entries, am I more or less secure?

More secure. The modp1024 DH group should not be used anymore (see SecurityRecommendations).

Can I see what methods IOS, Win10 and FireStick use to add those in and stay secure?

While you could query the algorithms negotiated in the established SAs via ipsec statusall, it might be preferable to check in the log what algorithms the clients actually propose and then select the strongest out of them (you need to increase the log level for cfg to 2 to see the proposals). Or you could just configure your preferred proposals in a way that lists strong algorithms first in order to select those with clients that support them (strongSwan prefers its own configuration over the client's unless charon.prefer_configured_proposals is disabled).

#3 Updated by Kevin Doherty 4 months ago

Hi,

I had to use Downloader to pull in the .sswan profile file from my http server then Open it and it imported ok.
Was going to use ES File Explorer but they charge now to even open the app.

I have changed that to ikev2-eap - Still all working ok

root@vpn:~# ipsec statusall

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-9-amd64, x86_64):
uptime: 43 hours, since Jul 04 15:12:29 2020
malloc: sbrk 1789952, mmap 0, used 1093168, free 696784
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
172.16.98.0/24: 254/1/2
Listening IP addresses:
77.237.248.xx
172.16.99.1
172.16.98.222
Connections:
meraki: %any...homenet-xxx.dynamic-m.com IKEv1, dpddelay=30s
meraki: local: [77.237.248.xx] uses pre-shared key authentication
meraki: remote: [] uses pre-shared key authentication
meraki: child: 0.0.0.0/0 === 192.168.0.0/24 TUNNEL, dpdaction=restart
clients: %any...%any IKEv2, dpddelay=300s
clients: local: [vpn.domain.net] uses public key authentication
clients: cert: "CN=vpn.domain.net"
clients: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
clients: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (2 up, 0 connecting):
clients18: ESTABLISHED 2 hours ago, 77.237.248.xx[vpn.domain.net]...45.139.213.yy[firegr1]
clients18: IKEv2 SPIs: f2c84d533748b32d_i a6b9720111b273c3_r*, rekeying disabled
clients18: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
clients{59}: INSTALLED, TUNNEL, reqid 6, ESP in UDP SPIs: c8936366_i b69f394f_o
clients{59}: AES_CBC_128/HMAC_SHA2_256_128, 85661 bytes_i (358 pkts, 2s ago), 34453 bytes_o (201 pkts, 2s ago), rekeying disabled
clients{59}: 0.0.0.0/0 === 172.16.98.3/32
meraki17: ESTABLISHED 2 hours ago, 77.237.248.xx[77.237.248.xx]...92.14.156.yy[]
meraki17: IKEv1 SPIs: e1cf4e5e2b472a40_i 7cbb96b827b8c818_r*, pre-shared key reauthentication in 21 hours
meraki17: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
meraki{58}: REKEYED, TUNNEL, reqid 1, expires in 5 minutes
meraki{58}: 0.0.0.0/0 === 192.168.0.0/24
meraki{60}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c44a1468_i cf84dc2d_o
meraki{60}: AES_CBC_128/HMAC_SHA1_96, 49345 bytes_i (250 pkts, 1s ago), 39446 bytes_o (281 pkts, 0s ago), rekeying in 48 minutes
meraki{60}: 0.0.0.0/0 === 192.168.0.0/24
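
An added example (not strongSwan project code and not from the ticket) that applies the advice in #2 to the kind of output shown in #3: it scans the "IKE proposal:" lines of ipsec statusall and the "received/configured/selected proposal(s)" lines charon writes at cfg log level 2, and rates each proposal so an admin can see which connection still negotiates a group like MODP_1024 before tightening the ike/esp lines. The WEAK and LEGACY sets and the sample lines are this example's assumptions, loosely following SecurityRecommendations.

```python
# Added example, not code from the strongSwan project or this ticket.
# Rates IKE/ESP proposals found in `ipsec statusall` output or in charon's
# cfg-level-2 log lines. Which algorithms count as weak/legacy is assumed here.
import re

WEAK = {"MODP_768", "MODP_1024", "MODP_1536", "3DES_CBC", "DES_CBC",
        "HMAC_MD5_96", "PRF_HMAC_MD5"}
LEGACY = {"HMAC_SHA1_96", "PRF_HMAC_SHA1"}   # tolerated, but worth replacing

PROPOSAL_RE = re.compile(r"\b(IKE|ESP):([A-Z0-9_/]+)")

def audit(proposal):
    """Rate one 'ALG/ALG/...' string: ('weak'|'legacy'|'ok', offending algs)."""
    algs = proposal.split("/")
    bad = [a for a in algs if a in WEAK]
    if bad:
        return "weak", bad
    legacy = [a for a in algs if a in LEGACY]
    return ("legacy", legacy) if legacy else ("ok", [])

def context(line):
    """Where the proposal came from: received, configured, selected or established."""
    for key in ("received proposals", "configured proposals", "selected proposal"):
        if key in line:
            return key.split()[0]
    return "established"

def report(text):
    """Return (context, protocol, proposal, rating, offending) per proposal found."""
    rows = []
    for line in text.splitlines():
        line = line.replace("IKE proposal: ", "IKE:")  # statusall -> log notation
        for proto, prop in PROPOSAL_RE.findall(line):
            rating, bad = audit(prop)
            rows.append((context(line), proto, prop, rating, bad))
    return rows

# Constructed sample: two SA lines in ipsec statusall form plus charon cfg-level
# log lines for one connection attempt; SA numbers and details are made up.
SAMPLE = """\
clients18: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
meraki17: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
13[CFG] <clients|19> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
13[CFG] <clients|19> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
"""

if __name__ == "__main__":
    for ctx, proto, prop, rating, bad in report(SAMPLE):
        print(f"{ctx:<11} {proto} {rating:<6} {prop}  {' '.join(bad)}")
```

Feed it the real statusall output or a charon log with cfg=2 (as suggested in #2) to see per-client what is actually proposed versus what was selected.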

#4 Updated by Tobias Brunner 4 months ago

I had to use Downloader to pull in the .sswan profile file from my http server then Open it and it imported ok.
Was going to use ES File Explorer but they charge now to even open the app.

Thanks for the info, might help other users.

I have changed that to ikev2-eap - Still all working ok

Yeah, shouldn't make a difference, just wasn't fully correct.

#5 Updated by Tobias Brunner 28 days ago

  • Category changed from configuration to android
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
