[strongSwan] IKEv2 on iPhone

Mark Smith markalansmithuk at gmail.com
Mon Jun 1 17:44:36 CEST 2015


Hi,

I am trying to start a connection using IKEv2, from an iPhone (iOS 8) to 
Ubuntu. The server basically works - using an Android device I can connect 
and use the network.

I suspect the problem is in my .mobileconfig - I was not able to find an 
example I understood.

My mobileconfig for the iOS device:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadDisplayName</key>
        <string>Mark Test Profile</string>
        <key>PayloadIdentifier</key>
        <string>uk.co.mycompany.myhost</string>
        <key>PayloadUUID</key>
        <string>7fb8cc12-225b-4b30-8fed-f8c827153a0b</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadIdentifier</key>
                <string>uk.co.mycompany.myhost.shared-configuration</string>
                <key>PayloadUUID</key>
                <string>e914d1ce-8eac-41a3-bbad-5005f63b4e78</string>
                <key>PayloadType</key>
                <string>com.apple.vpn.managed</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>UserDefinedName</key>
                <string>Mark IKEv2 VPN</string>
                <key>VPNType</key>
                <string>IKEv2</string>
                <key>IKEv2</key>
                <dict>
                    <!-- Hostname or IP address of the VPN server -->
                    <key>RemoteAddress</key>
                    <string>192.168.196.191</string>
                    <key>RemoteIdentifier</key>
                    <string>192.168.196.191</string>
                    <key>LocalIdentifier</key>
                    <string></string>
                    <key>OnDemandEnabled</key>
                    <integer>1</integer>
                    <key>OnDemandRules</key>
                    <array>
                        <dict>
                            <key>Action</key>
                            <string>Connect</string>
                        </dict>
                    </array>
                    <key>AuthenticationMethod</key>
                    <string>Certificate</string>
                    <key>ExtendedAuthEnabled</key>
                    <integer>0</integer>
                    <key>PayloadCertificateUUID</key>
                    <string>747281f0-e370-493c-83ef-aea219cc0a10</string>
                    <key>IKESecurityAssociationParameters</key>
                    <dict>
                        <key>EncryptionAlgorithm</key>
                        <string>AES-128</string>
                        <key>IntegrityAlgorithm</key>
                        <string>SHA1-96</string>
                        <key>DiffieHellmanGroup</key>
                        <integer>14</integer>
                    </dict>
                    <key>ChildSecurityAssociationParameters</key>
                    <dict>
                        <key>EncryptionAlgorithm</key>
                        <string>AES-128</string>
                        <key>IntegrityAlgorithm</key>
                        <string>SHA1-96</string>
                        <key>DiffieHellmanGroup</key>
                        <integer>14</integer>
                    </dict>
                </dict>
            </dict>
            <dict>
                <key>PayloadIdentifier</key>
                <string>uk.co.mycompany.myhost</string>
                <key>PayloadUUID</key>
                <string>747281f0-e370-493c-83ef-aea219cc0a10</string>
                <key>PayloadType</key>
                <string>com.apple.security.pkcs12</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>Password</key>
                <string>a</string>
                <key>PayloadContent</key>
                <data>
                    MIIM [...]
                    qijlBvHwDQoCAggA
                </data>
            </dict>
            <dict>
                <key>PayloadIdentifier</key>
                <string>uk.co.mycompany.myhost</string>
                <key>PayloadUUID</key>
                <string>b561ad76-43a3-433b-ba2d-9cf7e5070b5c</string>
                <key>PayloadType</key>
                <string>com.apple.security.root</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
                <key>PayloadContent</key>
                <data>
                    MIIDM [...]
                    kVgYtExC
                </data>
            </dict>
        </array>
    </dict>
</plist>

The resulting StrongSwan log:

charon: 15[NET] received packet: from 192.168.198.33[500] to 192.168.196.191[500] (416 bytes)
charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 15[CFG] looking for an ike config for 192.168.196.191...192.168.198.33
charon: 15[CFG] ike config match: 1052 (192.168.196.191 192.168.198.33 IKEv2)
charon: 15[CFG]   candidate: 192.168.196.191...%any, prio 1052
charon: 15[CFG] found matching ike config: 192.168.196.191...%any with prio 1052
charon: 15[IKE] 192.168.198.33 is initiating an IKE_SA
charon: 15[CFG] selecting proposal:
charon: 15[CFG]   proposal matches
charon: 15[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 15[IKE] remote host is behind NAT
charon: 15[IKE] sending cert request for "C=UK, O=CTS, CN=SSCA"
charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
charon: 15[NET] sending packet: from 192.168.196.191[500] to 192.168.198.33[500] (465 bytes)
charon: 14[NET] received packet: from 192.168.198.33[4500] to 192.168.196.191[4500] (332 bytes)
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon: 14[CFG] looking for peer configs matching 192.168.196.191[192.168.196.191]...192.168.198.33[10.0.3.2]
charon: 14[CFG] peer config match local: 0 (ID_IPV4_ADDR -> c0:a8:c4:bf)
charon: 14[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> 0a:00:03:02)
charon: 14[CFG] ike config match: 1052 (192.168.196.191 192.168.198.33 IKEv2)
charon: 14[CFG] no matching peer config found
charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon: 14[NET] sending packet: from 192.168.196.191[4500] to 192.168.198.33[4500] (76 bytes)

I don't honestly understand this stuff very well, but comparing this log to a (working) log (when I connect an Android device) it looks like the iPhone is not sending a CERT during IKE_AUTH.

Thanks!
-Mark
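An added example, not part of Mark's post and not strongSwan's own code: a small Python triage script run over the charon lines from the post (re-joined onto single lines, since the mailing list wrapped them; the log format assumed is charon's default as shown above). It decodes the hex-rendered IKE identities, reports which peer-config match scored 0, and checks whether the IKE_AUTH request carried CERT and AUTH payloads. The AUTH check matters because, per RFC 7296 section 2.16, an initiator that leaves AUTH out of its first IKE_AUTH message is requesting EAP rather than certificate or PSK authentication.

```python
"""Triage a strongSwan charon log for an IKEv2 IKE_AUTH failure.

Added example, not from the post or from strongSwan. It reads the charon
lines as they appear in the post, recovers the identities the client sent,
and reports which peer-config match failed and which payloads the client
did or did not include in its IKE_AUTH request.
"""
import re
from typing import Dict, List

# Constructed sample: the IKE_AUTH part of the charon log from the post,
# re-joined onto single lines (the mailing list wrapped them).
SAMPLE_LOG = """\
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon: 14[CFG] looking for peer configs matching 192.168.196.191[192.168.196.191]...192.168.198.33[10.0.3.2]
charon: 14[CFG] peer config match local: 0 (ID_IPV4_ADDR -> c0:a8:c4:bf)
charon: 14[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> 0a:00:03:02)
charon: 14[CFG] no matching peer config found
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

PAYLOADS_RE = re.compile(r"parsed IKE_AUTH request \d+ \[ (.*) \]")
MATCH_RE = re.compile(r"peer config match (local|remote): (\d+) \((\w+) -> ([0-9a-f:]+)\)")
# One payload token: a name, optionally followed by a parenthesised detail,
# e.g. "IDi", "N(INIT_CONTACT)", "CPRQ(ADDR DHCP DNS ...)".
TOKEN_RE = re.compile(r"\w+(?:\([^)]*\))?")


def hex_id_to_ipv4(hex_id: str) -> str:
    """Turn charon's 'c0:a8:c4:bf' rendering of an ID_IPV4_ADDR into dotted form."""
    octets = hex_id.split(":")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 identity: {hex_id}")
    return ".".join(str(int(o, 16)) for o in octets)


def ike_auth_payloads(lines: List[str]) -> List[str]:
    """Payload tokens of the first 'parsed IKE_AUTH request' line, or [] if absent."""
    for line in lines:
        m = PAYLOADS_RE.search(line)
        if m:
            return TOKEN_RE.findall(m.group(1))
    return []


def triage(log: str) -> Dict[str, object]:
    """Summarise identities, match scores and payload presence from a charon log."""
    lines = log.splitlines()
    names = [tok.split("(")[0] for tok in ike_auth_payloads(lines)]
    report: Dict[str, object] = {
        "cert_sent": "CERT" in names,      # CERTREQ is a different payload; exact match only
        "auth_sent": "AUTH" in names,      # absent AUTH = initiator is requesting EAP (RFC 7296 2.16)
        "local_id": None, "local_matched": None,
        "remote_id": None, "remote_matched": None,
        "auth_failed": any("N(AUTH_FAILED)" in line for line in lines),
    }
    for line in lines:
        m = MATCH_RE.search(line)
        if not m:
            continue
        side, score, id_type, raw = m.groups()
        # Only IPv4 identities are hex-rendered like this; other types are left as logged.
        report[f"{side}_id"] = hex_id_to_ipv4(raw) if id_type == "ID_IPV4_ADDR" else raw
        report[f"{side}_matched"] = int(score) > 0
    return report


def explain(report: Dict[str, object]) -> List[str]:
    """Human-readable findings derived from triage()."""
    findings = []
    if report["local_matched"] is False:
        findings.append(f"IDr {report['local_id']} sent by the client matches no peer config local identity (leftid)")
    if report["remote_matched"] is False:
        findings.append(f"IDi {report['remote_id']} sent by the client matches no peer config remote identity (rightid)")
    if not report["cert_sent"]:
        findings.append("client sent no CERT payload in IKE_AUTH")
    if not report["auth_sent"]:
        findings.append("client omitted AUTH from IKE_AUTH, i.e. it is requesting EAP (RFC 7296 section 2.16)")
    return findings


if __name__ == "__main__":
    for finding in explain(triage(SAMPLE_LOG)):
        print("-", finding)
```

On the posted log this reports three things: the IDr the iPhone sent is 192.168.196.191 as an IP-address identity and scored 0 against every peer config's local identity; the request carries no CERT; and it also carries no AUTH payload, so the iPhone is asking the responder for EAP in this exchange rather than offering certificate authentication.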
