[strongSwan] strongSwan 5 IKEv1 tunnel (iOS or StrongSwan client)

Max Allan max_allan at hotmail.com
Wed Jul 25 11:58:58 CEST 2012


Hello,


I'm a newb to strongSwan so please be gentle if I miss something obvious!


I followed the instructions on the Wiki:
http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)


Except with version 5, not 4 (don't know if that will be relevant).


I couldn't get it working with an iOS device, so I went back to having a Linux box at either end so I can get some decent log file entries. So, please bear in mind that although it says "iPhone" in the key names etc., it is actually strongSwan at both ends now. So hopefully anything weird and iOS-specific is not relevant /yet/. (All public IP addresses here have been obfuscated, so don't bother trying to connect to me!)


First, server config:
conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftsubnet=10.66.0.0/16
        leftfirewall=yes
        leftcert=serverCert.pem
        leftid="C=GB, O=Company, CN=176.34.100.100"
        right=%any
        rightsubnet=10.0.0.0/24
        rightsourceip=10.100.255.0/28
        rightcert=clientCert.pem
        auto=add


Then client config:
conn us-east-1-vpc
    left=%any
    leftsourceip=%config
    leftid=iphone
    leftcert=clientCert.pem
    leftfirewall=yes
    rightid="C=GB, O=Company, CN=176.34.100.100"
    right=176.34.100.100
    rightsubnet=10.66.0.0/16
    authby=xauthrsasig
    xauth=client
    xauth_identity=iphone
    keyexchange=ikev1
    auto=start




The relevant passwords/keys are in the secrets files and the client and CA certs are installed at both ends. Server cert on the server etc...




The tunnel establishes but not completely, I can't pass any traffic. The IPSec part seems to not be working. The same results come from using an iPhone to connect or using another strongSwan.

Log file on the client (after the initial cert exchange and XAuth):

Jul 25 10:35:59 centos1 charon: 07[IKE] XAuth authentication of 'iphone' (myself) successful
Jul 25 10:35:59 centos1 charon: 07[IKE] IKE_SA us-east-1-vpc[1] established between 192.168.1.101[C=GB, O=Company, CN=Maxs iPhone]...176.34.100.100[C=GB, O=Company, CN=176.34.100.100]
Jul 25 10:35:59 centos1 charon: 07[IKE] scheduling reauthentication in 10120s
Jul 25 10:35:59 centos1 charon: 07[IKE] maximum IKE_SA lifetime 10660s
Jul 25 10:35:59 centos1 charon: 07[ENC] generating TRANSACTION response 2626266634 [ HASH CP ]
Jul 25 10:35:59 centos1 charon: 07[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]
Jul 25 10:35:59 centos1 charon: 07[ENC] generating TRANSACTION request 3715724063 [ HASH CP ]
Jul 25 10:35:59 centos1 charon: 07[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]
Jul 25 10:35:59 centos1 charon: 05[NET] received packet: from 176.34.100.100[4500] to 192.168.1.101[4500]
Jul 25 10:35:59 centos1 charon: 05[ENC] parsed TRANSACTION response 3715724063 [ HASH CP ]
Jul 25 10:35:59 centos1 charon: 05[IKE] installing new virtual IP 10.100.255.1
Jul 25 10:35:59 centos1 charon: 05[ENC] generating QUICK_MODE request 2376593287 [ HASH SA No KE ID ID ]
Jul 25 10:35:59 centos1 charon: 05[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]
Jul 25 10:35:59 centos1 charon: 04[NET] received packet: from 176.34.100.100[4500] to 192.168.1.101[4500]
Jul 25 10:35:59 centos1 charon: 04[ENC] parsed INFORMATIONAL_V1 request 918202651 [ HASH N(INVAL_ID) ]
Jul 25 10:35:59 centos1 charon: 04[IKE] received INVALID_ID_INFORMATION error notify
Jul 25 10:36:23 centos1 charon: 07[IKE] sending keep alive
Jul 25 10:36:23 centos1 charon: 07[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]






Log file from the server:
Jul 25 09:36:07 ip-10-66-254-21 charon: 14[IKE] XAuth authentication of 'iphone' successful
Jul 25 09:36:07 ip-10-66-254-21 charon: 14[ENC] generating TRANSACTION request 2626266634 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 14[NET] sending packet: from 10.66.254.21[4500] to 87.194.200.200[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[NET] received packet: from 87.194.200.200[4500] to 10.66.254.21[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[ENC] parsed TRANSACTION response 2626266634 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[IKE] IKE_SA ios[5] established between 10.66.254.21[C=GB, O=Company, CN=176.34.100.100]...87.194.200.200[C=GB, O=Company, CN=Maxs iPhone]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[IKE] scheduling reauthentication in 10252s
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[IKE] maximum IKE_SA lifetime 10792s
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[NET] received packet: from 87.194.200.200[4500] to 10.66.254.21[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[ENC] parsed TRANSACTION request 3715724063 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[IKE] peer requested virtual IP %any
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[CFG] reassigning offline lease to 'iphone'
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[IKE] assigning virtual IP 10.100.255.1 to peer 'iphone'
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[ENC] generating TRANSACTION response 3715724063 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[NET] sending packet: from 10.66.254.21[4500] to 87.194.200.200[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[NET] received packet: from 87.194.200.200[4500] to 10.66.254.21[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[ENC] parsed QUICK_MODE request 2376593287 [ HASH SA No KE ID ID ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[IKE] no matching CHILD_SA config found
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[ENC] generating INFORMATIONAL_V1 request 918202651 [ HASH N(INVAL_ID) ]


root at ip-10-66-254-21:/usr/local/etc# ipsec status
Security Associations (1 up, 0 connecting):
         ios[5]: ESTABLISHED 2 minutes ago, 10.66.254.21[C=GB, O=Company, CN=176.34.100.100]...87.194.200.200[C=GB, O=Company, CN=Maxs iPhone]

Connecting from the iPhone gives a similar response but a different QUICK_MODE:

Jul 25 09:51:52 ip-10-66-254-21 charon: 16[NET] received packet: from 87.194.205.228[1473] to 10.66.254.21[4500]
Jul 25 09:51:52 ip-10-66-254-21 charon: 16[ENC] parsed QUICK_MODE request 2502504197 [ HASH SA No ID ID ]
Jul 25 09:51:52 ip-10-66-254-21 charon: 16[IKE] no matching CHILD_SA config found

Can anyone offer any advice?

Thanks,
Max
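As an added illustration (not part of Max's post and not strongSwan's own code) of what charon has to check before it can log "no matching CHILD_SA config found": the script rebuilds the Quick Mode traffic selectors each side derives from the two conn blocks above and tests whether the client's proposed pair fits inside the responder's configured pair. How `leftsourceip=%config` and `rightsourceip` turn into selectors is a simplified model, stated as an assumption in the docstring.

```python
import ipaddress
import re

# Constructed fragments that mirror the two conn blocks in the post (only the
# keys that decide the Quick Mode traffic selectors are kept).
SERVER_CONF = """conn ios
        leftsubnet=10.66.0.0/16
        rightsubnet=10.0.0.0/24
        rightsourceip=10.100.255.0/28
"""
CLIENT_CONF = """conn us-east-1-vpc
    leftsourceip=%config
    rightsubnet=10.66.0.0/16
"""


def parse_conn(text):
    """Return {key: value} for a single ipsec.conf conn block."""
    opts = {}
    for line in text.splitlines()[1:]:
        m = re.match(r"\s*(\w+)=(\S+)", line)
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def diagnose(server_conf, client_conf, assigned_vip):
    """Rebuild the (IDci, IDcr) pair the client proposes in Quick Mode and
    test it against the responder's (right, left) selectors.
    Assumptions (simplified model, not charon's actual matching code):
    with leftsourceip=%config and no leftsubnet the client proposes its
    assigned virtual IP as a /32; a responder with rightsourceip and no
    rightsubnet accepts any host from that pool as the remote selector."""
    srv, cli = parse_conn(server_conf), parse_conn(client_conf)
    if "leftsubnet" in cli:
        idci = ipaddress.ip_network(cli["leftsubnet"])
    else:
        idci = ipaddress.ip_network(f"{assigned_vip}/32")
    idcr = ipaddress.ip_network(cli["rightsubnet"])
    resp_remote = ipaddress.ip_network(srv.get("rightsubnet") or srv["rightsourceip"])
    resp_local = ipaddress.ip_network(srv["leftsubnet"])
    match = idci.subnet_of(resp_remote) and idcr.subnet_of(resp_local)
    return {"idci": str(idci), "idcr": str(idcr),
            "responder_remote": str(resp_remote), "match": match}


if __name__ == "__main__":
    # Virtual IP taken from the "installing new virtual IP" log line above
    print(diagnose(SERVER_CONF, CLIENT_CONF, "10.100.255.1"))
```

With the posted blocks the client's IDci is the /32 virtual IP while the responder expects something inside 10.0.0.0/24, so the function reports no match; dropping the responder's rightsubnet line makes the pool the remote selector and the pair matches.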