<p>hi all,</p>
<p> </p>
<p>I have a strongswan server (U5.5.0/K3.12.28+) on a raspberry pi & two devices : a windows 10 surface tab & an Ipad (10.21).</p>
<p>I want to activate ikev2/ipsec vpns. I use built-in ikev2 clients.</p>
<p> </p>
<p>So far the only working conf is with iPad and psk - I was forced to use apple configurator to generate a customized mobileconfig file. </p>
<p>On Ipad, the configuration with certificate on the device itself does not seem to work -> traces on the server show that the device asks for eap.</p>
<p>With the apple configurator mobileconfig file (with certificates this time), it's better but in negociation process the device stops responding (I can see port unreachable packets in the capture): </p>
<p> </p>
<p>10[NET] received packet: from 161.106.240.156[500] to 161.106.240.155[500] (428 bytes)<br />10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]<br />10[IKE] 161.106.240.156 is initiating an IKE_SA<br />10[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br />10[IKE] remote host is behind NAT<br />10[IKE] sending cert request for "C=FR, O=DreamSwanPI, CN=DreamSwanPI CA"<br />10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]<br />10[NET] sending packet: from 161.106.240.155[500] to 161.106.240.156[500] (461 bytes)<br />07[NET] received packet: from 161.106.240.156[1293] to 161.106.240.155[4500] (1412 bytes)<br />07[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]<br />07[IKE] received end entity cert "C=FR, O=DreamSwanPI, CN=Ipad2"<br />07[CFG] looking for peer configs matching 161.106.240.155[vpnPI.strongswan.org]...161.106.240.156[Ipad2]<br />07[CFG] selected peer config 'Ios'<br />07[CFG] using trusted ca certificate "C=FR, O=DreamSwanPI, CN=DreamSwanPI CA"<br />07[CFG] checking certificate status of "C=FR, O=DreamSwanPI, CN=Ipad2"<br />07[CFG] certificate status is not available<br />07[CFG] reached self-signed root ca with a path length of 0<br />07[CFG] using trusted certificate "C=FR, O=DreamSwanPI, CN=Ipad2"<br />07[IKE] authentication of 'Ipad2' with RSA signature successful<br />07[IKE] processing INTERNAL_IP4_ADDRESS attribute<br />07[IKE] processing INTERNAL_IP4_DHCP attribute<br />07[IKE] processing INTERNAL_IP4_DNS attribute<br />07[IKE] processing INTERNAL_IP4_NETMASK attribute<br />07[IKE] processing INTERNAL_IP6_ADDRESS attribute<br />07[IKE] processing INTERNAL_IP6_DHCP attribute<br />07[IKE] processing INTERNAL_IP6_DNS attribute<br />07[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br />07[IKE] peer supports MOBIKE<br />07[IKE] authentication of 'vpnPI.strongswan.org' (myself) with RSA signature successful<br />07[IKE] IKE_SA Ios[1] established between 161.106.240.155[vpnPI.strongswan.org]...161.106.240.156[Ipad2]<br />07[IKE] IKE_SA Ios[1] state change: CONNECTING => ESTABLISHED<br />07[IKE] scheduling rekeying in 13613s<br />07[IKE] maximum IKE_SA lifetime 15053s<br />07[IKE] sending end entity cert "C=FR, O=DreamSwanPI, CN=vpnPI.strongswan.org"<br />07[IKE] peer requested virtual IP %any<br />07[CFG] assigning new lease to 'Ipad2'<br />07[IKE] assigning virtual IP 10.0.2.1 to peer 'Ipad2'<br />07[IKE] peer requested virtual IP %any6<br />07[IKE] no virtual IP found for %any6 requested by 'Ipad2'<br />07[IKE] CHILD_SA default{1} established with SPIs c28e65bf_i 025b0308_o and TS 1.1.1.1/32 161.106.240.155/32 === 10.0.2.1/32<br />07[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]<br />07[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (1380 bytes)<br />14[KNL] creating rekey job for CHILD_SA ESP/0x025b0308/161.106.240.156<br />14[IKE] queueing CHILD_REKEY task<br />14[IKE] activating new tasks<br />14[IKE] activating CHILD_REKEY task<br />14[IKE] establishing CHILD_SA default{1}<br />14[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]<br />14[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)<br />08[KNL] creating rekey job for CHILD_SA ESP/0xc28e65bf/161.106.240.155<br />08[IKE] queueing CHILD_REKEY task<br />08[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress<br />11[KNL] creating delete job for CHILD_SA ESP/0xc28e65bf/161.106.240.155<br />11[IKE] queueing CHILD_DELETE task<br />11[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress<br />15[KNL] creating delete job for CHILD_SA ESP/0x025b0308/161.106.240.156<br />15[IKE] queueing CHILD_DELETE task<br />15[IKE] delaying task initiation, CREATE_CHILD_SA exchange in progress<br /><strong>06[IKE] retransmit 1 of request with message ID 0</strong><br /><strong>06[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)</strong><br /><strong>09[IKE] retransmit 2 of request with message ID 0</strong><br /><strong>09[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)</strong><br /><strong>07[IKE] retransmit 3 of request with message ID 0</strong><br /><strong>07[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)</strong><br /><strong>11[IKE] retransmit 4 of request with message ID 0</strong><br /><strong>11[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)</strong><br /><strong>06[IKE] retransmit 5 of request with message ID 0</strong><br /><strong>06[NET] sending packet: from 161.106.240.155[4500] to 161.106.240.156[1293] (300 bytes)</strong><br />.</p>
<p> </p>
<p>On Surface tab (win10), I don't have any working conf. The tab keeps on asking for eap even if certificate auth is configured. </p>
<p>I've tried several configurations - eap-mschapv2 for example - with no luck.</p>
<p> </p>
<p>I've spent quite a big amount of time working on it. Writing to the list maybe my last try...</p>
<p> </p>
<p>Did anybody find running configurations to get these devices to work with certificates or at least eap (any flavors would be ok as a first step)? </p>
<p> </p>
<p>thank you,</p>
<p> </p>
<p>Régis</p>