Community discussions

MikroTik App
  4. RouterOS
  5. General

Android always-on IPSec problems

Post Reply
 
lorsungcu
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 11:11 pm

Android always-on IPSec problems

Thu Oct 09, 2014 4:58 am

Hello
I'm trying to set up some android devices with always-on IPSec VPNs, using IPSec with x-auth/psk. I can connect fine with the devices normally, but when i turn them to 'always on', I get this error in the logs:
Code: Select all
oct/08 20:12:17 ipsec,debug ipsec =>: rejected authmethod: DB(prop#1:trns#1):Peer(prop#1:trns#1) = XAuth pskey server:GSS-API on Kerberos 5
oct/08 20:12:17 ipsec,debug ipsec =>: no suitable proposal found. 
oct/08 20:12:17 ipsec,error failed to get valid proposal. 
oct/08 20:12:17 ipsec,error ipsec =>: failed to get valid proposal. 
oct/08 20:12:17 ipsec,error failed to pre-process ph1 packet (side: 1, status 1). 
oct/08 20:12:17 ipsec,error ipsec =>: failed to pre-process ph1 packet (side: 1, status 1). 
oct/08 20:12:17 ipsec,error phase1 negotiation failed. 
oct/08 20:12:17 ipsec,error ipsec =>: phase1 negotiation failed.
Here's the peer config:
Code: Select all
add auth-method=pre-shared-key-xauth enc-algorithm=aes-256 generate-policy=port-strict hash-algorithm=sha1 mode-config=xauth_mobile nat-traversal=no passive=yes policy-group=xauth_mobile
And the proposal:
Code: Select all
add enc-algorithms=aes-256-cbc lifetime=8h name=xauth_mobile pfs-group=none
Also tried using certificates and hybrid RSA/PSK, same result. Is there any hope of getting this working? Anyone done it successfully?
Top
 
lorsungcu
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 11:11 pm

Re: Android always-on IPSec problems

Sun Oct 12, 2014 11:54 pm

Anyone? Mikrotik?
Top
 
lorsungcu
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 11:11 pm

Re: Android always-on IPSec problems

Thu Oct 16, 2014 12:24 am

Last bump before I give up. Anyone have any ideas?
Top
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:
Contact mrz

Re: Android always-on IPSec problems

Thu Oct 16, 2014 12:03 pm

Look at the first line from logs. It means that client is no longer using xauth authentication.
Top
 
lorsungcu
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 81
Joined: Sat Jul 09, 2011 11:11 pm

Re: Android always-on IPSec problems

Thu Oct 16, 2014 7:51 pm

Google thinks it's the router screwing things up. I am sure it isn't, but I guess it's just not possible. Any idea if RouterOS will support any of the GSS-API stuff?
Top
 
User avatar
mrz
MikroTik Support
MikroTik Support
Posts: 7198
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:
Contact mrz

Re: Android always-on IPSec problems

Fri Oct 17, 2014 3:52 pm

If it is Mutual RSA+Xauth then we have plans to implement it in the future versions.
Top
Post Reply
  4. RouterOS
  5. General