[strongSwan] IKEv2 problems on iOS8
Milen Pankov
mail at milen.pankov.eu
Sat Feb 21 17:03:06 CET 2015
Hi,
I have a Strongswan IKEv2 connection working on Windows clients, but
failing on iOS8. I have included the CA certificate in the iOS8
configuration profile I have imported on the iOS device and the
certificate is installed under Settings > General > Profiles.
I can't figure out what the problem is.
My config is:
conn ipsec-ikev2
    type=tunnel
    keyexchange=ikev2
    left=1.2.3.4
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=co1.dir.sub.example.com.crt
    leftid=co1.dir.sub.example.com
    right=%any
    rightsourceip=10.1.0.0/23
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
    auto=add
Log file says:
Feb 21 08:43:45 server1 charon: 10[NET] received packet: from 5.6.7.8[500] to 1.2.3.4[500] (284 bytes)
Feb 21 08:43:45 server1 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 21 08:43:45 server1 charon: 10[IKE] 5.6.7.8 is initiating an IKE_SA
Feb 21 08:43:45 server1 charon: 10[IKE] remote host is behind NAT
Feb 21 08:43:45 server1 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 21 08:43:45 server1 charon: 10[NET] sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (308 bytes)
Feb 21 08:43:46 server1 charon: 13[NET] received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (332 bytes)
Feb 21 08:43:46 server1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Feb 21 08:43:46 server1 charon: 13[CFG] looking for peer configs matching 1.2.3.4[co1.dir.sub.example.com]...5.6.7.8[192.168.0.103]
Feb 21 08:43:46 server1 charon: 13[CFG] selected peer config 'ipsec-ikev2'
Feb 21 08:43:46 server1 charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
Feb 21 08:43:46 server1 charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 21 08:43:46 server1 charon: 13[IKE] authentication of 'co1.dir.sub.example.com' (myself) with RSA signature successful
Feb 21 08:43:46 server1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Feb 21 08:43:46 server1 charon: 13[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (236 bytes)
Feb 21 08:44:15 server1 charon: 11[JOB] deleting half open IKE_SA after timeout
Regards,
Milen