[strongSwan] vpn server for iOS devices fails with no peer config found

gandalf istari erestor.elensar at gmail.com
Tue Oct 23 12:46:31 CEST 2012


Hi,

This is my first attempt to get Strongswan 5.0.0-2 to work.

Like most people, I also have a need to connect iOS devices to the
corporate LAN, but until now without success. For now I'm working with
shared secrets, until I get the certificate problem working.

I'm struggling with two problems:

First:
looking for XAuthInitPSK peer configs matching 10.16.1.3...81.83.206.8[192.168.17.121]
Oct 23 12:18:37 fw-01 charon: 13[IKE] no peer config found

Second:
When following the "iOS (Apple iPhone, iPad...) and Mac OS X"
documentation I must run the following command to create the certificates:
# ipsec pki --gen --outform pem > caKey.pem
# ipsec command not found

But there is no ipsec on my system (find / -name ipsec -print);
installed from EPEL: yum install --enablerepo=epel-testing strongswan

So some help to get this working would be fine, thanks in advance.

my configs:
ipsec.conf
# basic configuration

config setup
        charonstart=yes
        plutostart=no
        nat_traversal=yes

conn ios
        authby=secret
        xauth=server
        left=10.16.1.3
        leftsubnet=10.16.1.0/27
        leftfirewall=yes
        keyexchange=ikev1
        ike=3des-sha-modp1024
        keyingtries=0
        keylife=1800s
        ikelifetime=1800s
        rekeymargin=4m
        compress=no
        right=%any
        rightsubnet=192.168.17.0/28
        rightsourceip=192.168.17.2
        auto=add


ipsec.secrets
10.16.1.3 %any : PSK "abc123"


syslog:
Oct 23 12:18:37 fw-01 charon: 11[IKE] received XAuth vendor ID
Oct 23 12:18:37 fw-01 charon: 11[IKE] received Cisco Unity vendor ID
Oct 23 12:18:37 fw-01 charon: 11[ENC] received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:80:00:00:00
Oct 23 12:18:37 fw-01 charon: 11[IKE] received DPD vendor ID
Oct 23 12:18:37 fw-01 charon: 11[IKE] 81.83.206.8 is initiating a Main Mode IKE_SA
Oct 23 12:18:37 fw-01 charon: 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Oct 23 12:18:37 fw-01 charon: 11[NET] sending packet: from 10.16.1.3[500] to 81.83.206.8[500]
Oct 23 12:18:37 fw-01 charon: 12[NET] received packet: from 81.83.206.8[500] to 10.16.1.3[500]
Oct 23 12:18:37 fw-01 charon: 12[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 23 12:18:37 fw-01 charon: 12[IKE] local host is behind NAT, sending keep alives
Oct 23 12:18:37 fw-01 charon: 12[IKE] remote host is behind NAT
Oct 23 12:18:37 fw-01 charon: 12[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 23 12:18:37 fw-01 charon: 12[NET] sending packet: from 10.16.1.3[500] to 81.83.206.8[500]
Oct 23 12:18:37 fw-01 charon: 13[NET] received packet: from 81.83.206.8[4500] to 10.16.1.3[4500]
Oct 23 12:18:37 fw-01 charon: 13[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Oct 23 12:18:37 fw-01 charon: 13[CFG] looking for XAuthInitPSK peer configs matching 10.16.1.3...81.83.206.8[192.168.17.121]
Oct 23 12:18:37 fw-01 charon: 13[IKE] no peer config found
Oct 23 12:18:37 fw-01 charon: 13[ENC] generating INFORMATIONAL_V1 request 4116286233 [ HASH N(AUTH_FAILED) ]
Oct 23 12:18:37 fw-01 charon: 13[NET] sending packet: from 10.16.1.3[4500] to 81.83.206.8[4500]
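
As an added example (not the poster's files or the strongSwan project's), here is a strongSwan 5.x ipsec.conf/ipsec.secrets pair that produces the "XAuthInitPSK" peer config the log above is searching for; the addresses are the ones from the post, while the XAuth user name and password are placeholders:

```conf
# Added example: strongSwan 5.x (charon) IKEv1 XAuth+PSK gateway for iOS.
# Addresses come from the post; "iosuser" and its password are placeholders.

# --- ipsec.conf ---
config setup
        # charonstart, plutostart and nat_traversal are ignored by 5.x:
        # charon is the only daemon and always does NAT traversal.

conn ios
        keyexchange=ikev1
        # charon looks for an "XAuthInitPSK" config: the gateway proves
        # itself with the PSK, the client then proves itself with XAuth.
        # authby=secret creates a plain PSK-only config, so nothing matched.
        # leftauth/rightauth below is equivalent to authby=xauthpsk.
        leftauth=psk
        rightauth=xauth
        left=10.16.1.3
        # iOS proposes 0.0.0.0/0 as the remote traffic selector and IKEv1
        # has no narrowing, so the gateway has to offer everything.
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        right=%any
        # A pool rather than one address, so more than one device can
        # connect. The assigned virtual IP takes the place of rightsubnet.
        rightsourceip=192.168.17.0/28
        ike=3des-sha1-modp1024
        keyingtries=0
        ikelifetime=1800s
        keylife=1800s
        rekeymargin=4m
        auto=add

# --- ipsec.secrets ---
# Phase-1 PSK; in main mode it is looked up by peer address, hence %any.
10.16.1.3 %any : PSK "abc123"
# One XAUTH line per user; matches Account/Password on the iPhone.
# Placeholder credentials, not from the post.
iosuser : XAUTH "CHANGE-ME"
```

On the EPEL package the ipsec command line wrapper is installed under the name strongswan, so the certificate steps from the wiki read strongswan pki --gen ... instead of ipsec pki --gen ....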
