Android Always ON VPN (How to use the Always ON VPN option?)
Kerio User Forums » Kerio Control

RMCholewa:
Hi there,

I am trying to set up the Kerio Control VPN server to receive Android IPsec VPN connections with the always-on feature.

The always-on feature enables the device to keep the VPN connection on at all times and only allow traffic through it. The big issue here is the fact that Android only enables this option if I use the IPSec Xauth RSA option.

I have already exported the Kerio Control certificates in PKCS#12 format, along with the CA and user certificates, and imported them into the device (it is a Sony Xperia Z3 D6633 Dual, running Android 5.0.2).

Then, while setting up the IPSec Xauth RSA connection, I chose the server's external IP and internal DNS servers.

When I try to connect to the server without the "use certificate for clients", "use preshared key" and "enable MSCHAP v2 authentication" options disabled, I get the following from the debug log:

[16/May/2015 19:43:07] {charon} charon: 11[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:43:07] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[16/May/2015 19:43:07] {charon} charon: 11[IKE] no IKE config found for a.b.c.d...x.y.z.w, sending NO_PROPOSAL_CHOSEN
[16/May/2015 19:43:07] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 3226241301 [ N(NO_PROP) ]

When I try to connect with "use certificate for clients" enabled and the VPN configured on Android to use the respective certificates, I receive the following in the debug log:

[16/May/2015 19:46:22] {charon} charon: 10[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:46:22] {charon} charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received XAuth vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received Cisco Unity vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received FRAGMENTATION vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received DPD vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] x.y.z.w is initiating a Main Mode IKE_SA
[16/May/2015 19:46:22] {charon} charon: 10[IKE] x.y.z.w is initiating a Main Mode IKE_SA
[16/May/2015 19:46:22] {charon} charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
[16/May/2015 19:46:22] {charon} charon: 10[NET] sending packet: from a.b.c.d[500] to x.y.z.w[500] (136 bytes)
[16/May/2015 19:46:23] {charon} charon: 03[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (252 bytes)
[16/May/2015 19:46:23] {charon} charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
[16/May/2015 19:46:23] {charon} charon: 03[IKE] Sending 1 CERTREQ payloads (max is 5)
[16/May/2015 19:46:23] {charon} charon: 03[IKE] sending cert request for "CN=kerio.domain.com, OU=domain.com, O=Intranet, L=city, ST=state, C=CN"
[16/May/2015 19:46:23] {charon} charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
[16/May/2015 19:46:23] {charon} charon: 03[NET] sending packet: from a.b.c.d[500] to x.y.z.w[500] (398 bytes)
[16/May/2015 19:46:24] {charon} charon: 11[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (1404 bytes)
[16/May/2015 19:46:24] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] received end entity cert "CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN"
[16/May/2015 19:46:24] {charon} charon: 11[CFG] looking for XAuthInitRSA peer configs matching a.b.c.d...x.y.z.w[CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] no peer config found
[16/May/2015 19:46:24] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 1292230040 [ HASH N(AUTH_FAILED) ]
[16/May/2015 19:46:24] {charon} charon: 11[NET] sending packet: from a.b.c.d[500] to x.y.z.w[500] (108 bytes)

Any ideas?
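The two debug logs in this post show two different stopping points in the IKEv1 Main Mode exchange, and the difference is the whole diagnosis. The following script is an added example for this thread (not Kerio's or strongSwan's code): it parses charon lines in the format Kerio Control prints and reports how far the responder got, which vendor IDs the client sent, which authentication method charon looked for a peer config under, and which notify it sent back. The sample lines are copied from the post (the second set trimmed); the diagnosis wording is the example's own.

```python
"""Summarize a strongSwan (charon) IKEv1 negotiation from debug-log lines.

Added example for this thread; it is not Kerio's or strongSwan's code. The
sample logs are copied from the post (addresses redacted as there); the
diagnosis strings are this example's own reading of the log.
"""
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \{charon\} charon: "
                     r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
PACKET_RE = re.compile(r"^received packet: from (?P<peer>\S+)\[\d+\]")
VENDOR_RE = re.compile(r"^received (?P<vid>.+?) vendor ID$")
EXCH_RE = re.compile(r"^(?:parsed|generating) (?P<exch>[A-Z_0-9]+) "
                     r"(?:request|response) \d+ \[ (?P<payloads>[^\]]*) \]$")
PEER_CFG_RE = re.compile(r"^looking for (?P<auth>\S+) peer configs matching "
                         r".+?\.\.\.[^\[]+\[(?P<ident>.+)\]$")
CERT_RE = re.compile(r'^received end entity cert "(?P<dn>[^"]+)"$')
NOTIFY_RE = re.compile(r"N\((?P<notify>[A-Z_]+)\)")
NOTIFY_ALIASES = {"NO_PROP": "NO_PROPOSAL_CHOSEN"}  # charon's short form in payload lists


def parse_line(raw: str) -> Optional[Dict[str, str]]:
    """Split one charon log line into timestamp, thread, subsystem and message."""
    m = LINE_RE.match(raw.strip())
    return m.groupdict() if m else None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Describe what the responder saw and decided for one connection attempt."""
    vendor_ids: List[str] = []
    exchanges: List[Tuple[str, str, List[str]]] = []  # (in/out, exchange, payloads)
    peer = auth = ident = cert = notify = None
    reasons: List[str] = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = ev["msg"]
        if (m := PACKET_RE.match(msg)) and peer is None:
            peer = m["peer"]
        elif m := VENDOR_RE.match(msg):
            vendor_ids.append(m["vid"])
        elif m := EXCH_RE.match(msg):
            # charon "parses" what the client sent and "generates" its own replies.
            direction = "in" if msg.startswith("parsed") else "out"
            exchanges.append((direction, m["exch"], m["payloads"].split()))
            if direction == "out":
                for n in NOTIFY_RE.findall(msg):
                    notify = NOTIFY_ALIASES.get(n, n)
        elif m := PEER_CFG_RE.match(msg):
            auth, ident = m["auth"], m["ident"]
        elif m := CERT_RE.match(msg):
            cert = m["dn"]
        elif msg.startswith(("no IKE config found", "no peer config found")):
            reasons.append(msg)

    if notify == "NO_PROPOSAL_CHOSEN" and any(r.startswith("no IKE") for r in reasons):
        diagnosis = ("rejected on the first Main Mode message: no IKE config matched "
                     "this address pair, so the server is not set up to talk IKEv1 "
                     "with this client at all")
    elif notify == "AUTH_FAILED" and auth:
        diagnosis = (f"phase 1 reached the ID/CERT/SIG message; the client sent "
                     f"'{ident}' but charon found no {auth} peer config for it "
                     f"(the lookup fails before the signature is even verified)")
    elif reasons:
        diagnosis = "; ".join(reasons)
    else:
        diagnosis = "no failure notify within the captured lines"
    return {"peer": peer, "vendor_ids": vendor_ids, "exchanges": exchanges,
            "auth_method": auth, "peer_identity": ident, "client_cert": cert,
            "sent_notify": notify, "diagnosis": diagnosis}


# Constructed sample input: lines copied from the post above.
SAMPLE_NO_PROPOSAL = """\
[16/May/2015 19:43:07] {charon} charon: 11[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:43:07] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[16/May/2015 19:43:07] {charon} charon: 11[IKE] no IKE config found for a.b.c.d...x.y.z.w, sending NO_PROPOSAL_CHOSEN
[16/May/2015 19:43:07] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 3226241301 [ N(NO_PROP) ]
""".splitlines()

SAMPLE_AUTH_FAILED = """\
[16/May/2015 19:46:22] {charon} charon: 10[NET] received packet: from x.y.z.w[500] to a.b.c.d[500] (720 bytes)
[16/May/2015 19:46:22] {charon} charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received XAuth vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[IKE] received Cisco Unity vendor ID
[16/May/2015 19:46:22] {charon} charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
[16/May/2015 19:46:23] {charon} charon: 03[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
[16/May/2015 19:46:23] {charon} charon: 03[ENC] generating ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
[16/May/2015 19:46:24] {charon} charon: 11[ENC] parsed ID_PROT request 0 [ ID CERT SIG ]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] received end entity cert "CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN"
[16/May/2015 19:46:24] {charon} charon: 11[CFG] looking for XAuthInitRSA peer configs matching a.b.c.d...x.y.z.w[CN=kerio.domain.com, OU=domain.com, O=Org, L=city, ST=state, C=CN]
[16/May/2015 19:46:24] {charon} charon: 11[IKE] no peer config found
[16/May/2015 19:46:24] {charon} charon: 11[ENC] generating INFORMATIONAL_V1 request 1292230040 [ HASH N(AUTH_FAILED) ]
""".splitlines()

if __name__ == "__main__":
    for name, log in (("Xauth RSA, client certs off", SAMPLE_NO_PROPOSAL),
                      ("Xauth RSA, client certs on", SAMPLE_AUTH_FAILED)):
        print(name, "->", summarize(log)["diagnosis"])
```

What the two results tell you: in the first log charon refuses the very first message (no IKE config for the address pair), so nothing about certificates is involved yet. In the second log the client's end-entity certificate is received and parsed, and the failure is the peer-config lookup for the XAuthInitRSA method, which in strongSwan happens before the signature is checked. That points at the server having no IKEv1 XAuth-with-RSA profile rather than at the PKCS#12 import on the phone.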

RMCholewa:
Update:

I changed to L2TP/IPsec RSA and it connected manually. To my surprise, Android 5.0.2 accepts this VPN mode for the always-on feature.

Now, the funny part: I am able to successfully connect the VPN manually (if I choose to connect) and traffic is OK, working without a problem.

Once I choose the always-on feature, it stops connecting.

Does anyone have an Android device with the always-on feature working with Kerio Control?

Thanks.