<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
The gateway has an external IP address of 70.169.168.7 and is FreeBSD 9.x
with IPSEC in the kernel, running StrongSwan 5.0.1 compiled from
ports. This is my first (yeah, I know) attempt at getting
StrongSwan and IKEv2 set up; I have a working L2TP configuration
that other clients use, but it is not IPSEC-specific (and did not
require the kernel recompile). The firewall has both UDP 500 and 4500
permitted in both directions, and logging shows no problems with the
firewall or any packets blocked.<br>
<br>
Configuration on the phone and intended use is PSK only on the
connection, no certificate validation for either end.<br>
<br>
ipsec.conf:<br>
<pre>
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn %default
        keyingtries=1
        keyexchange=ikev2
        authby=secret

conn remote
        left=70.169.168.7
        leftsubnet=192.168.1.0/24
        right=%any
        rightsourceip=192.168.2.0/24
        auto=add
</pre>
<br>
ipsec.secrets:<br>
<pre>
%any : PSK "mysecretisinhere"
</pre>
<br>
<br>
The Z-10 phone is set up for an IKEv2 generic gateway using the DNS hostname.
When attempting to connect I get this in /var/log/daemon:<br>
<pre>
Apr 19 09:01:26 NewFS charon: 12[NET] received packet: from 192.168.1.21[500] to 70.169.168.7[500]
Apr 19 09:01:26 NewFS charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 19 09:01:26 NewFS charon: 12[IKE] 192.168.1.21 is initiating an IKE_SA
Apr 19 09:01:26 NewFS charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 19 09:01:26 NewFS charon: 12[NET] sending packet: from 70.169.168.7[500] to 192.168.1.21[500]
Apr 19 09:01:26 NewFS charon: 10[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:26 NewFS charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi AUTH CP(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(MOBIKE_SUP) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 19 09:01:26 NewFS charon: 10[CFG] looking for peer configs matching 70.169.168.7[%any]...192.168.1.21[107.97.114.108]
Apr 19 09:01:26 NewFS charon: 10[CFG] selected peer config 'remote'
Apr 19 09:01:26 NewFS charon: 10[IKE] authentication of '107.97.114.108' with pre-shared key successful
Apr 19 09:01:26 NewFS charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 19 09:01:26 NewFS charon: 10[IKE] peer supports MOBIKE
Apr 19 09:01:26 NewFS charon: 10[IKE] authentication of '70.169.168.7' (myself) with pre-shared key
Apr 19 09:01:26 NewFS charon: 10[IKE] IKE_SA remote[9] established between 70.169.168.7[70.169.168.7]...192.168.1.21[107.97.114.108]
Apr 19 09:01:26 NewFS charon: 10[IKE] scheduling reauthentication in 9799s
Apr 19 09:01:26 NewFS charon: 10[IKE] maximum IKE_SA lifetime 10339s
Apr 19 09:01:26 NewFS charon: 10[IKE] peer requested virtual IP %any
Apr 19 09:01:26 NewFS charon: 10[CFG] reassigning offline lease to '107.97.114.108'
Apr 19 09:01:26 NewFS charon: 10[IKE] assigning virtual IP 192.168.2.2 to peer '107.97.114.108'
Apr 19 09:01:26 NewFS charon: 10[IKE] CHILD_SA remote{7} established with SPIs c46a0659_i 394d837a_o and TS 192.168.1.0/24 === 192.168.2.2/32
Apr 19 09:01:26 NewFS charon: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Apr 19 09:01:26 NewFS charon: 10[NET] sending packet: from 70.169.168.7[4500] to 192.168.1.21[4500]
Apr 19 09:01:36 NewFS charon: 11[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:36 NewFS charon: 11[IKE] ignoring IKE_AUTH in established IKE_SA state
Apr 19 09:01:46 NewFS charon: 13[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:46 NewFS charon: 13[IKE] ignoring IKE_AUTH in established IKE_SA state
</pre>
<br>
It doesn't matter if I am connected via WiFi on the local LAN (which
should work but is a degenerate case) or over the cellular network.
I tried it on WiFi to eliminate the possibility that the carrier was
interfering with the passing of the IKE_AUTH response back to the
phone.<br>
<br>
It appears that the phone is never seeing the AUTH response.
<br>
<br>
If I'm reading this correctly the authentication against the PSK
succeeds, and I have this in the security associations on the host:<br>
<br>
<pre>
root@NewFS:/var/log # ipsec status
Security Associations (1 up, 0 connecting):
      remote[9]: ESTABLISHED 3 minutes ago, 70.169.168.7[70.169.168.7]...192.168.1.21[107.97.114.108]
      remote{7}:  INSTALLED, TUNNEL, ESP SPIs: c46a0659_i 394d837a_o
      remote{7}:   192.168.1.0/24 === 192.168.2.2/32
</pre>
<br>
So it appears that we have a valid tunnel and connection, but the
phone never gets the authentication response and thus keeps trying
to resubmit the request.<br>
<br>
Any ideas on where to start trying to get this thing operational?
Once I have this working I'll worry about multi-client (e.g.
PAM-based) authentication -- right now I'm just trying to get ANY
connection operational.<br>
<br>
Thanks in advance.<br>
<br>
<div class="moz-signature">-- <br>
-- Karl Denninger<br>
<a href="http://market-ticker.org"><i>The Market Ticker ®</i></a><br>
Cuda Systems LLC</div>
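<br>
Added example (editor's addition, not part of Karl's post and not strongSwan project code): the conclusion in the post is read off the charon lines by hand. The script below does the same mechanically so it can be run over a fuller /var/log/daemon. It groups events per peer, ties charon's unnamed state messages ("authentication of ...", "ignoring IKE_AUTH ...") to a peer through the worker-thread prefix on each line, and reports a peer as stuck when the responder has established the IKE_SA and generated its IKE_AUTH response yet keeps receiving IKE_AUTH retransmissions afterward, which is the pattern in this log (retransmits at +10 s and +20 s). The sample input is a constructed, trimmed copy of the log lines above. One side observation it also prints: the peer identity charon shows as 107.97.114.108 decodes byte-for-byte to the ASCII string "karl", which suggests the phone sent a four-byte text identity that ended up typed or displayed as an IPv4 address; that reading is an assumption, not something the log proves, and it does not by itself explain the stalled exchange.<br>

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the charon lines quoted in the post, trimmed to the
# entries this analysis needs, one log entry per line.
SAMPLE_LOG = """\
Apr 19 09:01:26 NewFS charon: 12[NET] received packet: from 192.168.1.21[500] to 70.169.168.7[500]
Apr 19 09:01:26 NewFS charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 19 09:01:26 NewFS charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Apr 19 09:01:26 NewFS charon: 10[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:26 NewFS charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi AUTH CP(ADDR MASK DNS DNS NBNS NBNS VER) N(INIT_CONTACT) N(MOBIKE_SUP) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Apr 19 09:01:26 NewFS charon: 10[IKE] authentication of '107.97.114.108' with pre-shared key successful
Apr 19 09:01:26 NewFS charon: 10[IKE] IKE_SA remote[9] established between 70.169.168.7[70.169.168.7]...192.168.1.21[107.97.114.108]
Apr 19 09:01:26 NewFS charon: 10[IKE] assigning virtual IP 192.168.2.2 to peer '107.97.114.108'
Apr 19 09:01:26 NewFS charon: 10[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Apr 19 09:01:36 NewFS charon: 11[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:36 NewFS charon: 11[IKE] ignoring IKE_AUTH in established IKE_SA state
Apr 19 09:01:46 NewFS charon: 13[NET] received packet: from 192.168.1.21[4500] to 70.169.168.7[4500]
Apr 19 09:01:46 NewFS charon: 13[IKE] ignoring IKE_AUTH in established IKE_SA state
"""

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ charon: "
                     r"(?P<thread>\d+)\[[A-Z]+\] (?P<msg>.*)$")
RECV_RE = re.compile(r"received packet: from (?P<ip>[\d.]+)\[\d+\] to ")
REQ_RE = re.compile(r"parsed (?P<ex>IKE_SA_INIT|IKE_AUTH) request (?P<mid>\d+)")
RESP_RE = re.compile(r"generating (?P<ex>IKE_SA_INIT|IKE_AUTH) response (?P<mid>\d+)")
PSK_RE = re.compile(r"authentication of '(?P<id>[^']+)' with pre-shared key successful")
ESTAB_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\]) established between")
VIP_RE = re.compile(r"assigning virtual IP (?P<vip>[\d.]+) to peer")
IGNORE_RE = re.compile(r"ignoring (?P<ex>\w+) in established IKE_SA state")


def _ts(s):
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_log(text):
    """Group charon events by peer address. State messages do not name the peer,
    so each is attributed to the source of the last packet handled by the same
    worker thread (the 'NN[' prefix charon puts on every line)."""
    peers = defaultdict(lambda: {"requests": [], "responses": [], "psk_ids": [],
                                 "established": None, "virtual_ip": None, "ignored": []})
    thread_peer = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, thread, msg = m.group("ts"), m.group("thread"), m.group("msg")
        if (r := RECV_RE.search(msg)):
            thread_peer[thread] = r.group("ip")
            continue
        if thread not in thread_peer:
            continue
        p = peers[thread_peer[thread]]
        if (e := REQ_RE.search(msg)):
            p["requests"].append((e.group("ex"), int(e.group("mid")), ts))
        elif (e := RESP_RE.search(msg)):
            p["responses"].append((e.group("ex"), int(e.group("mid")), ts))
        elif (e := PSK_RE.search(msg)):
            p["psk_ids"].append(e.group("id"))
        elif (e := ESTAB_RE.search(msg)):
            p["established"] = (e.group("sa"), ts)
        elif (e := VIP_RE.search(msg)):
            p["virtual_ip"] = e.group("vip")
        elif (e := IGNORE_RE.search(msg)):
            p["ignored"].append((e.group("ex"), ts))
    return dict(peers)


def diagnose(peers):
    """One verdict per peer, seen from the responder side."""
    verdicts = {}
    for ip, p in peers.items():
        auth_sent = [r for r in p["responses"] if r[0] == "IKE_AUTH"]
        retrans = [r for r in p["ignored"] if r[0] == "IKE_AUTH"]
        if p["established"] and auth_sent and retrans:
            # Offsets of each ignored IKE_AUTH relative to our IKE_AUTH response.
            t0 = _ts(auth_sent[0][2])
            gaps = "/".join(f"+{int((_ts(t) - t0).total_seconds())}" for _, t in retrans)
            verdicts[ip] = (f"stuck: PSK auth of {','.join(p['psk_ids'])} succeeded, "
                            f"{p['established'][0]} established and IKE_AUTH response sent, "
                            f"but the peer re-sent IKE_AUTH {len(retrans)} time(s) at {gaps} s; "
                            "the initiator never accepted the response")
        elif p["established"]:
            verdicts[ip] = f"ok: {p['established'][0]} established, virtual IP {p['virtual_ip']}"
    return verdicts


def dotted_id_as_ascii(ident):
    """Show a dotted-quad identity as the four ASCII bytes it would be if it were
    text rather than an address; None unless all four octets are printable ASCII."""
    octets = [int(o) for o in ident.split(".")]
    if len(octets) != 4 or not all(32 <= o < 127 for o in octets):
        return None
    return "".join(map(chr, octets))


if __name__ == "__main__":
    for ip, verdict in diagnose(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", verdict)
    # Assumption, not a finding: 107.97.114.108 read as text is "karl".
    print("peer identity 107.97.114.108 as text:", dotted_id_as_ascii("107.97.114.108"))
```

Run it against a real daemon log with <code>python3 triage.py &lt; /var/log/daemon</code> after swapping SAMPLE_LOG for sys.stdin.read(); the thread-prefix trick is what makes it hold up with several phones connecting at once, since charon interleaves their lines.<br>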
</body>
</html>