[strongSwan] IKEv2 problems on iOS8

Noel Kuntze noel at familie-kuntze.de
Sat Feb 21 19:17:38 CET 2015


Hello Milen,

Without any information from the iOS device, it is impossible to pin down what
the problem is. You might want to try sending the DN of the certificate as ID and/or
check the settings on your iOS device. Also, checking the certificate flags might be needed.

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.02.2015 at 17:03, Milen Pankov wrote:
> Hi,
>
> I have a Strongswan IKEv2 connection working on Windows clients, but
> failing on iOS8. I have included the CA certificate in the iOS8
> configuration profile I have imported on the iOS device and the
> certificate is installed under Settings > General > Profiles.
> I can't figure out what the problem is.
>
> My config is:
>
> conn ipsec-ikev2
>         type=tunnel
>         keyexchange=ikev2
>         left=1.2.3.4
>         leftsubnet=0.0.0.0/0
>         leftauth=pubkey
>         leftcert=co1.dir.sub.example.com.crt
>         leftid=co1.dir.sub.example.com
>         right=%any
>         rightsourceip=10.1.0.0/23
>         rightauth=eap-radius
>         rightsendcert=never
>         eap_identity=%any
>         auto=add
>
> Log file says:
>
> Feb 21 08:43:45 server1 charon: 10[NET] received packet: from 5.6.7.8[500] to 1.2.3.4[500] (284 bytes)
> Feb 21 08:43:45 server1 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Feb 21 08:43:45 server1 charon: 10[IKE] 5.6.7.8 is initiating an IKE_SA
> Feb 21 08:43:45 server1 charon: 10[IKE] remote host is behind NAT
> Feb 21 08:43:45 server1 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Feb 21 08:43:45 server1 charon: 10[NET] sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (308 bytes)
> Feb 21 08:43:46 server1 charon: 13[NET] received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (332 bytes)
> Feb 21 08:43:46 server1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Feb 21 08:43:46 server1 charon: 13[CFG] looking for peer configs matching 1.2.3.4[co1.dir.sub.example.com]...5.6.7.8[192.168.0.103]
> Feb 21 08:43:46 server1 charon: 13[CFG] selected peer config 'ipsec-ikev2'
> Feb 21 08:43:46 server1 charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
> Feb 21 08:43:46 server1 charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Feb 21 08:43:46 server1 charon: 13[IKE] authentication of 'co1.dir.sub.example.com' (myself) with RSA signature successful
> Feb 21 08:43:46 server1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
> Feb 21 08:43:46 server1 charon: 13[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (236 bytes)
> Feb 21 08:44:15 server1 charon: 11[JOB] deleting half open IKE_SA after timeout
>
>
> Regards,
> Milen

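An added example, not part of the original thread or of strongSwan: a short Python triage helper that walks charon log lines like the ones quoted above and reports the last responder-side milestone reached before the half-open IKE_SA timed out. The function name, stage labels and the single-peer assumption are this example's own; the sample lines are taken from the quoted log with the mail wrapping undone.

```python
import re

# Responder-side milestones in the order charon logs them for IKEv2 with EAP.
# Labels are this example's own. The patterns match text in the quoted log,
# except the last, which is the message that would be expected next.
STAGES = [
    ("IKE_SA_INIT request parsed", r"parsed IKE_SA_INIT request"),
    ("IKE_SA_INIT response sent", r"generating IKE_SA_INIT response"),
    ("IKE_AUTH request parsed", r"parsed IKE_AUTH request \d+ \[ IDi"),
    ("peer config selected", r"selected peer config"),
    ("server authenticated itself", r"\(myself\) with .+ successful"),
    ("EAP identity request sent", r"generating IKE_AUTH response \d+ \[.*EAP/REQ/ID"),
    ("EAP identity response received", r"parsed IKE_AUTH request \d+ \[.*EAP/RES/ID"),
]
TIMEOUT = "deleting half open IKE_SA after timeout"
CLOCK = re.compile(r"\b(\d\d):(\d\d):(\d\d)\b")

def _seconds(line):
    """Seconds since midnight from the syslog timestamp, or None if absent."""
    m = CLOCK.search(line)
    return int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]) if m else None

def stalled_stage(lines):
    """Assumes a single-peer excerpt; returns where it stopped, or None."""
    reached, last_progress = -1, None
    for line in lines:
        now = _seconds(line)
        if TIMEOUT in line:
            idle = None if None in (now, last_progress) else now - last_progress
            return {
                "last_stage": STAGES[reached][0] if reached >= 0 else None,
                "never_seen": STAGES[reached + 1][0] if reached + 1 < len(STAGES) else None,
                "idle_seconds": idle,
            }
        for idx, (_, pattern) in enumerate(STAGES):
            if idx > reached and re.search(pattern, line):
                reached, last_progress = idx, now
    return None  # no half-open timeout in this excerpt

# Sample input: lines from the quoted log, unwrapped.
SAMPLE = [
    "Feb 21 08:43:45 server1 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]",
    "Feb 21 08:43:45 server1 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]",
    "Feb 21 08:43:46 server1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]",
    "Feb 21 08:43:46 server1 charon: 13[CFG] selected peer config 'ipsec-ikev2'",
    "Feb 21 08:43:46 server1 charon: 13[IKE] authentication of 'co1.dir.sub.example.com' (myself) with RSA signature successful",
    "Feb 21 08:43:46 server1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]",
    "Feb 21 08:44:15 server1 charon: 11[JOB] deleting half open IKE_SA after timeout",
]

if __name__ == "__main__":
    print(stalled_stage(SAMPLE))
```

For the quoted log it reports that the exchange stopped after the server sent its EAP identity request, and that nothing further arrived in the 29 seconds before the timeout.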



