IPSec Android client

Hi,

I am connecting from an Android 4.4 device into my LAN through a RB493g using IPSec. I have managed to make this work but not quite the way I would like it to. The modes that Android offers are:

  1. IPSec Xauth PSK
  2. IPSec Xauth RSA
  3. IPSec Hybrid RSA

As far as I understand it, nr 1 uses pre-shared keys and on top of that Xauth. Nr 2 uses certificates for mutual authentication (client auths server and server auths client) and on top of that Xauth. Nr 3 only verifies the server certificate and then performs Xauth.

I have managed to make IPSec Xauth PSK and IPSec Hybrid work. However, I feel that IPSec Xauth RSA is the most secure and I would like to use that, but looking at the configuration options in RouterOS this is not supported? RouterOS has:

Preshared key xauth (This translates to Android’s IPSec Xauth PSK)
RSA Signature
RSA Signature Hybrid (This translates to Android’s IPSec Hybrid RSA)

Whenever I try to configure IPSec Xauth RSA (on Android) I get messages saying the authentication mode is not supported.

14:29:51 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client
14:29:51 ipsec,debug auth method 65005 isn't supported.
14:29:51 ipsec,debug no Proposal found.
14:29:51 ipsec,debug failed to get valid proposal.
14:29:51 ipsec,debug failed to pre-process ph1 packet (side: 1, status 1).
14:29:51 ipsec,debug phase1 negotiation failed

So to cut a long story short I have 3 questions:

  1. Does RouterOS support this: http://tools.ietf.org/html/draft-ietf-ipsec-isakmp-xauth-06 (IPSec Xauth RSA)
  2. Would it be safer to use PSK+Xauth because of the strength of the PSK or does Hybrid actually use the server certificate to transfer a session key for Xauth? Security of PSK+Xauth vs Hybrid+Xauth?
  3. I have used both transport and tunnel mode but I cannot see any ESP or AH protocols hitting the FW. Only UDP500 and UDP4500 are hitting the input chain? I thought that the tunnel would use ESP and AH protocols?
11   chain=input action=accept protocol=udp in-interface=ether1 dst-port=500
12   chain=input action=accept protocol=udp in-interface=ether1 dst-port=4500
13   chain=input action=accept protocol=ipsec-esp in-interface=ether1
14   chain=input action=accept protocol=ipsec-ah in-interface=ether1

11 and 12 are being hit, not 13 or 14. Anyone who can explain this to me?
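The following is an added example to illustrate question 3; it is not code from the thread or from MikroTik. It assumes the Android client sits behind NAT, so IKE negotiates NAT Traversal (RFC 3947/3948): once NAT is detected, IKE moves to UDP/4500 behind a four-byte non-ESP marker and the ESP packets themselves are carried as UDP/4500 payloads, so nothing ever arrives as IP protocol 50 (ESP) or 51 (AH). The packet tuples and the SPI value are constructed; the rule names mirror the four input-chain rules quoted above.

```python
"""Where ESP goes when NAT Traversal is in use (added example, not from the thread).

Assumption: the client is behind NAT, so after IKE detects it the peers use
NAT-T (RFC 3948). Inbound packets are then classified the way a RouterOS
input chain sees them, and the four rules from the post are counted.
"""
import struct

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2: IKE inside UDP/4500
NATT_KEEPALIVE = b"\xff"               # RFC 3948 section 2.3: one-byte keepalive


def classify(ip_proto, dst_port=None, payload=b""):
    """Label one inbound packet: raw ESP/AH, IKE, or UDP-encapsulated ESP."""
    if ip_proto == IP_PROTO_ESP:
        return "esp"
    if ip_proto == IP_PROTO_AH:
        return "ah"
    if ip_proto != IP_PROTO_UDP:
        return "other"
    if dst_port == IKE_PORT:
        return "ike"
    if dst_port == NATT_PORT:
        if payload == NATT_KEEPALIVE:
            return "natt-keepalive"
        if payload.startswith(NON_ESP_MARKER):
            return "ike-natt"
        # Anything else on 4500 is ESP-in-UDP: the first four bytes are the ESP
        # SPI, which is never zero, so it cannot collide with the marker.
        return "esp-in-udp"
    return "other"


def udp_esp(spi, seq, ciphertext):
    """Build the UDP/4500 payload of a UDP-encapsulated ESP packet (RFC 3948 2.1)."""
    assert spi != 0, "SPI 0 is reserved and would look like the non-ESP marker"
    return struct.pack(">II", spi, seq) + ciphertext


def rule_hits(packets):
    """Count matches for the four input-chain rules from the post (11..14)."""
    hits = {"udp dst-port=500": 0, "udp dst-port=4500": 0,
            "ipsec-esp": 0, "ipsec-ah": 0}
    for ip_proto, dst_port, payload in packets:
        label = classify(ip_proto, dst_port, payload)
        if label == "ike":
            hits["udp dst-port=500"] += 1
        elif label in ("ike-natt", "esp-in-udp", "natt-keepalive"):
            hits["udp dst-port=4500"] += 1
        elif label == "esp":
            hits["ipsec-esp"] += 1
        elif label == "ah":
            hits["ipsec-ah"] += 1
    return hits


# Constructed sample: a NAT-T session as the router sees it. Main mode starts
# on 500, IKE moves to 4500 (with the marker) after NAT detection, and data
# then flows as ESP-in-UDP under a constructed SPI of 0x0a1b2c3d.
NATT_SESSION = [
    (IP_PROTO_UDP, IKE_PORT, b"\x11" * 28),                     # IKE main mode
    (IP_PROTO_UDP, NATT_PORT, NON_ESP_MARKER + b"\x22" * 28),  # IKE on 4500
    (IP_PROTO_UDP, NATT_PORT, udp_esp(0x0A1B2C3D, 1, b"\x33" * 32)),
    (IP_PROTO_UDP, NATT_PORT, udp_esp(0x0A1B2C3D, 2, b"\x44" * 32)),
    (IP_PROTO_UDP, NATT_PORT, NATT_KEEPALIVE),
]

# Same session without NAT in the path: ESP arrives as its own IP protocol.
DIRECT_SESSION = [
    (IP_PROTO_UDP, IKE_PORT, b"\x11" * 28),
    (IP_PROTO_ESP, None, struct.pack(">II", 0x0A1B2C3D, 1) + b"\x33" * 32),
]

if __name__ == "__main__":
    print("NAT-T :", rule_hits(NATT_SESSION))
    print("direct:", rule_hits(DIRECT_SESSION))
```

Running it shows the NAT-T session touching only the two UDP rules, while the direct session is the only one that produces an ipsec-esp hit; the ESP and AH rules are still correct to keep for a peer that is not behind NAT.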

You can find all supported modes in the manual:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Peer_configuration

Yes, I have found that. If the naming scheme for the auth protocols is followed I would require rsa-signature-xauth which isn’t supported. Is this something that is on the list of things coming to RouterOS? I believe this would be the safest option, strange that this was not implemented.

So if I would have to choose between RSA Hybrid + Xauth and PSK + Xauth, which would be the safest? My idea is that if you use Hybrid, anyone can complete phase 1, leaving only Xauth to keep strangers out. When you use PSK, nobody can complete phase 1 unless they have the PSK.

Any thoughts?

Also I see quite a few of these attempts:

may/28 21:47:20 ipsec,debug debug: Invalid exchange type 243 from xxx.xxx.xxx.xxx[500].

Is this just people scanning for vulnerable IPSec servers? Is this something that would require blocking, or should I just leave it?
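As an added example (not from the thread or from MikroTik), the triage script below parses the two kinds of RouterOS ipsec debug lines quoted in this thread: the "auth method N isn't supported" line from the first post is decoded with the private-use Authentication Method values from draft-ietf-ipsec-isakmp-xauth-06 and the hybrid-auth draft, and the "Invalid exchange type N from PEER[PORT]" lines are counted per source so that a peer repeatedly sending malformed IKE stands out in the log. The peer addresses in the sample are constructed from the 203.0.113.0/24 documentation range; the threshold of three repeats is an arbitrary assumption.

```python
"""Triage of RouterOS ipsec debug log lines (added example, not from the thread)."""
import re
from collections import Counter

# ISAKMP Authentication Method attribute, private-use values from
# draft-ietf-ipsec-isakmp-xauth-06 (section 6.2) and draft-ietf-ipsec-isakmp-hybrid-auth.
XAUTH_AUTH_METHODS = {
    65001: "XAuthInitPreShared", 65002: "XAuthRespPreShared",
    65003: "XAuthInitDSS",       65004: "XAuthRespDSS",
    65005: "XAuthInitRSA",       65006: "XAuthRespRSA",
    65007: "XAuthInitRSAEncryption",        65008: "XAuthRespRSAEncryption",
    65009: "XAuthInitRSARevisedEncryption", 65010: "XAuthRespRSARevisedEncryption",
    64221: "HybridInitRSA",      64222: "HybridRespRSA",
    64223: "HybridInitDSS",      64224: "HybridRespDSS",
}

# ISAKMP exchange types (RFC 2408 section 3.1); 240..255 are private use.
EXCHANGE_TYPES = {1: "Base", 2: "Identity Protection (main mode)",
                  3: "Authentication Only", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}

AUTH_RE = re.compile(r"auth method (\d+) isn't supported")
EXCH_RE = re.compile(r"Invalid exchange type (\d+) from ([^\s\[]+)\[(\d+)\]")


def describe_auth_method(code):
    """Map a numeric Authentication Method value to its draft name."""
    name = XAUTH_AUTH_METHODS.get(code)
    return f"{code} ({name})" if name else f"{code} (unknown)"


def describe_exchange_type(code):
    """Name an ISAKMP exchange type, flagging the private-use range."""
    if 240 <= code <= 255:
        return "private use"
    return EXCHANGE_TYPES.get(code, "reserved/unknown")


def triage(lines, repeat_threshold=3):
    """Summarise unsupported auth methods and invalid-exchange-type sources."""
    unsupported = []
    invalid_by_peer = Counter()
    invalid_types = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            unsupported.append(describe_auth_method(int(m.group(1))))
            continue
        m = EXCH_RE.search(line)
        if m:
            code, peer = int(m.group(1)), m.group(2)
            invalid_by_peer[peer] += 1
            invalid_types[describe_exchange_type(code)] += 1
    # Sources that keep sending malformed IKE are the ones worth a closer look
    # (or an address-list entry); the threshold is an assumption.
    repeat_sources = sorted(p for p, n in invalid_by_peer.items() if n >= repeat_threshold)
    return {
        "unsupported_auth_methods": unsupported,
        "invalid_exchange_by_peer": dict(invalid_by_peer),
        "invalid_exchange_types": dict(invalid_types),
        "repeat_sources": repeat_sources,
    }


# Constructed sample: the lines quoted in the thread plus repeated invalid
# exchanges from two constructed peers in the 203.0.113.0/24 documentation range.
SAMPLE_LOG = [
    "14:29:51 ipsec,debug,packet type=Authentication Method, flag=0x8000, lorv=XAuth RSASIG client",
    "14:29:51 ipsec,debug auth method 65005 isn't supported.",
    "14:29:51 ipsec,debug no Proposal found.",
    "may/28 21:47:20 ipsec,debug debug: Invalid exchange type 243 from 203.0.113.7[500].",
    "may/28 21:47:21 ipsec,debug debug: Invalid exchange type 243 from 203.0.113.7[500].",
    "may/28 21:47:23 ipsec,debug debug: Invalid exchange type 243 from 203.0.113.7[500].",
    "may/28 22:03:09 ipsec,debug debug: Invalid exchange type 250 from 203.0.113.20[500].",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, 65005 decodes to XAuthInitRSA, the initiator side of the XAuth-with-RSA-signatures method that matches the "XAuth RSASIG client" proposal in the first log line and is not in the RouterOS auth-method list, and 243 falls in the private-use exchange-type range, so it is not any exchange a standard IKEv1 peer would send; the per-peer counts give a basis for deciding whether a source deserves a drop rule rather than guessing from single lines.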