Problem using L2TP/IPSec with Android phone
June 8, 2017 at 10:22 am #44816
agdyer (Member)
I'm trying to set up a Host-to-LAN VPN connection from my Android phone to my ZeroShell using L2TP/IPSec. When I try to connect, the server logs show:
ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
ERROR: the peer's certificate is not verified.
and the connection fails.
Please advise on how to diagnose / what I'm doing wrong.

Details
ZeroShell 3.7.1
Phone: Samsung Galaxy On5, Android 5.1.1

This is my first attempt at using L2TP. I used Zeroshell's CA to issue a cert for the phone. Initially I tried to use .pem files to import the certs and key to my phone, but eventually I worked out it wanted a PKCS#12 file, so I used openssl at the command line to create one. When I attempted to connect, it failed with this error, so I looked again and realised I could export a PKCS#12 file from Zeroshell directly, so I did that, imported it to my phone and still got the error. The full IPSec log for a connection attempt is:
17:50:59 INFO: respond new phase 1 negotiation: 172.16.16.252[500]<=>172.16.128.14[500]
17:50:59 INFO: begin Identity Protection mode.
17:50:59 INFO: received Vendor ID: RFC 3947
17:50:59 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
17:50:59 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
17:50:59 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
17:50:59 INFO: received broken Microsoft ID: FRAGMENTATION
17:50:59 INFO: received Vendor ID: DPD
17:50:59 INFO: Selected NAT-T version: RFC 3947
17:50:59 INFO: Hashing 172.16.16.252[500] with algo #1
17:50:59 INFO: NAT-D payload #0 verified
17:50:59 INFO: Hashing 172.16.128.14[500] with algo #1
17:50:59 INFO: NAT-D payload #1 verified
17:50:59 INFO: NAT not detected
17:50:59 INFO: Hashing 172.16.128.14[500] with algo #1
17:50:59 INFO: Hashing 172.16.16.252[500] with algo #1
17:50:59 INFO: Adding remote and local NAT-D payloads.
17:50:59 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:50:59 ERROR: the peer's certificate is not verified.
17:51:02 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:02 ERROR: the peer's certificate is not verified.
17:51:05 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:05 ERROR: the peer's certificate is not verified.
17:51:08 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:08 ERROR: the peer's certificate is not verified.
17:51:09 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:09 ERROR: the peer's certificate is not verified.
17:51:11 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:11 ERROR: the peer's certificate is not verified.
17:51:14 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:14 ERROR: the peer's certificate is not verified.
17:51:17 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:17 ERROR: the peer's certificate is not verified.
17:51:19 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:19 ERROR: the peer's certificate is not verified.
17:51:20 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:20 ERROR: the peer's certificate is not verified.
17:51:23 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:23 ERROR: the peer's certificate is not verified.
17:51:26 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
17:51:26 ERROR: the peer's certificate is not verified.
17:51:59 ERROR: phase1 negotiation failed due to time up. 22fc3d5118875b69:a99e37161cabc4d4
The L2TP/IPSec configuration on Zeroshell is set to trust the local CA, the client certificate was issued directly from the local CA, and the pfx file was generated by Zeroshell, so I don't understand why the certificate isn't being accepted.
Thanks for any help.
Allan

November 7, 2017 at 9:25 am #54470
jtaylor (Participant)
Hi Allan,
I was wondering if you managed to get this working in the end, as we are experiencing the same problem.
Any help appreciated.
James
November 11, 2017 at 7:14 am #54471
agdyer (Member)
Sorry, I didn't have a clue how to proceed, so I abandoned my attempt. If I get round to trying again, I'll update with my progress.
November 11, 2017 at 8:06 am #54472
jtaylor (Participant)
OK, thanks anyway for replying. I'll do the same.