03-29 19:16:56.979: I/charon(20761): 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
03-29 19:16:56.979: I/charon(20761): 00[JOB] spawning 16 worker threads
03-29 19:16:56.984: I/CharonVpnService(20761): charon started
03-29 19:16:56.989: I/charon(20761): 07[IKE] initiating IKE_SA android[26] to 54.241.2.194
03-29 19:16:57.114: I/charon(20761): 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
03-29 19:16:57.114: I/charon(20761): 07[NET] sending packet: from 10.88.0.237[39874] to 54.241.2.194[500] (1012 bytes)
03-29 19:16:57.314: I/charon(20761): 10[NET] received packet: from 54.241.2.194[500] to 10.88.0.237[39874] (456 bytes)
03-29 19:16:57.314: I/charon(20761): 10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
03-29 19:16:57.439: I/charon(20761): 10[IKE] local host is behind NAT, sending keep alives
03-29 19:16:57.439: I/charon(20761): 10[IKE] remote host is behind NAT
03-29 19:16:57.444: I/charon(20761): 10[IKE] sending cert request for "C=CN, O=Dingtone, CN=Dingtone CA"
03-29 19:16:57.444: I/charon(20761): 10[IKE] establishing CHILD_SA android
03-29 19:16:57.449: I/charon(20761): 10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
03-29 19:16:57.449: I/charon(20761): 10[NET] sending packet: from 10.88.0.237[49871] to 54.241.2.194[4500] (524 bytes)
03-29 19:16:57.709: I/charon(20761): 11[NET] received packet: from 54.241.2.194[4500] to 10.88.0.237[49871] (1292 bytes)
03-29 19:16:57.709: I/charon(20761): 11[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
03-29 19:16:57.719: I/charon(20761): 11[IKE] received end entity cert "C=CN, O=Dingtone, CN=vpn.dingtoneme.net"
03-29 19:16:57.724: I/charon(20761): 11[CFG] using certificate "C=CN, O=Dingtone, CN=vpn.dingtoneme.net"
03-29 19:16:57.729: I/charon(20761): 11[CFG] using trusted ca certificate "C=CN, O=Dingtone, CN=Dingtone CA"
03-29 19:16:57.729: I/charon(20761): 11[CFG] reached self-signed root ca with a path length of 0
03-29 19:16:57.734: I/charon(20761): 11[IKE] authentication of 'C=CN, O=Dingtone, CN=vpn.dingtoneme.net' with RSA_EMSA_PKCS1_SHA256 successful
03-29 19:16:57.734: I/charon(20761): 11[CFG] constraint check failed: identity '54.241.2.194' required
03-29 19:16:57.739: I/charon(20761): 11[CFG] selected peer config 'android' inacceptable: constraint checking failed
03-29 19:16:57.739: I/charon(20761): 11[CFG] no alternative config found
03-29 19:16:57.739: I/charon(20761): 11[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
03-29 19:16:57.744: I/charon(20761): 11[NET] sending packet: from 10.88.0.237[49871] to 54.241.2.194[4500] (76 bytes)
03-29 19:16:59.999: I/CharonVpnService(20761): charon stopped
This problem was finally solved by specifying several additional SANs (subjectAltName entries) when generating the server certificate, so that every address the client might be configured with is covered:
strongswan pki --issue --outform pem --cacert caCert.pem --cakey caKey.pem \
--in serverPub.pem --dn "C=CN, O=TZ, CN=TZ Server" --san="vpn.dingtoneme.net" \
--san="54.241.2.194" --san="42.120.18.120" --san="52.79.82.23" \
--flag serverAuth --flag ikeIntermediate > serverCert.pem
The strongSwan wiki page https://wiki.strongswan.org/projects/strongswan/wiki/AndroidVPNClient specifically points this out (in its Important and Note paragraphs):
There are some limitations:
1. Only IKEv2 is supported
2. EAP authentication based on username/password (EAP-MSCHAPv2, EAP-MD5), RSA/ECDSA authentication with private key/certificate
Important: The hostname/IP of the VPN gateway, as configured in the VPN profile, has to be contained as subjectAltName extension in the VPN gateway's certificate
Note: There are some serious issues on Android 4.4 before 4.4.3 (see #462)
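As an added check (my own code, not from the original post or the strongSwan project), the stdlib-only Python below builds the subjectAltName GeneralNames that the pki command above produces and tests the rule behind the "identity '54.241.2.194' required" failure in the log: the gateway as typed into the VPN profile must match an iPAddress entry when it is an IP, or a dNSName entry when it is a hostname. Function names and the constructed sample SAN list are assumptions of this example.

```python
import ipaddress

TAG_DNS = 0x82  # subjectAltName GeneralName [2] dNSName, IA5String (RFC 5280, 4.2.1.6)
TAG_IP = 0x87   # subjectAltName GeneralName [7] iPAddress, 4-byte IPv4 or 16-byte IPv6

def _der_len(n):  # encode a DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_len(der, pos):  # decode the DER length at der[pos] -> (length, next offset)
    if der[pos] < 0x80:
        return der[pos], pos + 1
    n = der[pos] & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def encode_san(values):
    """GeneralNames SEQUENCE as `pki --issue --san ...` writes it: IP -> iPAddress, else dNSName."""
    out = b""
    for v in values:
        try:
            raw, tag = ipaddress.ip_address(v).packed, TAG_IP
        except ValueError:
            raw, tag = v.encode("ascii"), TAG_DNS
        out += bytes([tag]) + _der_len(len(raw)) + raw
    return b"\x30" + _der_len(len(out)) + out

def decode_san(der):
    """Parse GeneralNames into (dns_names, ip_addresses); other name types are skipped."""
    total, pos = _read_len(der, 1)  # der[0] is the SEQUENCE tag 0x30
    end, dns, ips = pos + total, [], []
    while pos < end:
        tag = der[pos]
        length, pos = _read_len(der, pos + 1)
        value, pos = der[pos:pos + length], pos + length
        if tag == TAG_DNS:
            dns.append(value.decode("ascii").lower())
        elif tag == TAG_IP:
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def gateway_in_san(gateway, san_der):
    """Android client constraint: the gateway as typed into the profile (IP or hostname) must be in the SAN."""
    dns, ips = decode_san(san_der)
    try:
        return ipaddress.ip_address(gateway) in ips
    except ValueError:
        return gateway.lower() in dns

# Constructed sample (assumption): the four --san values from the pki command in this post.
SAN_DER = encode_san(["vpn.dingtoneme.net", "54.241.2.194", "42.120.18.120", "52.79.82.23"])
```

Running `gateway_in_san("54.241.2.194", SAN_DER)` reproduces the check that failed in the log above, now passing because the IP is present as an iPAddress entry; a certificate that only carries CN=vpn.dingtoneme.net would still fail it.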