https://play.google.com/store/apps/deta ... an.android
sollte diese auch den VPN-Tunnelaufbau (IKEv2/IPSec) mit dem sichereren Verfahren RSASSA-PSS nach RFC 7427 unterstützen:
https://tools.ietf.org/html/rfc7427
https://www.bsi.bund.de/SharedDocs/Down ... 102-3.html
Der VPN-Tunnel zwischen einem Android-Mobilgerät und dem LANCOM-Router (LCOS 10.12 RU7) kann erfolgreich ohne RSASSA-PSS gemäss der Anleitung unter:
viewtopic.php?f=41&t=16074&p=90462#p90462
aufgebaut werden. Mit RSASSA-PSS:
RSA/PSS Signaturen verwenden: Ja
Code: Alles auswählen
> ls /Setup/VPN/IKEv2/Auth/Digital-Signatur-Profile/
Name Auth-Methode Hash-Algorithmen
----------------------------------------------------------------------
ANDROID RSASSA-PSS SHA-384
Code: Alles auswählen
[VPN-IKE] 2018/07/30 14:46:17,122
[DEFAULT] Received packet after decryption:
IKE 2.0 Header:
Source/Port : 178.197.236.168:63517
Destination/Port : 80.218.29.42:4500
VLAN-ID : 0
HW switch port : 0
Routing-tag : 0
Com-channel : 1
Loopback : NO
| Initiator cookie : 9E 0A 4F BB DD 82 4D D2
| Responder cookie : 64 4F 8C BF CC 3F 74 D8
| Next Payload : ENCR
| Version : 2.0
| Exchange type : IKE_AUTH
| Flags : 0x08 Initiator
| Msg-ID : 1
| Length : 2399 Bytes
--- schnipp-schnapp ---
AUTH Payload
| Next Payload : CP
| CRITICAL : NO
| Reserved : 0x00
| Length : 588 Bytes
| Auth. Method : DIGITAL_SIGNATURE
| Reserved : 0x000000
| ASN.1 Length : 0x67
| ASN.1 Object : 30 41 06 09 2A 86 48 86 F7 0D 01 01 0A 30 34 A0
| 0F 30 0D 06 09 60 86 48 01 65 03 04 02 02 05 00
| A1 1C 30 1A 06 09 2A 86 48 86 F7 0D 01 01 08 30
| 0D 06 09 60 86 48 01 65 03 04 02 02 05 00 A2 03
| 02 01 30
| Signature Data : 83 3C 85 5C D6 20 C8 5E 6B ED 48 0B 08 50 16 DC
| A2 30 26 F8 F9 85 B3 AF 55 5A 22 C0 B0 08 2F 95
| 9E 4A B9 7B 80 47 88 EF FF A7 BD E7 3B 53 2E 0B
| 43 2B 47 00 33 22 CE 10 C5 BD 8A D8 38 17 55 3A
| 05 55 79 89 FA 21 03 31 E4 84 51 5E 8C 0A 97 9D
| E9 5A 8C 94 B5 8E 70 2C DC 9C D0 29 E3 88 09 8E
| 43 C0 63 A4 A7 1E CD C3 D2 67 C4 CD 0C A9 45 CE
| 40 B6 B4 2D 16 F1 4B BE 11 C8 D1 42 7C AF 52 13
| D1 61 09 58 A5 82 DC 26 BE 2B 82 FF 13 16 88 97
| 69 45 15 39 3C 65 29 4C 5D ED D5 00 FD C3 BA 82
| 87 EC FF EC A7 B7 CE 48 24 3A 0E F6 D8 20 76 DF
| B0 AF 97 9F 35 AD 44 62 C8 32 FC 40 7B 25 27 D9
| E0 64 21 48 60 6B DC 02 4E 0E 63 A6 66 F4 6A FD
| 79 08 FF 45 C4 B4 E8 3A 29 A3 73 64 F8 46 37 A0
