<div dir="ltr">1. A peer config is related to ipsec.conf.<div>2. As your log shows, AUTH_FAILED might also be caused by ipsec.conf; when you have finished ipsec.conf, you should also configure ipsec.secrets.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature">Regards<br>Quaker</div></div>
<br><div class="gmail_quote">On Tue, Jan 2, 2018 at 7:00 PM, <span dir="ltr"><<a href="mailto:users-request@lists.strongswan.org" target="_blank">users-request@lists.strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Users mailing list submissions to<br>
<a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
<br>
Today's Topics:<br>
<br>
1. Help needed for a basic swanctl config (Glen Huang)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 2 Jan 2018 18:54:27 +0800<br>
From: Glen Huang <<a href="mailto:heyhgl@gmail.com">heyhgl@gmail.com</a>><br>
To: <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
Subject: [strongSwan] Help needed for a basic swanctl config<br>
Message-ID: <<a href="mailto:BC3FDE8E-B7AB-48EC-8C56-320F42C71661@gmail.com">BC3FDE8E-B7AB-48EC-8C56-320F42C71661@gmail.com</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
Hi,<br>
<br>
I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.<br>
<br>
I have this very simple config:<br>
<br>
connections {<br>
ios {<br>
version = 2<br>
pools = ios_pool<br>
remote {<br>
id = foobar<br>
auth = psk<br>
}<br>
}<br>
}<br>
<br>
pools {<br>
ios_pool {<br>
addrs = 192.168.37.0/24<br>
dns = 8.8.8.8<br>
}<br>
}<br>
<br>
secrets {<br>
ike-ios {<br>
secret = abc<br>
}<br>
}<br>
<br>
But when I connect from an iOS client using the following connection settings:<br>
<br>
Remote ID: foobar<br>
Local ID: [empty]<br>
Authentication Settings: None<br>
Shared Secret: abc<br>
<br>
It fails to connect, and the log shows it fails at a pretty early stage:<br>
<br>
12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)<br>
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]<br>
12[IKE] 2.2.2.2 is initiating an IKE_SA<br>
12[IKE] remote host is behind NAT<br>
12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"<br>
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]<br>
12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)<br>
15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)<br>
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]<br>
15[IKE] received retransmit of request with ID 0, retransmitting response<br>
15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)<br>
05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)<br>
05[ENC] unknown attribute type (25)<br>
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]<br>
05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]<br>
05[CFG] no matching peer config found<br>
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding<br>
05[IKE] peer supports MOBIKE<br>
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)<br>
<br>
I’m trying to have a firm grasp of strongswan (I have some basic understanding of ikev2 & IPsec), so a few questions:<br>
<br>
1. What constitutes a "peer config" in swanctl.conf?<br>
2. Is the AUTH_FAILED message caused by a secret mismatch, by being unable to find a connection setting, or by something else?<br>
3. How do I find out in the logs the kind of auth request sent by the client? The iOS client provides quite a few authentication settings, and I’d like to learn how charon sees them in order to provide the corresponding settings in swanctl.conf<br>
<br>
Thanks in advance.<br>
<br>
<br>
End of Users Digest, Vol 96, Issue 2<br>
************************************<br>
</blockquote></div><br></div>
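To make question 2 and the quoted <code>[CFG]</code> lines concrete, here is an added Python example (not part of this thread and not strongSwan code) that parses charon's peer-config lookup line and compares the identities it reports with the <code>local</code>/<code>remote</code> <code>id</code> values of each connection in a swanctl.conf snippet. It assumes the <code>local_addr[local_id]...remote_addr[remote_id]</code> layout visible in the quoted log, where the local id is the IDr the client asked for and the remote id is the client's IDi; it models only exact or <code>%any</code> identity matching (charon also supports DN and wildcard matching, which is not modelled here); and its sample log and config are constructed copies of the ones quoted above.

```python
import re

# Constructed sample input: the charon lines and the swanctl.conf snippet
# quoted in the question, reproduced so the script runs offline.
SAMPLE_LOG = """\
05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
05[CFG] no matching peer config found
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

SAMPLE_SWANCTL = """\
connections {
    ios {
        version = 2
        pools = ios_pool
        remote {
            id = foobar
            auth = psk
        }
    }
}
"""

# charon prints the lookup as local_addr[local_id]...remote_addr[remote_id]:
# local_id is the IDr the client requested, remote_id is the client's IDi.
LOOKUP_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local_addr>[^\s\[]+)\[(?P<local_id>[^\]]*)\]\.\.\."
    r"(?P<remote_addr>[^\s\[]+)\[(?P<remote_id>[^\]]*)\]"
)


def parse_peer_lookup(log_text):
    """Return the identities charon tried to match, plus whether a config
    matched and whether AUTH_FAILED was sent. None if no lookup line exists."""
    result = None
    for line in log_text.splitlines():
        m = LOOKUP_RE.search(line)
        if m:
            result = dict(m.groupdict(), matched=True, auth_failed=False)
        elif result is not None and "no matching peer config found" in line:
            result["matched"] = False
        elif result is not None and "N(AUTH_FAILED)" in line:
            result["auth_failed"] = True
    return result


def parse_swanctl(text):
    """Minimal parser for the swanctl.conf subset used here: nested
    `name { ... }` sections and `key = value` settings. Includes and
    references are not handled (assumption made for this example)."""
    root, stack = {}, []
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            child = current.setdefault(line[:-1].strip(), {})
            stack.append(current)
            current = child
        elif line == "}":
            current = stack.pop()
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return root


def identity_matches(configured, presented):
    """Simplified matching: an unset id or %any accepts anything, otherwise
    the identities must be equal (DN/wildcard matching is not modelled)."""
    return configured in (None, "", "%any") or configured == presented


def diagnose(config, lookup):
    """List every connection whose local/remote id rejects the lookup."""
    findings = []
    for name, conn in config.get("connections", {}).items():
        local_id = conn.get("local", {}).get("id")
        remote_id = conn.get("remote", {}).get("id")
        if not identity_matches(local_id, lookup["local_id"]):
            findings.append(f"{name}: local.id={local_id!r} but the client "
                            f"asked for server identity {lookup['local_id']!r}")
        if not identity_matches(remote_id, lookup["remote_id"]):
            findings.append(f"{name}: remote.id={remote_id!r} but the client "
                            f"identified itself as {lookup['remote_id']!r}")
    return findings


def explain(lookup):
    """Classify what an AUTH_FAILED in this log means, from the log alone."""
    if lookup is None:
        return "no peer-config lookup line found"
    if not lookup["matched"]:
        return ("config selection failed: no connection matched the "
                "identities, so the PSK was never checked")
    if lookup["auth_failed"]:
        return "a connection matched; look for the authentication failure later in the log"
    return "connection matched and no AUTH_FAILED seen"


if __name__ == "__main__":
    lk = parse_peer_lookup(SAMPLE_LOG)
    print(explain(lk))
    for finding in diagnose(parse_swanctl(SAMPLE_SWANCTL), lk):
        print(" -", finding)
```

On the quoted input the script reports that no connection matched, so the AUTH_FAILED notify was generated before any pre-shared secret could be compared, and it flags that <code>remote.id = foobar</code> does not match the identity <code>192.168.1.251</code> the client presented; <code>foobar</code> sits on the local side of the lookup line, i.e. it is the identity the client expects the server to have.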