<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Houman,<br>
<br>
Similar to the Windows problem you had earlier, you don't have the
correct combination of configured algorithms. Look at the logs:<br>
<br>
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048
inacceptable, requesting MODP_1024<br>
<br>
The iPhone expects modp2048, but your configuration says
modp1024. Look back at the suggestion we made for Windows and just
use the same configuration.<br>
<br>
Regards,<br>
Jafar<br>
<br>
<div class="moz-cite-prefix">On 5/10/2018 2:34 PM, Houman wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABBZOsnsS_8+4bmnNkWdeY1mmpG8hda8j_pS9B0s91XNEyD_Ow@mail.gmail.com">
<div dir="ltr">
<div>Hi guys,</div>
<div><br>
</div>
<div>Unfortunately, this isn't just limited to Windows; I have
the same issue with the iPhone. I strongly believe this is
because IKEv2 traffic could have been blocked in my user's
country. My user has been utilising this server without any
issues until last week and suddenly it has stopped working.</div>
<div><br>
</div>
<div>Please see the logs, this is when he is trying to connect
from an iPhone:</div>
<div><br>
</div>
<div>
<pre>
May 10 20:26:45 vpn-server charon: 01[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:45 vpn-server charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:26:45 vpn-server charon: 01[IKE] 91.99.xxx.xx is initiating an IKE_SA
May 10 20:26:45 vpn-server charon: 01[IKE] local host is behind NAT, sending keep alives
May 10 20:26:45 vpn-server charon: 01[IKE] remote host is behind NAT
May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:45 vpn-server charon: 01[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)
May 10 20:26:48 vpn-server charon: 12[NET] received packet: from 91.99.xxx.xx[500] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:26:48 vpn-server charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:26:48 vpn-server charon: 12[IKE] 91.99.xxx.xx is initiating an IKE_SA
May 10 20:26:48 vpn-server charon: 12[IKE] local host is behind NAT, sending keep alives
May 10 20:26:48 vpn-server charon: 12[IKE] remote host is behind NAT
May 10 20:26:48 vpn-server charon: 12[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:48 vpn-server charon: 12[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:26:48 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[500] to 91.99.xxx.xx[500] (38 bytes)
</pre>
<p>And this is when I try to connect from my iPhone:</p>
<pre>
May 10 20:10:25 vpn-server systemd[1]: Starting Cleanup of Temporary Directories...
May 10 20:10:25 vpn-server systemd-tmpfiles[2631]: [/usr/lib/tmpfiles.d/var.conf:14] Duplicate line for path "/var/log", ignoring.
May 10 20:10:25 vpn-server systemd[1]: Started Cleanup of Temporary Directories.
May 10 20:10:57 vpn-server charon: 06[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (604 bytes)
May 10 20:10:57 vpn-server charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:10:57 vpn-server charon: 06[IKE] 88.98.xxx.xxx is initiating an IKE_SA
May 10 20:10:57 vpn-server charon: 06[IKE] local host is behind NAT, sending keep alives
May 10 20:10:57 vpn-server charon: 06[IKE] remote host is behind NAT
May 10 20:10:57 vpn-server charon: 06[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:10:57 vpn-server charon: 06[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
May 10 20:10:57 vpn-server charon: 06[NET] sending packet: from 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (38 bytes)
May 10 20:10:57 vpn-server charon: 05[NET] received packet: from 88.98.xxx.xxx[39064] to 172.31.xxx.xxx[500] (476 bytes)
May 10 20:10:57 vpn-server charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
May 10 20:10:57 vpn-server charon: 05[IKE] 88.98.xxx.xxx is initiating an IKE_SA
May 10 20:10:57 vpn-server charon: 05[IKE] local host is behind NAT, sending keep alives
May 10 20:10:57 vpn-server charon: 05[IKE] remote host is behind NAT
May 10 20:10:57 vpn-server charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
May 10 20:10:57 vpn-server charon: 05[NET] sending packet: from 172.31.xxx.xxx[500] to 88.98.xxx.xxx[39064] (316 bytes)
May 10 20:10:58 vpn-server charon: 04[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (500 bytes)
May 10 20:10:58 vpn-server charon: 04[ENC] unknown attribute type (25)
May 10 20:10:58 vpn-server charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
May 10 20:10:58 vpn-server charon: 04[CFG] looking for peer configs matching 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
May 10 20:10:58 vpn-server charon: 04[CFG] selected peer config 'roadwarrior'
May 10 20:10:58 vpn-server charon: 04[IKE] initiating EAP_IDENTITY method (id 0x00)
May 10 20:10:58 vpn-server charon: 04[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 10 20:10:58 vpn-server charon: 04[IKE] peer supports MOBIKE
May 10 20:10:58 vpn-server charon: 04[IKE] authentication of 'vpn1.xxx.com' (myself) with RSA signature successful
May 10 20:10:58 vpn-server charon: 04[IKE] sending end entity cert "CN=vpn1.xxx.com"
May 10 20:10:58 vpn-server charon: 04[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
May 10 20:10:58 vpn-server charon: 04[ENC] splitting IKE message with length of 3596 bytes into 8 fragments
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(1/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(2/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(3/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(4/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(5/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(6/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(7/8) ]
May 10 20:10:58 vpn-server charon: 04[ENC] generating IKE_AUTH response 1 [ EF(8/8) ]
May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)
May 10 20:10:58 vpn-server charon: message repeated 6 times: [ 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (544 bytes)]
May 10 20:10:58 vpn-server charon: 04[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (192 bytes)
May 10 20:10:58 vpn-server charon: 03[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (76 bytes)
May 10 20:10:58 vpn-server charon: 03[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 10 20:10:58 vpn-server charon: 03[IKE] received EAP identity 'houmie'
May 10 20:10:58 vpn-server charon: 03[IKE] initiating EAP_MSCHAPV2 method (id 0xAE)
May 10 20:10:58 vpn-server charon: 03[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 03[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (100 bytes)
May 10 20:10:58 vpn-server charon: 02[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (124 bytes)
May 10 20:10:58 vpn-server charon: 02[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 02[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 02[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (132 bytes)
May 10 20:10:58 vpn-server charon: 01[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (68 bytes)
May 10 20:10:58 vpn-server charon: 01[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May 10 20:10:58 vpn-server charon: 01[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May 10 20:10:58 vpn-server charon: 01[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May 10 20:10:58 vpn-server charon: 01[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (68 bytes)
May 10 20:10:58 vpn-server charon: 12[NET] received packet: from 88.98.xxx.xxx[39065] to 172.31.xxx.xxx[4500] (84 bytes)
May 10 20:10:58 vpn-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com' with EAP successful
May 10 20:10:58 vpn-server charon: 12[IKE] authentication of 'vpn1.xxx.com' (myself) with EAP
May 10 20:10:58 vpn-server charon: 12[IKE] IKE_SA roadwarrior[2] established between 172.31.xxx.xxx[vpn1.xxx.com]...88.98.xxx.xxx[vpn1.xxx.com]
May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any
May 10 20:10:58 vpn-server charon: 12[CFG] assigning new lease to 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] assigning virtual IP 10.10.10.1 to peer 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] peer requested virtual IP %any6
May 10 20:10:58 vpn-server charon: 12[IKE] no virtual IP found for %any6 requested by 'houmie'
May 10 20:10:58 vpn-server charon: 12[IKE] CHILD_SA roadwarrior{1} established with SPIs c0b075ce_i 0789b8c0_o and TS 0.0.0.0/0 === 10.10.10.1/32
May 10 20:10:58 vpn-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
May 10 20:10:58 vpn-server charon: 12[NET] sending packet: from 172.31.xxx.xxx[4500] to 88.98.xxx.xxx[39065] (228 bytes)
</pre>
</div>
<div><br>
</div>
<div>The config that is working for my iPhone is this:</div>
<div><br>
</div>
<div>
<pre>
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn roadwarrior
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!
    esp=aes256gcm16-sha256,aes256-3des-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    rekey=no
    left=%any
    leftid=@vpn1.xxx.com
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
</pre>
</div>
<div><br>
</div>
<div>Please let me know if you see any obvious problem. But I
strongly believe they have blocked the IKEv2 traffic...</div>
<div><br>
</div>
<div>Many Thanks,</div>
<div>Houman</div>
<div><br>
</div>
<div><br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 9 May 2018 at 15:40, Jafar
Al-Gharaibeh <span dir="ltr"><<a
href="mailto:jafar@atcorp.com" target="_blank"
moz-do-not-send="true">jafar@atcorp.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi
Tobias,<br>
<br>
Thanks for the correction. What I meant to say is:<br>
<br>
The PRF algorithm is derived from the
integrity algorithm, but only if a DH group is also
configured.<br>
<br>
Correct?<br>
<br>
Regards,<br>
Jafar
<div class="gmail-HOEnZb">
<div class="gmail-h5"><br>
<br>
On 5/9/2018 2:21 AM, Tobias Brunner wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hi
Jafar,<br>
<br>
<blockquote class="gmail_quote" style="margin:0px
0px 0px
0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">
No need to configure a prf, it is already assumed
when you<br>
configured a DH group; so you can drop prfsha256.<br>
</blockquote>
Small correction, the PRF algorithm, if not
configured explicitly, is<br>
not derived from the DH group, but the integrity
algorithm, in this case<br>
sha256.<br>
<br>
Regards,<br>
Tobias<br>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
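<p>Added example, not part of this thread or of strongSwan's own code: a small Python check that parses the <code>ike=</code> proposals from the ipsec.conf quoted above, derives the PRF the way Tobias describes (from the integrity algorithm when no <code>prf</code> token is given), and scans charon log lines for the "DH group ... inacceptable, requesting ..." message to flag a client DH group that no configured proposal contains, which is the mismatch Jafar points at. The sample <code>ike=</code> line and log lines are constructed from the ones quoted in the thread; the token classification (DH group prefixes, hash names, AEAD handling) is my reading of the strongSwan proposal syntax, stated as an assumption.</p>

```python
import re

# Constructed sample input, copied from the thread: the ike= line of the working
# ipsec.conf and three charon lines from the failing iPhone attempt.
IKE_LINE = "ike=aes256gcm16-sha256-ecp521,aes256-sha256-ecp384,aes256-3des-sha1-modp1024!"
SAMPLE_LOG = """\
May 10 20:26:45 vpn-server charon: 01[IKE] 91.99.xxx.xx is initiating an IKE_SA
May 10 20:26:45 vpn-server charon: 01[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
May 10 20:26:45 vpn-server charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
"""

# Token classification (assumption: my reading of strongSwan's proposal syntax).
DH_PREFIXES = ("modp", "ecp", "curve25519", "curve448", "x25519", "x448")
AEAD_MARKERS = ("gcm", "ccm", "chacha20poly1305")
HASH_RE = re.compile(r"^(sha1|sha256|sha384|sha512|md5|aesxcbc|aescmac)$")
INVAL_KE_RE = re.compile(r"DH group (\w+) inacceptable, requesting (\w+)")


def parse_proposal(text):
    """Split one proposal such as aes256-sha256-ecp384 into its algorithm classes.

    PRF rule from the thread (Tobias): with no prf* token the PRF is derived from
    the integrity algorithm, not from the DH group.  For an AEAD cipher there is
    no separate integrity algorithm, so a hash token names the PRF directly.
    """
    parts = {"encryption": [], "integrity": [], "prf": [], "dh": []}
    for tok in text.split("-"):
        if tok.startswith("prf"):
            parts["prf"].append(tok[len("prf"):])
        elif tok.startswith(DH_PREFIXES):
            parts["dh"].append(tok)
        elif HASH_RE.match(tok):
            parts["integrity"].append(tok)
        else:
            parts["encryption"].append(tok)
    aead = any(m in enc for enc in parts["encryption"] for m in AEAD_MARKERS)
    if aead:
        parts["prf"] = parts["prf"] or parts["integrity"]
        parts["integrity"] = []
    elif not parts["prf"]:
        parts["prf"] = list(parts["integrity"])
    return parts


def parse_ike_line(line):
    """Parse 'ike=p1,p2,...[!]' from ipsec.conf. Returns (proposals, strict)."""
    value = line.split("=", 1)[1].strip()
    strict = value.endswith("!")          # '!' = accept only these proposals
    proposals = [parse_proposal(p) for p in value.rstrip("!").split(",") if p]
    return proposals, strict


def configured_dh_groups(proposals):
    """Every DH group that some configured proposal allows."""
    return {g for p in proposals for g in p["dh"]}


def find_dh_mismatches(log_text, proposals):
    """One record per INVAL_KE negotiation found in the log.

    charon logs the group the client sent (MODP_2048 here) and the group it
    answers with in N(INVAL_KE).  A client that implements the retry comes back
    with that counter group, as Houman's own iPhone does at 20:10:57; one that
    does not keeps getting INVAL_KE until the server's ike= line allows its group.
    """
    groups = configured_dh_groups(proposals)
    findings = []
    for line in log_text.splitlines():
        m = INVAL_KE_RE.search(line)
        if not m:
            continue
        client = m.group(1).replace("_", "").lower()     # MODP_2048 -> modp2048
        counter = m.group(2).replace("_", "").lower()
        findings.append({"client_group": client, "server_counter": counter,
                         "configured": client in groups})
    return findings


if __name__ == "__main__":
    props, strict = parse_ike_line(IKE_LINE)
    print("configured DH groups:", sorted(configured_dh_groups(props)),
          "(strict)" if strict else "")
    for p in props:
        print("  proposal:", p)
    for f in find_dh_mismatches(SAMPLE_LOG, props):
        state = "configured" if f["configured"] else "NOT in any configured proposal"
        print(f"client asked for {f['client_group']}: {state}; "
              f"server countered with {f['server_counter']}")
```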
</body>
</html>