<div dir="ltr"><div>It's taken me hours but I've finally made this work with ipvanish. I spent a long time trying the same things you did before I noticed an L2TP guide on ipvanish which said to use the PSK "ipvanish", so I gave it a go.</div><div><br></div><div>/etc/ipsec.conf</div><pre># connection section header added; options as posted
conn ipvanish
    keyexchange=ikev2
    left=%defaultroute
    # request a virtual IP from the server
    leftsourceip=%config
    # client side: EAP-MSCHAPv2 with the username/password from ipsec.secrets
    leftauth=eap-mschapv2
    leftid=USERNAME
    right=nqt-c01.ipvanish.com
    # server side: authenticated with the PSK from ipsec.secrets
    rightauth=psk
    # send all traffic through the tunnel
    rightsubnet=0.0.0.0/0
    auto=start</pre><div>/etc/ipsec.secrets</div><pre>: PSK "ipvanish"
USERNAME : EAP "PASSWORD"</pre><div><br></div>Hope it helps,<div>Mike<br><br>On Sunday, November 27, 2016 at 1:24:37 AM UTC, Carson Gaspar wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;">I'm trying to set up IKEv2 to <a href="http://ipvanish.com" target="_blank" rel="nofollow">ipvanish.com</a>'s VPN service. I can't manage to get past authenticating their server. 
Log excerpt (I have a full decrypted packet trace if more info would be helpful):<pre>generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.69[4500] to 81.171.97.38[4500] (476 bytes)
received packet: from 81.171.97.38[4500] to 192.168.1.69[4500] (1708 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID N(AUTH_FOLLOWS) ]
received end entity cert "OU=Domain Control Validated, CN=*.vpn.ipvanish.com"
no trusted RSA public key found for '81.171.97.38'
generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]</pre><p>The packet dump shows them sending an IDr of ID_IPV4_ADDR: 81.171.97.38. Sadly, their cert is missing a SAN for that, as a dump of their cert shows:</p><pre>         Subject: OU=Domain Control Validated, CN=*.vpn.ipvanish.com
             X509v3 Subject Alternative Name:
                 DNS:*.vpn.ipvanish.com, DNS:vpn.ipvanish.com</pre><p>Is there any way to override the IDr they send in my strongswan config? I've tried everything I can think of in rightid/rightcert/rightsigkey and always get the "no trusted RSA public key" error. I'm a strongswan n00b, so apologies if I'm missing something obvious.</p><p>The only IKEv2 client they officially support is iOS, so there's really no chance of getting them to fix their end :-(</p><p>-- <br>Carson</p><p>_______________________________________________<br>Users mailing list<br>Us...@lists.strongswan.org<br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank" rel="nofollow">https://lists.strongswan.org/mailman/listinfo/users</a></p></blockquote></div></div>
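<p>Added example for the identity-mismatch failure in the quoted message (not code from the thread, and not strongSwan's own implementation): a simplified model of how an IKEv2 initiator matches the responder's IDr against the subjectAltName entries of the certificate it presents. The SAN list is copied from the certificate dump above, the ID type names follow the charon log, and <code>host.vpn.ipvanish.com</code> is a hypothetical name chosen to fall under the wildcard.</p>

```python
"""Model of IKEv2 responder-identity (IDr) vs. certificate SAN matching.

Added illustration for the thread above, not strongSwan's own code. Rule
modelled: ID_IPV4_ADDR is satisfied only by an iPAddress SAN, ID_FQDN only
by a dNSName SAN, and a wildcard dNSName covers exactly one leftmost label.
"""
from ipaddress import ip_address
from typing import Iterable, Optional

ID_IPV4_ADDR = "ID_IPV4_ADDR"   # identity type names as printed by charon
ID_FQDN = "ID_FQDN"

# SAN list copied from the certificate dump quoted in the thread.
IPVANISH_SANS = ["DNS:*.vpn.ipvanish.com", "DNS:vpn.ipvanish.com"]


def dns_san_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style wildcard: '*' may only stand for the whole leftmost label."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    suffix = pattern[1:]                      # e.g. ".vpn.ipvanish.com"
    if not fqdn.endswith(suffix):
        return False
    leftmost = fqdn[: -len(suffix)]           # the label the wildcard must cover
    return leftmost != "" and "." not in leftmost and "*" not in leftmost


def matching_san(id_type: str, id_value: str, sans: Iterable[str]) -> Optional[str]:
    """Return the SAN entry that authenticates (id_type, id_value), or None."""
    for san in sans:
        kind, _, value = san.partition(":")
        if id_type == ID_IPV4_ADDR and kind == "IP":
            if ip_address(value) == ip_address(id_value):
                return san
        elif id_type == ID_FQDN and kind == "DNS" and dns_san_matches(value, id_value):
            return san
    return None


if __name__ == "__main__":
    # The IDr the server sends can never match a DNS-only SAN list ...
    print(matching_san(ID_IPV4_ADDR, "81.171.97.38", IPVANISH_SANS))      # None
    # ... and neither does the connection host name, which lacks the 'vpn.' label.
    print(matching_san(ID_FQDN, "nqt-c01.ipvanish.com", IPVANISH_SANS))   # None
    # A hypothetical host directly under the wildcard would match.
    print(matching_san(ID_FQDN, "host.vpn.ipvanish.com", IPVANISH_SANS))  # DNS:*.vpn.ipvanish.com
```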