[strongSwan] IKEv2 problems on iOS8

Milen Pankov mail at milen.pankov.eu
Mon Feb 23 08:05:24 CET 2015


Hi,

The problem was that I forgot to include the
ServerCertificateIssuerCommonName in the iOS profile.

Thank you for your help.

Milen



On 02/21/2015 08:17 PM, Noel Kuntze wrote:
> 
> Hello Milen,
> 
> Without any information from the iOS device, it is impossible to 
> pin down what the problem is. You might want to try sending the DN 
> of the certificate as ID and/or check the settings on your iOS 
> device. Also, checking the certificate flags might be needed.
> 
> Kind regards/Regards, Noel Kuntze
> 
> GPG Key ID: 0x63EC6658 Fingerprint: 23CA BB60 2146 05E7 7278 6592 
> 3839 298F 63EC 6658
> 
> On 21.02.2015 at 17:03, Milen Pankov wrote:
>> Hi,
> 
>> I have a strongSwan IKEv2 connection working on Windows clients, 
>> but failing on iOS8. I have included the CA certificate in the 
>> iOS8 configuration profile I have imported on the iOS device and 
>> the certificate is installed under Settings > General > Profiles.
>> I can't figure out what the problem is.
> 
>> My config is:
> 
>> conn ipsec-ikev2
>>     type=tunnel
>>     keyexchange=ikev2
>>     left=1.2.3.4
>>     leftsubnet=0.0.0.0/0
>>     leftauth=pubkey
>>     leftcert=co1.dir.sub.example.com.crt
>>     leftid=co1.dir.sub.example.com
>>     right=%any
>>     rightsourceip=10.1.0.0/23
>>     rightauth=eap-radius
>>     rightsendcert=never
>>     eap_identity=%any
>>     auto=add
> 
>> Log file says:
> 
>> Feb 21 08:43:45 server1 charon: 10[NET] received packet: from 5.6.7.8[500] to 1.2.3.4[500] (284 bytes)
>> Feb 21 08:43:45 server1 charon: 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> Feb 21 08:43:45 server1 charon: 10[IKE] 5.6.7.8 is initiating an IKE_SA
>> Feb 21 08:43:45 server1 charon: 10[IKE] remote host is behind NAT
>> Feb 21 08:43:45 server1 charon: 10[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
>> Feb 21 08:43:45 server1 charon: 10[NET] sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (308 bytes)
>> Feb 21 08:43:46 server1 charon: 13[NET] received packet: from 5.6.7.8[4500] to 1.2.3.4[4500] (332 bytes)
>> Feb 21 08:43:46 server1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> Feb 21 08:43:46 server1 charon: 13[CFG] looking for peer configs matching 1.2.3.4[co1.dir.sub.example.com]...5.6.7.8[192.168.0.103]
>> Feb 21 08:43:46 server1 charon: 13[CFG] selected peer config 'ipsec-ikev2'
>> Feb 21 08:43:46 server1 charon: 13[IKE] initiating EAP_IDENTITY method (id 0x00)
>> Feb 21 08:43:46 server1 charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> Feb 21 08:43:46 server1 charon: 13[IKE] authentication of 'co1.dir.sub.example.com' (myself) with RSA signature successful
>> Feb 21 08:43:46 server1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
>> Feb 21 08:43:46 server1 charon: 13[NET] sending packet: from 1.2.3.4[4500] to 5.6.7.8[4500] (236 bytes)
>> Feb 21 08:44:15 server1 charon: 11[JOB] deleting half open IKE_SA after timeout
> 
> 
>> Regards, Milen
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> 
> 
> 
> 
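The fix reported above comes down to one key in the iOS configuration profile. Below is an added example (not from this thread or the strongSwan project) that builds the IKEv2 VPN payload for the server configuration quoted above and lints it for the omissions that produce exactly this symptom: the server answers IKE_AUTH with EAP/REQ/ID and the client never replies. Payload key names follow Apple's Configuration Profile Reference (`ServerCertificateIssuerCommonName`, `ServerCertificateCommonName`, `RemoteIdentifier`, `ExtendedAuthEnabled`); the server address and ID are taken from the redacted ipsec.conf in the thread, while the CA common name, the client identity, the RADIUS username and the CA certificate bytes are constructed placeholders.

```python
"""Build and lint an iOS IKEv2 .mobileconfig payload for the strongSwan
setup in this thread.  Added example, not code from the thread or from
strongSwan.  Key names follow Apple's Configuration Profile Reference;
the CA name, client identity and certificate bytes are placeholders."""
import plistlib
import uuid

# Assumed from the thread's ipsec.conf (left=1.2.3.4, leftid=...).
SERVER_ADDRESS = "1.2.3.4"
SERVER_ID = "co1.dir.sub.example.com"
# Assumed common name of the CA that issued the server certificate.
CA_COMMON_NAME = "Example Corp VPN CA"
# Constructed placeholder; a real profile carries the DER bytes of the CA cert.
CA_CERT_DER = b"\x30\x82\x00\x00-constructed-placeholder"


def build_profile(include_issuer_cn=True):
    """Return a .mobileconfig plist (bytes) with a root-CA payload and an
    IKEv2 VPN payload that authenticates the client via EAP, matching
    rightauth=eap-radius on the server."""
    ikev2 = {
        "RemoteAddress": SERVER_ADDRESS,
        # Must equal the IDr the server sends (leftid=).
        "RemoteIdentifier": SERVER_ID,
        "LocalIdentifier": "user@example.com",   # assumed client ID
        # EAP only: no client certificate, credentials carried in EAP.
        "AuthenticationMethod": "None",
        "ExtendedAuthEnabled": True,
        "AuthName": "milen",                      # assumed RADIUS user
        "ServerCertificateCommonName": SERVER_ID,
    }
    if include_issuer_cn:
        # The key that was missing in the thread's profile.
        ikev2["ServerCertificateIssuerCommonName"] = CA_COMMON_NAME
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example IKEv2",
        "UserDefinedName": "Example IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ca",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": CA_COMMON_NAME,
        "PayloadContent": CA_CERT_DER,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Example VPN",
        "PayloadContent": [ca_payload, vpn_payload],
    }
    return plistlib.dumps(profile)


def lint_profile(blob, server_id, ca_cn):
    """Return the list of mismatches between the profile and the server
    (leftid and issuing CA) that stop an iOS client from completing
    IKE_AUTH; an empty list means the profile is consistent."""
    problems = []
    root = plistlib.loads(blob)
    payloads = root.get("PayloadContent", [])
    vpn = [p for p in payloads if p.get("VPNType") == "IKEv2"]
    cas = [p for p in payloads if p.get("PayloadType") == "com.apple.security.root"]
    if not cas:
        problems.append("no com.apple.security.root payload carrying the CA")
    if len(vpn) != 1:
        problems.append("expected exactly one IKEv2 VPN payload")
        return problems
    ike = vpn[0].get("IKEv2", {})
    if ike.get("RemoteIdentifier") != server_id:
        problems.append("RemoteIdentifier does not match the server's leftid")
    if ike.get("ServerCertificateCommonName") not in (None, server_id):
        problems.append("ServerCertificateCommonName does not match leftid")
    issuer = ike.get("ServerCertificateIssuerCommonName")
    if not issuer:
        problems.append("ServerCertificateIssuerCommonName missing")
    elif issuer != ca_cn:
        problems.append("ServerCertificateIssuerCommonName does not match the CA's CN")
    if ike.get("AuthenticationMethod") == "None" and not ike.get("ExtendedAuthEnabled"):
        problems.append("AuthenticationMethod None requires ExtendedAuthEnabled (EAP)")
    return problems


if __name__ == "__main__":
    print(lint_profile(build_profile(include_issuer_cn=False), SERVER_ID, CA_COMMON_NAME))
    print(lint_profile(build_profile(), SERVER_ID, CA_COMMON_NAME))
```

Run against a real profile, feed `lint_profile` the bytes of the `.mobileconfig`, the `leftid` from ipsec.conf and the subject CN of the CA certificate; the linter only compares strings, so the CA CN must be read from the certificate separately (for example with `openssl x509 -noout -subject`).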

