Problem using L2TP/IPSec with Android phone


This topic contains 2 replies, has 0 voices, and was last updated by  agdyer 1 year ago.

    #44816

    agdyer
    Member

    I’m trying to set up a Host-to-LAN VPN connection from my Android phone to my ZeroShell using L2TP/IPSec. When I try to connect, the server logs show:
    ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    ERROR: the peer’s certificate is not verified.

    and the connection fails.
    Please advise on how to diagnose / what I’m doing wrong.

    Details
    ZeroShell 3.7.1
    Phone:
    Samsung Galaxy On5, Android 5.1.1

    This is my first attempt at using L2TP. I used Zeroshell’s CA to issue a cert for the phone. Initially I tried to use .pem files to import the certs and key to my phone, but eventually I worked out it wanted a PKCS#12 file, so I used openssl at the command line to create one. When I attempted to connect, it failed with this error, so I looked again and realised I could export a PKCS#12 file from Zeroshell directly, so I did that, imported it to my phone and still got the error. The full IPSec log for a connection attempt is:

    17:50:59 INFO: respond new phase 1 negotiation: 172.16.16.252[500]<=>172.16.128.14[500]
    17:50:59 INFO: begin Identity Protection mode.
    17:50:59 INFO: received Vendor ID: RFC 3947
    17:50:59 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    17:50:59 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    17:50:59 INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    17:50:59 INFO: received broken Microsoft ID: FRAGMENTATION
    17:50:59 INFO: received Vendor ID: DPD
    17:50:59 INFO: Selected NAT-T version: RFC 3947
    17:50:59 INFO: Hashing 172.16.16.252[500] with algo #1
    17:50:59 INFO: NAT-D payload #0 verified
    17:50:59 INFO: Hashing 172.16.128.14[500] with algo #1
    17:50:59 INFO: NAT-D payload #1 verified
    17:50:59 INFO: NAT not detected
    17:50:59 INFO: Hashing 172.16.128.14[500] with algo #1
    17:50:59 INFO: Hashing 172.16.16.252[500] with algo #1
    17:50:59 INFO: Adding remote and local NAT-D payloads.
    17:50:59 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:50:59 ERROR: the peer's certificate is not verified.
    17:51:02 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:02 ERROR: the peer's certificate is not verified.
    17:51:05 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:05 ERROR: the peer's certificate is not verified.
    17:51:08 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:08 ERROR: the peer's certificate is not verified.
    17:51:09 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:09 ERROR: the peer's certificate is not verified.
    17:51:11 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:11 ERROR: the peer's certificate is not verified.
    17:51:14 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:14 ERROR: the peer's certificate is not verified.
    17:51:17 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:17 ERROR: the peer's certificate is not verified.
    17:51:19 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:19 ERROR: the peer's certificate is not verified.
    17:51:20 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:20 ERROR: the peer's certificate is not verified.
    17:51:23 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:23 ERROR: the peer's certificate is not verified.
    17:51:26 ERROR: unable to get local issuer certificate(20) at depth:0 SubjectName:/OU=Hosts/CN=sting.dyer.yuikee.com.hk
    17:51:26 ERROR: the peer's certificate is not verified.
    17:51:59 ERROR: phase1 negotiation failed due to time up. 22fc3d5118875b69:a99e37161cabc4d4

    The L2TP/IPSec configuration on Zeroshell is set to trust the local CA, and the client certificate was issued directly from the local CA, and the pfx file was generated by Zeroshell, so I don’t understand why the certificate isn’t being accepted.
    Thanks for any help.
    Allan
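
The error in the log above, `unable to get local issuer certificate(20)`, is OpenSSL's X.509 verify error 20: the IKE daemon (racoon, judging by the log format) received the phone's certificate but could not locate its issuer CA in the trust store it was given, so the failure is on the server's CA-lookup side rather than in the phone's key material. The following is an added example, not code from this thread or from ZeroShell, that reproduces the error with a throw-away CA and runs the three checks a practitioner would want: verify the client certificate against a CA directory without and then with the hashed file name OpenSSL's directory lookup requires, and verify the certificate inside a PKCS#12 export against the CA. It assumes only the openssl CLI; every subject, file name and password is constructed.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 20 ("unable to get local
# issuer certificate") and show the CA-store checks that clear it.
# Assumes the openssl CLI; every name, path and password here is constructed.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Throw-away CA plus a client certificate signed by it (stand-ins for the
# ZeroShell CA and the phone's certificate; subjects are made up).
openssl req -x509 -newkey rsa:2048 -nodes -days 7 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/OU=Hosts/CN=phone.example.test" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 7 -out client.pem >/dev/null 2>&1
# The PKCS#12 bundle a phone would import (constructed password "test").
openssl pkcs12 -export -in client.pem -inkey client.key -passout pass:test \
  -out phone.pfx

# verify_against_dir DIR CERT: chain CERT to a CA found in DIR, the way an
# OpenSSL-based IKE daemon looks trusted CAs up (by hashed file name).
# Prints "<cert>: OK" or the OpenSSL error text; never aborts the script.
verify_against_dir() {
  openssl verify -CApath "$1" "$2" 2>&1 || true
}

# Case 1: the CA file is present but only under its own name, so the
# directory lookup cannot find the issuer -> error 20, as in the log above.
mkdir -p certs_nohash
cp ca.pem certs_nohash/

# Case 2: same CA, plus the <subject-hash>.0 name the lookup requires
# (this is what c_rehash creates).
mkdir -p certs_hashed
cp ca.pem certs_hashed/
ln -s ca.pem "certs_hashed/$(openssl x509 -hash -noout -in ca.pem).0"

result_nohash() { verify_against_dir "$WORK/certs_nohash" "$WORK/client.pem"; }
result_hashed() { verify_against_dir "$WORK/certs_hashed" "$WORK/client.pem"; }

# Case 3: check the client's own export: does the certificate inside the
# PKCS#12 file chain to the CA the server is supposed to trust?
# verify_pkcs12_against_ca FILE.pfx CA.pem PASSWORD
verify_pkcs12_against_ca() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$3" 2>/dev/null \
    | openssl verify -CAfile "$2" 2>&1 || true
}
result_pfx() { verify_pkcs12_against_ca "$WORK/phone.pfx" "$WORK/ca.pem" test; }
```

If case 3 passes for the real export but the server still logs error 20, the certificate is fine and the CA simply is not findable where the daemon looks for it; if case 3 fails, the phone holds a certificate from a different CA than the one the server trusts.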

    #54470

    jtaylor
    Member

    Hi Allan,

    I was wondering if you managed to get this working in the end, as we are experiencing the same problem.

    Any help appreciated.

    James

    #54471

    agdyer
    Member

    Sorry, I didn’t have a clue how to proceed, so I abandoned my attempt. If I get round to trying again, I’ll update with my progress.

    #54472

    jtaylor
    Member

    OK thanks anyway for replying, I’ll do the same.
