Problem using L2TP/IPSec with Android phone

Forums Network Management VPN Problem using L2TP/IPSec with Android phone

  • This topic is empty.
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • June 8, 2017 at 10:22 am #44816
    agdyer
    Member

    I’m trying to set up a Host-to-LAN VPN connection from my Android phone to my ZeroShell using L2TP/IPSec. When I try to connect, the server logs show:
    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    ERROR: the peer’s certificate is not verified.

    and the connection fails.
    Please advise on how to diagnose / what I’m doing wrong.

    Details
    ZeroShell 3.7.1
    Phone:
    Samsung Galaxy On5, Android 5.1.1

    This is my first attempt at using L2TP. I used Zeroshell’s CA to issue a cert for the phone, initially I tried to use .pem files to import the certs and key to my phone, but eventually I worked out it wanted a PKCS#12 file, so I used openssl at the command line to create one. When I attempted to connect, it failed with this error, so I looked again and realised I could export a PKCS#12 file from Zeroshell directly, so I did that, imported to my phone and still got the error. The full IPSec Log for a connection attempt is:

    17:50:59 	INFO: respond new phase 1 negotiation: 172.16.16.252[500]<=>172.16.128.14[500]
    
17:50:59 	INFO: begin Identity Protection mode.
    
17:50:59 	INFO: received Vendor ID: RFC 3947
    
17:50:59 	INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    
17:50:59 	INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    
17:50:59 	INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    
17:50:59 	INFO: received broken Microsoft ID: FRAGMENTATION
    
17:50:59 	INFO: received Vendor ID: DPD
    
17:50:59 	INFO: Selected NAT-T version: RFC 3947
    
17:50:59 	INFO: Hashing 172.16.16.252[500] with algo #1
    
17:50:59 	INFO: NAT-D payload #0 verified
    
17:50:59 	INFO: Hashing 172.16.128.14[500] with algo #1
    
17:50:59 	INFO: NAT-D payload #1 verified
    
17:50:59 	INFO: NAT not detected
    
17:50:59 	INFO: Hashing 172.16.128.14[500] with algo #1
    
17:50:59 	INFO: Hashing 172.16.16.252[500] with algo #1
    
17:50:59 	INFO: Adding remote and local NAT-D payloads.
    
17:50:59 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:50:59 	ERROR: the peer's certificate is not verified.
    
17:51:02 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:02 	ERROR: the peer's certificate is not verified.
    
17:51:05 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:05 	ERROR: the peer's certificate is not verified.
    
17:51:08 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:08 	ERROR: the peer's certificate is not verified.
    
17:51:09 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:09 	ERROR: the peer's certificate is not verified.
    
17:51:11 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:11 	ERROR: the peer's certificate is not verified.
    
17:51:14 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:14 	ERROR: the peer's certificate is not verified.
    
17:51:17 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:17 	ERROR: the peer's certificate is not verified.
    
17:51:19 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:19 	ERROR: the peer's certificate is not verified.
    
17:51:20 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:20 	ERROR: the peer's certificate is not verified.
    
17:51:23 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:23 	ERROR: the peer's certificate is not verified.
    
17:51:26 	ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    
17:51:26 	ERROR: the peer's certificate is not verified.
    
17:51:59 	ERROR: phase1 negotiation failed due to time up. 22fc3d5118875b69:a99e37161cabc4d4

    The L2TP/IPSec configuration on Zeroshell is set to trust the local CA, and the client certificate was issued directly from the local CA, and the pfx file was generated by Zeroshell, so I don’t understand why the certificate isn’t being accepted.
    Thanks for any help.
    Allan[/code]

    November 7, 2017 at 9:25 am #54470
    jtaylor
    Participant

    Hi Allan,

    I was wondering if you managed to get this working in the end, as we are experiencing the same problem.

    Any help appreciated.

    James

    November 11, 2017 at 7:14 am #54471
    agdyer
    Member

    Sorry, I didn’t have a clue how to proceed, so I abandoned my attempt.If I get round to trying again, I’ll update with my progress.

    November 11, 2017 at 8:06 am #54472
    jtaylor
    Participant

    OK thanks anyway for replying, I’ll do the same.

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.