www.zeroshell.org Forum Index www.zeroshell.org
Linux Distribution for server and embedded devices
 

Problem using L2TP/IPSec with Android phone

 
agdyer



Joined: 08 Jun 2017
Posts: 2

Posted: Thu Jun 08, 2017 10:22 am    Post subject: Problem using L2TP/IPSec with Android phone

I'm trying to set up a Host-to-LAN VPN connection from my Android phone to my ZeroShell using L2TP/IPSec. When I try to connect, the server logs show:
ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
ERROR: the peer's certificate is not verified.

and the connection fails.
Please advise on how to diagnose / what I'm doing wrong.

Details
ZeroShell 3.7.1
Phone:
Samsung Galaxy On5, Android 5.1.1

This is my first attempt at using L2TP. I used Zeroshell's CA to issue a cert for the phone. Initially I tried to use .pem files to import the certs and key to my phone, but eventually I worked out it wanted a PKCS#12 file, so I used openssl at the command line to create one. When I attempted to connect, it failed with this error, so I looked again and realised I could export a PKCS#12 file from Zeroshell directly, so I did that, imported it to my phone and still got the error. The full IPSec log for a connection attempt is:

Code:
17:50:59    INFO: respond new phase 1 negotiation: 172.16.16.252[500]<=>172.16.128.14[500]
17:50:59    INFO: begin Identity Protection mode.
17:50:59    INFO: received Vendor ID: RFC 3947
17:50:59    INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
17:50:59    INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
17:50:59    INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
17:50:59    INFO: received broken Microsoft ID: FRAGMENTATION
17:50:59    INFO: received Vendor ID: DPD
17:50:59    INFO: Selected NAT-T version: RFC 3947
17:50:59    INFO: Hashing 172.16.16.252[500] with algo #1
17:50:59    INFO: NAT-D payload #0 verified
17:50:59    INFO: Hashing 172.16.128.14[500] with algo #1
17:50:59    INFO: NAT-D payload #1 verified
17:50:59    INFO: NAT not detected
17:50:59    INFO: Hashing 172.16.128.14[500] with algo #1
17:50:59    INFO: Hashing 172.16.16.252[500] with algo #1
17:50:59    INFO: Adding remote and local NAT-D payloads.
17:50:59    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:50:59    ERROR: the peer's certificate is not verified.
17:51:02    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:02    ERROR: the peer's certificate is not verified.
17:51:05    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:05    ERROR: the peer's certificate is not verified.
17:51:08    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:08    ERROR: the peer's certificate is not verified.
17:51:09    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:09    ERROR: the peer's certificate is not verified.
17:51:11    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:11    ERROR: the peer's certificate is not verified.
17:51:14    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:14    ERROR: the peer's certificate is not verified.
17:51:17    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:17    ERROR: the peer's certificate is not verified.
17:51:19    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:19    ERROR: the peer's certificate is not verified.
17:51:20    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:20    ERROR: the peer's certificate is not verified.
17:51:23    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:23    ERROR: the peer's certificate is not verified.
17:51:26    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:26    ERROR: the peer's certificate is not verified.
17:51:59    ERROR: phase1 negotiation failed due to time up. 22fc3d5118875b69:a99e37161cabc4d4

The L2TP/IPSec configuration on Zeroshell is set to trust the local CA, and the client certificate was issued directly from the local CA, and the pfx file was generated by Zeroshell, so I don't understand why the certificate isn't being accepted.
Thanks for any help.
Allan
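
Added example, not part of the original post: the message and code 20 in the log above match OpenSSL's verification error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, raised when the verifier cannot find the issuer of the peer's certificate among the CA certificates it trusts. The script reproduces that result with constructed CAs and a constructed host certificate (all names and files are made up; nothing here comes from ZeroShell).

```shell
#!/bin/sh
# Constructed demo: every CA, host name and file below is made up for illustration.
set -eu
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# make_ca NAME: create a self-signed CA certificate ($W/NAME.crt) and key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$W/$1.key" -out "$W/$1.crt" >/dev/null 2>&1
}

# issue CA HOST: create a key and CSR for HOST and sign it with CA.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/OU=Hosts/CN=$2" \
    -keyout "$W/$2.key" -out "$W/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$W/$2.csr" -CA "$W/$1.crt" -CAkey "$W/$1.key" \
    -CAcreateserial -days 2 -out "$W/$2.crt" >/dev/null 2>&1
}

# verify_against CA HOST: print "OK", or the number of the first verify error.
# The output is parsed instead of the exit status because old OpenSSL
# releases exit 0 even when verification fails.
verify_against() {
  out=$(openssl verify -CAfile "$W/$1.crt" "$W/$2.crt" 2>&1) || true
  code=$(printf '%s\n' "$out" |
    sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo OK
  else echo UNKNOWN
  fi
}

make_ca issuing-ca
make_ca other-ca
issue issuing-ca phone.example

echo "trusting issuing-ca: $(verify_against issuing-ca phone.example)"
echo "trusting other-ca:   $(verify_against other-ca phone.example)"
```

To run the same check on real files, point `-CAfile` at the CA certificate the verifying side is configured to trust and pass the certificate the peer presents.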
jtaylor



Joined: 14 Feb 2013
Posts: 4

Posted: Tue Nov 07, 2017 9:25 am

Hi Allan,

I was wondering if you managed to get this working in the end, as we are experiencing the same problem.

Any help appreciated.

James
agdyer



Joined: 08 Jun 2017
Posts: 2

Posted: Sat Nov 11, 2017 7:14 am

Sorry, I didn't have a clue how to proceed, so I abandoned my attempt. If I get round to trying again, I'll update with my progress.
jtaylor



Joined: 14 Feb 2013
Posts: 4

Posted: Sat Nov 11, 2017 8:06 am

OK thanks anyway for replying, I'll do the same.