[strongSwan] IKEv2 problems on iOS8

Milen Pankov mail at milen.pankov.eu
Sat Feb 21 17:03:06 CET 2015


Hi,

I have a Strongswan IKEv2 connection working on Windows clients, but
failing on iOS8. I have included the CA certificate in the iOS8
configuration profile I have imported on the iOS device and the
certificate is installed under Settings > General > Profiles.
I can't figure out what the problem is.

My config is:

conn ipsec-ikev2
        type=tunnel
        keyexchange=ikev2
        left=1.2.3.4
        leftsubnet=0.0.0.0/0
        leftauth=pubkey
        leftcert=co1.dir.sub.example.com.crt
        leftid=co1.dir.sub.example.com
        right=%any
        rightsourceip=10.1.0.0/23
        rightauth=eap-radius
        rightsendcert=never
        eap_identity=%any
        auto=add

Log file says:

Feb 21 08:43:45 server1 charon: 10[NET] received packet: from 5.6.7.8[500] to 1.2.3.4[500] (284 bytes)
Feb 21 08:43:45 server1 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 21 08:43:45 server1 charon: 10[IKE] 5.6.7.8 is initiating an IKE_SA
Feb 21 08:43:45 server1 charon: 10[IKE] remote host is behind NAT
Feb 21 08:43:45 server1 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 21 08:43:45 server1 charon: 10[NET] sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (308 bytes)
Feb 21 08:43:46 server1 charon: 13[NET] received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (332 bytes)
Feb 21 08:43:46 server1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Feb 21 08:43:46 server1 charon: 13[CFG] looking for peer configs matching 1.2.3.4[co1.dir.sub.example.com]...5.6.7.8[192.168.0.103]
Feb 21 08:43:46 server1 charon: 13[CFG] selected peer config 'ipsec-ikev2'
Feb 21 08:43:46 server1 charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 21 08:43:46 server1 charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 21 08:43:46 server1 charon: 13[IKE] authentication of 'co1.dir.sub.example.com' (myself) with RSA signature successful
Feb 21 08:43:46 server1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Feb 21 08:43:46 server1 charon: 13[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (236 bytes)
Feb 21 08:44:15 server1 charon: 11[JOB] deleting half open IKE_SA after timeout


Regards,
Milen
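The log above can be read mechanically: charon's `[ENC]` lines list every payload in each parsed or generated message, so a small script can check whether the IKE_AUTH response actually carried a CERT payload and whether the client ever sent a CERTREQ. The following is an added example by the editor, not code from the poster or from the strongSwan project. The log text is the post's own lines, re-joined where the mail client wrapped them, and the diagnosis heuristic is the editor's reading of the exchange: with strongSwan's default `leftsendcert=ifasked` the responder only includes its certificate when the peer sends a CERTREQ, and the quoted IKE_AUTH response `[ IDr AUTH EAP/REQ/ID ]` contains no CERT payload, which is what `leftsendcert=always` is normally used to address.

```python
"""Check a strongSwan charon log for an IKE_AUTH response sent without CERT.

Added example, not from the mailing-list post. SAMPLE_LOG is the post's
own log, constructed here with the mail line wraps re-joined. The
heuristic (no CERT sent and no CERTREQ received) is the editor's reading.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the [ENC] and [JOB] lines quoted in the post.
SAMPLE_LOG = """\
Feb 21 08:43:45 server1 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 21 08:43:45 server1 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 21 08:43:46 server1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Feb 21 08:43:46 server1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Feb 21 08:44:15 server1 charon: 11[JOB] deleting half open IKE_SA after timeout
"""

# charon writes one [ENC] line per parsed/generated IKE message; the
# bracketed list at the end names the payloads in order.
ENC_RE = re.compile(
    r"\[ENC\] (?P<dir>parsed|generating) (?P<exch>\w+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[ (?P<payloads>.*?) \]"
)

# A payload token is a name such as AUTH, EAP/REQ/ID, N(NATD_S_IP) or
# CPRQ(ADDR DNS ...); the parenthesised part may itself contain spaces.
TOKEN_RE = re.compile(r"[\w/]+(?:\([^)]*\))?")


def parse_exchanges(log: str) -> Dict[str, List[str]]:
    """Map 'IKE_AUTH response' etc. to the list of payload tokens charon logged."""
    found: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = ENC_RE.search(line)
        if m:
            found[f"{m['exch']} {m['kind']}"] = TOKEN_RE.findall(m["payloads"])
    return found


def diagnose(log: str) -> Optional[str]:
    """Return a finding when a half-open IKE_SA timed out after a CERT-less AUTH."""
    ex = parse_exchanges(log)
    auth_resp = ex.get("IKE_AUTH response", [])
    if not auth_resp:
        return None  # responder never got as far as IKE_AUTH
    half_open = "deleting half open IKE_SA after timeout" in log
    sent_cert = "CERT" in auth_resp
    # A CERTREQ from the initiator may appear in either of its two messages.
    client_asked = any(
        "CERTREQ" in ex.get(k, []) for k in ("IKE_SA_INIT request", "IKE_AUTH request")
    )
    if half_open and not sent_cert and not client_asked:
        return (
            "IKE_AUTH response carried AUTH but no CERT payload and the client "
            "sent no CERTREQ; with leftsendcert=ifasked (default) the peer has "
            "nothing to verify the responder's signature against"
        )
    return None


if __name__ == "__main__":
    print(parse_exchanges(SAMPLE_LOG)["IKE_AUTH response"])
    print(diagnose(SAMPLE_LOG))
```

Run it against a full `charon` log (`ipsec.log` or journal output with the `[ENC]` lines kept); a result of `None` means the responder did send its certificate, or was asked for it, and the cause lies elsewhere (for example the certificate's subjectAltName not matching the server address the client was given).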

