[strongSwan] IKEv2 on iPhone
Mark Smith
markalansmithuk at gmail.com
Mon Jun 1 17:44:36 CEST 2015
Hi,
I am trying to start a connection using IKEv2, from an iPhone (iOS 8) to
Ubuntu. The server basically works - using an Android device I can connect
and use the network.
I suspect the problem is in my .mobileconfig - I was not able to find an
example I understood.
My mobileconfig for the iOS device:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>Mark Test Profile</string>
  <key>PayloadIdentifier</key>
  <string>uk.co.mycompany.myhost</string>
  <key>PayloadUUID</key>
  <string>7fb8cc12-225b-4b30-8fed-f8c827153a0b</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadIdentifier</key>
      <string>uk.co.mycompany.myhost.shared-configuration</string>
      <key>PayloadUUID</key>
      <string>e914d1ce-8eac-41a3-bbad-5005f63b4e78</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>UserDefinedName</key>
      <string>Mark IKEv2 VPN</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- Hostname or IP address of the VPN server -->
        <key>RemoteAddress</key>
        <string>192.168.196.191</string>
        <key>RemoteIdentifier</key>
        <string>192.168.196.191</string>
        <key>LocalIdentifier</key>
        <string></string>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Connect</string>
          </dict>
        </array>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <key>ExtendedAuthEnabled</key>
        <integer>0</integer>
        <key>PayloadCertificateUUID</key>
        <string>747281f0-e370-493c-83ef-aea219cc0a10</string>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-128</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA1-96</string>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-128</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA1-96</string>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
        </dict>
      </dict>
    </dict>
    <dict>
      <key>PayloadIdentifier</key>
      <string>uk.co.mycompany.myhost</string>
      <key>PayloadUUID</key>
      <string>747281f0-e370-493c-83ef-aea219cc0a10</string>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Password</key>
      <string>a</string>
      <key>PayloadContent</key>
      <data>
      MIIM [...]
      qijlBvHwDQoCAggA
      </data>
    </dict>
    <dict>
      <key>PayloadIdentifier</key>
      <string>uk.co.mycompany.myhost</string>
      <key>PayloadUUID</key>
      <string>b561ad76-43a3-433b-ba2d-9cf7e5070b5c</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadContent</key>
      <data>
      MIIDM [...]
      kVgYtExC
      </data>
    </dict>
  </array>
</dict>
</plist>
The resulting StrongSwan log:
charon: 15[NET] received packet: from 192.168.198.33[500] to 192.168.196.191[500] (416 bytes)
charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 15[CFG] looking for an ike config for 192.168.196.191...192.168.198.33
charon: 15[CFG] ike config match: 1052 (192.168.196.191 192.168.198.33 IKEv2)
charon: 15[CFG] candidate: 192.168.196.191...%any, prio 1052
charon: 15[CFG] found matching ike config: 192.168.196.191...%any with prio 1052
charon: 15[IKE] 192.168.198.33 is initiating an IKE_SA
charon: 15[CFG] selecting proposal:
charon: 15[CFG] proposal matches
charon: 15[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 15[IKE] remote host is behind NAT
charon: 15[IKE] sending cert request for "C=UK, O=CTS, CN=SSCA"
charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
charon: 15[NET] sending packet: from 192.168.196.191[500] to 192.168.198.33[500] (465 bytes)
charon: 14[NET] received packet: from 192.168.198.33[4500] to 192.168.196.191[4500] (332 bytes)
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon: 14[CFG] looking for peer configs matching 192.168.196.191[192.168.196.191]...192.168.198.33[10.0.3.2]
charon: 14[CFG] peer config match local: 0 (ID_IPV4_ADDR -> c0:a8:c4:bf)
charon: 14[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> 0a:00:03:02)
charon: 14[CFG] ike config match: 1052 (192.168.196.191 192.168.198.33 IKEv2)
charon: 14[CFG] no matching peer config found
charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon: 14[NET] sending packet: from 192.168.196.191[4500] to 192.168.198.33[4500] (76 bytes)
I don't honestly understand this stuff very well, but comparing this log to
a (working) log (when I connect an Android device) it looks like the iPhone
is not sending a CERT during IKE_AUTH.
Thanks!
-Mark
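An added cross-check, not from the original post and not part of strongSwan or Apple's tooling: it parses a .mobileconfig with plistlib, pulls the IDr/IDi and the "peer config match local/remote" scores out of a charon excerpt in the format shown above, and reports which identity the server found no configuration for. The reading of a score of 0 as "that identity matched no configured peer" is an assumption about charon's output, and the profile and log excerpt are constructed samples that mirror the posted ones.

```python
import plistlib
import re
# Line formats taken from the posted charon log (assumed stable enough to match on).
LOOKUP_RE = re.compile(r"looking for peer configs matching \S+?\[([^\]]*)\]\.\.\.\S+?\[([^\]]*)\]")
SCORE_RE = re.compile(r"peer config match (local|remote): (\d+)")

def identities_from_log(log):
    """Return (IDr, IDi) as charon logged them when looking up a peer config in IKE_AUTH."""
    m = LOOKUP_RE.search(log)
    return (m.group(1), m.group(2)) if m else (None, None)

def match_scores_from_log(log):
    """Return {'local': n, 'remote': n}; a score of 0 is read as 'matched no configured identity'."""
    return {side: int(score) for side, score in SCORE_RE.findall(log)}

def check_profile(profile, log=""):
    """Cross-check a .mobileconfig (bytes) against a charon log excerpt; return a list of findings."""
    top = plistlib.loads(profile)
    payloads = top.get("PayloadContent", [])
    ids = [top.get("PayloadIdentifier")] + [p.get("PayloadIdentifier") for p in payloads]
    findings = ["PayloadIdentifier reused; give every payload its own"] if len(set(ids)) < len(ids) else []
    by_uuid = {p.get("PayloadUUID"): p.get("PayloadType") for p in payloads}
    idr, idi = identities_from_log(log)
    scores = match_scores_from_log(log)
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ike = p.get("IKEv2", {})
        if by_uuid.get(ike.get("PayloadCertificateUUID")) != "com.apple.security.pkcs12":
            findings.append("PayloadCertificateUUID does not name a pkcs12 payload")
        if not ike.get("LocalIdentifier"):
            findings.append("LocalIdentifier is empty, so the client chooses its own IDi")
        if idr is not None and scores.get("local") == 0:
            findings.append("no server config matched IDr %r (profile RemoteIdentifier %r)" % (idr, ike.get("RemoteIdentifier")))
        if idi is not None and scores.get("remote") == 0:
            findings.append("no server config matched IDi %r" % idi)
    return findings

# Constructed sample mirroring the posted profile (empty LocalIdentifier, reused identifier).
SAMPLE_PROFILE = plistlib.dumps({"PayloadIdentifier": "uk.co.mycompany.myhost", "PayloadContent": [
    {"PayloadIdentifier": "uk.co.mycompany.myhost.shared-configuration", "PayloadUUID": "vpn-1",
     "PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2",
     "IKEv2": {"RemoteAddress": "192.168.196.191", "RemoteIdentifier": "192.168.196.191",
               "LocalIdentifier": "", "AuthenticationMethod": "Certificate",
               "PayloadCertificateUUID": "p12-1"}},
    {"PayloadIdentifier": "uk.co.mycompany.myhost", "PayloadUUID": "p12-1",
     "PayloadType": "com.apple.security.pkcs12"}]})
# Constructed log excerpt in the format of the posted one (wrapped lines joined back together).
SAMPLE_LOG = """charon: 14[CFG] looking for peer configs matching 192.168.196.191[192.168.196.191]...192.168.198.33[10.0.3.2]
charon: 14[CFG] peer config match local: 0 (ID_IPV4_ADDR -> c0:a8:c4:bf)
charon: 14[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> 0a:00:03:02)"""
```

Run `check_profile(SAMPLE_PROFILE, SAMPLE_LOG)` to get the findings; on the sample it flags the reused identifier, the empty LocalIdentifier and the unmatched IDr, and leaves the certificate reference alone.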