| 93 E2 DD ED 5D 9D 80 F1 BB 35 E8 51 0F 04 BC 90
| 14 CA 90 FB 84 5D 86 86 8A FB 5D 01 89 08 2E 6E
| 8D ED 0E 41 99 01 12 BE 82 0C 53 A9 1F 31 F5 BE
| 61 EF 4C C3 4B F4 36 B8 87 C7 EE 45 52 E2 28 9A
| F6 BF 4B D7 C7 6E EF 44 B2 C5 B2 B5 07 E0 6E 31
| 32 D7 25 66 62 AB 07 19 95 4F 18 72 C1 0B 68 8B
| 7B D3 85 C2 52 B2 71 B2 6D F3 94 24 9C 19 C6 25
| 96 03 31 09 08 20 BE 48 79 FC 2C 00 31 8B C9 91
| E8 ED 45 7A 49 68 2E EF 9A 1E 0E E5 27 D5 37 46
| FF 1D A9 11 5E F8 B4 C9 89 E5 73 5A B3 B6 9E A6
| 01 9A DA 09 E9 E9 FA F2 6B B0 2D 2D F3 7A D8 1C
| 68 93 EA 3D 2E 28 D3 32 21 58 AD D3 53 91 53 D9
| 40 17 58 06 35 D9 F7 7B E7 84 C2 C1 9B 8A 8E F2
| 28 26 26 4D 0C 97 C5 20 0C 93 F5 D6 E4 3B 50 89
| 17 BA 49 25 24 AC C0 CD AC 70 85 70 04 3A 9C 3A
| E7 15 66 8E 42 9C BF 46 88 A8 A9 77 5A 19 85 BE
| F1 91 BB 66 01 AB 5C 21 79 A4 E8 FC C3 73 27 C4
| 00 CB 39 71 16 0D CA 58 5E 47 04 52 E6 7F 1A 94
--- schnipp-schnapp ---
Received 6 notifications:
+INITIAL_CONTACT (STATUS)
+ESP_TFC_PADDING_NOT_SUPPORTED (STATUS)
+MOBIKE_SUPPORTED (STATUS)
+NO_ADDITIONAL_ADDRESSES (STATUS)
+EAP_ONLY_AUTHENTICATION (STATUS)
+MESSAGE_ID_SYNC_SUPPORTED (STATUS)
+Received-ID CN=tabletirene.invalid:DER_ASN1_DN matches the Expected-ID CN=tabletirene.invalid:DER_ASN1_DN
+Peer identified: VPN_TABLET_P
-Unknown ASN.1 Object 0x304106092A864886F70D01010A3034A00F300D06096086480165030402020500A11C301A06092A864886F70D010108300D06096086480165030402020500A203020130 => abort
--- schnipp-schnapp ---
[VPN-IKE] 2018/07/30 14:46:17,142
[VPN_TABLET_P] Sending packet before encryption:
IKE 2.0 Header:
Source/Port : 80.218.29.42:4500
Destination/Port : 178.197.236.168:63517
VLAN-ID : 0
HW switch port : 0
Routing-tag : 0
Com-channel : 1
Loopback : NO
| Initiator cookie : 9E 0A 4F BB DD 82 4D D2
| Responder cookie : 64 4F 8C BF CC 3F 74 D8
| Next Payload : ENCR
| Version : 2.0
| Exchange type : IKE_AUTH
| Flags : 0x20 Response
| Msg-ID : 1
| Length : 65 Bytes
ENCR Payload
| Next Payload : NOTIFY
| CRITICAL : NO
| Reserved : 0x00
| Length : 37 Bytes
| IV : 5E 73 1B 57 66 5C 76 45
| ICV : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
NOTIFY Payload
| Next Payload : NONE
| CRITICAL : NO
| Reserved : 0x00
| Length : 8 Bytes
| Protocol ID : IPSEC_IKE
| SPI size : 0
| Message type : AUTHENTICATION_FAILED
Rest : 00