[strongSwan] iOS IKEv2

Sam Johnson sam at 80pct.com
Sat Sep 12 02:37:26 CEST 2015


Hello All,

Disregard last message, got it to work minutes after I typed that all out.

Sam

On Fri, Sep 11, 2015 at 8:23 PM, Sam Johnson <sam at 80pct.com> wrote:

> Hello,
>
> I have been running into trouble getting IKEv2 set up with iOS 8.3. I am
> using the VICI Python library to insert connections.
>
> An example connection dict: http://pastebin.com/NSuq5zGg
>
> The error I'm running into is that for some reason the iOS device is not
> responding to one of strongSwan's requests:
>
> Sep 12 00:16:47 07[IKE] <1> xx.xx.xx.xx is initiating an IKE_SA
> Sep 12 00:16:47 07[IKE] <1> local host is behind NAT, sending keep alives
> Sep 12 00:16:47 07[IKE] <1> remote host is behind NAT
> Sep 12 00:16:47 07[IKE] <1> sending cert request for "<CERT NAME>"
> Sep 12 00:16:47 07[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> Sep 12 00:16:47 07[NET] <1> sending packet: from xx.xx.xx.xx[500] to xx.xx.xx.xx[500] (465 bytes)
> Sep 12 00:16:47 02[NET] <1> received packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (380 bytes)
> Sep 12 00:16:47 02[ENC] <1> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> Sep 12 00:16:47 02[CFG] <1> looking for peer configs matching xx.xx.xx.xx[dev-vpn-ios.frdm.to]...xx.xx.xx.xx[98cece22c11940c1bef812dc161f51e6 at xxxxxxxx.com]
> Sep 12 00:16:47 02[CFG] <98cece22c11940c1bef812dc161f51e6|1> selected peer config '98cece22c11940c1bef812dc161f51e6'
> Sep 12 00:16:47 02[IKE] <98cece22c11940c1bef812dc161f51e6|1> initiating EAP_MSCHAPV2 method (id 0xC0)
> Sep 12 00:16:47 02[IKE] <98cece22c11940c1bef812dc161f51e6|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> Sep 12 00:16:47 02[IKE] <98cece22c11940c1bef812dc161f51e6|1> authentication of 'xxxx.com' (myself) with RSA signature successful
> Sep 12 00:16:47 02[IKE] <98cece22c11940c1bef812dc161f51e6|1> sending end entity cert "<CERT_NAME>"
> Sep 12 00:16:47 02[ENC] <98cece22c11940c1bef812dc161f51e6|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
> Sep 12 00:16:47 02[NET] <98cece22c11940c1bef812dc161f51e6|1> sending packet: from xx.xx.xx.xx[4500] to xx.xx.xx.xx[4500] (1260 bytes)
>
> Then it just hangs, times out, and closes the half open connection.
>
> My iOS configuration is here: http://pastebin.com/QpFP3cGp
>
> I had IKEv1 working... but would like to switch over to IKEv2. Any help
> would be greatly appreciated!
>
> Best,
> Sam
>



-- 
Sam Johnson | Lead Software Engineer
sam at 80pct.com