[strongSwan] iOS 8 VPN API + strongswan 5.3.2, deleting half-opened connection

Aleksey Arakelyan aleksey.arakelyan at hmn.me
Wed Sep 16 16:34:43 CEST 2015


Hello. I'm trying to set up strongSwan for an iOS app using the VPN API. Here is my strongSwan configuration.

Here is what I got in the logs. I was trying to change all the options in my config, but no luck. As I'm new to strongSwan, I don't know what to search for.

Can someone help with this?

==========
2015-09-16T14:20:13.881974+00:00  charon: 02[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500]
2015-09-16T14:20:13.881977+00:00  charon: 02[NET] waiting for data on sockets
2015-09-16T14:20:13.881980+00:00  charon: 06[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500] (316 bytes)
2015-09-16T14:20:13.882095+00:00  charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
2015-09-16T14:20:13.882106+00:00  charon: 06[CFG] looking for peer configs matching 94.242.232.178[lu135.hmn.me]...178.159.28.49[VPN]
2015-09-16T14:20:13.882111+00:00  charon: 06[CFG] peer config match local: 20 (ID_FQDN -> 6c:75:31:33:35:2e:68:6d:6e:2e:6d:65)
2015-09-16T14:20:13.882115+00:00  charon: 06[CFG] peer config match remote: 1 (ID_FQDN -> 56:50:4e)
2015-09-16T14:20:13.882121+00:00  charon: 06[CFG] ike config match: 1052 (94.242.232.178 178.159.28.49 IKEv2)
2015-09-16T14:20:13.882127+00:00  charon: 06[CFG]   candidate "ikev2", match: 20/1/1052 (me/other/ike)
2015-09-16T14:20:13.882134+00:00  charon: 06[CFG] selected peer config 'ikev2'
2015-09-16T14:20:13.882153+00:00  charon: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
2015-09-16T14:20:13.882166+00:00  charon: 06[IKE] processing INTERNAL_IP4_ADDRESS attribute
2015-09-16T14:20:13.882171+00:00  charon: 06[IKE] processing INTERNAL_IP4_DHCP attribute
2015-09-16T14:20:13.882180+00:00  charon: 06[IKE] processing INTERNAL_IP4_DNS attribute
2015-09-16T14:20:13.882183+00:00  charon: 06[IKE] processing INTERNAL_IP4_NETMASK attribute
2015-09-16T14:20:13.882187+00:00  charon: 06[IKE] processing INTERNAL_IP6_ADDRESS attribute
2015-09-16T14:20:13.882196+00:00  charon: 06[IKE] processing INTERNAL_IP6_DHCP attribute
2015-09-16T14:20:13.882202+00:00  charon: 06[IKE] processing INTERNAL_IP6_DNS attribute
2015-09-16T14:20:13.882214+00:00  charon: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2015-09-16T14:20:13.882266+00:00  charon: 06[IKE] IDx' => 16 bytes @ 0x7fa281236940
2015-09-16T14:20:13.882273+00:00  charon: 06[IKE]    0: 02 00 00 00 6C 75 31 33 35 2E 68 6D 6E 2E 6D 65  ....lu135.hmn.me
2015-09-16T14:20:13.882277+00:00  charon: 06[IKE] SK_p => 20 bytes @ 0x7fa24c003430
2015-09-16T14:20:13.882282+00:00  charon: 06[IKE]    0: 45 A5 6E C1 FA 17 82 BF 81 13 71 3A 94 EC 46 A1  E.n.......q:..F.
2015-09-16T14:20:13.882288+00:00  charon: 06[IKE]   16: 73 A6 F7 47                                      s..G
2015-09-16T14:20:13.882318+00:00  charon: 06[IKE] octets = message + nonce + prf(Sk_px, IDx') => 344 bytes 
…. SOME BYTES HERE ….
2015-09-16T14:20:13.884696+00:00  charon: 06[IKE] authentication of 'lu135.hmn.me' (myself) with RSA signature successful
2015-09-16T14:20:13.884706+00:00  charon: 06[IKE] sending end entity cert "C=GB, O=COMPANY, CN=lu135.hmn.me"
2015-09-16T14:20:13.884718+00:00  charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2015-09-16T14:20:13.884897+00:00  charon: 06[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500] (1220 bytes)
2015-09-16T14:20:13.884924+00:00  charon: 03[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500]
2015-09-16T14:20:43.786966+00:00  charon: 09[JOB] deleting half open IKE_SA after timeout
2015-09-16T14:20:43.786983+00:00 charon: 09[IKE] IKE_SA ikev2[2] state change: CONNECTING => DESTROYING
==========

============= Server cert =================
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6619988021187675067 (0x5bdeec07f43b83bb)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, O=COMPANY, CN=CERTROOT
        Validity
            Not Before: Sep 16 13:57:53 2015 GMT
            Not After : Sep 15 13:57:53 2018 GMT
        Subject: C=GB, O=COMPANY, CN=lu135.hmn.me
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                      … BYTES …

                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:8B:88:DA:1A:76:18:F4:F8:64:51:9C:BB:54:48:C6:3C:2E:5B:E9:8C

            X509v3 Subject Alternative Name:
                DNS:lu135.hmn.me, IP Address:94.242.232.178, DNS:94.242.232.178
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
    Signature Algorithm: sha256WithRSAEncryption
                     … BYTES ….

=============== Server cert end ==============

============= CONFIG  ipsec.conf ===========
   config setup
           charondebug="cfg 7, dmn 7, ike 7, net 7"
           uniqueids=no

   conn %default
           left=%defaultroute
           leftsubnet=0.0.0.0/0
           right=%any
           auto=add
           dpdaction=clear
           dpddelay=300s

   conn ikev2
           keyexchange=ikev2
           fragmentation=yes
           forceencaps=yes
           ike=aes256-sha1-modp1024,aes256-sha1-modp2048
           esp=aes256-sha1,aes128-sha1
           left={{ ansible_default_ipv4.address }}
           leftid={{ dnsname }}
           leftcert=server_cert.pem
           leftsendcert=always
           leftauth=pubkey
           mobike=yes
           right=%any
           rightid=%any
           rightsendcert=never
           rightauth=eap-radius
           rightsourceip=172.16.198.0/24
           rightfirewall=yes
           eap_identity=%identity
           rightdns=8.8.8.8,8.8.4.4
           # keyword is dpdaction (the posted config had the misspelling "dpaction")
           dpdaction=clear
           auto=add
============= CONFIG END ================

============= Ansible variables ==============
 cakey:   /etc/strongswan/ipsec.d/private/ios.pem
 cacert:  /etc/strongswan/ipsec.d/cacerts/ios.pem
 srvkey:  /etc/strongswan/ipsec.d/private/server.pem
 srvcert: /etc/strongswan/ipsec.d/certs/server_cert.pem
 clnkey:  /etc/strongswan/ipsec.d/private/client.pem
 clncert: /etc/strongswan/ipsec.d/certs/client.pem
 p12:     /etc/strongswan/ipsec.d/private/client.p12
 issuer: CERTROOT
 org: COMPANY
============ Ansible Variables End ===========

============ Playbook role =================
---
- name: Installing strongswan config
  template: src=ipsec.conf dest=/etc/strongswan/ipsec.conf

- name: Ipsec secrets
  template: src=ipsec.secrets dest=/etc/strongswan/ipsec.secrets

- name: Generating CA KEY
  shell: strongswan pki --gen --outform pem > {{ cakey }} creates={{ cakey }}

- name: Generate CA Cert
  shell: strongswan pki --self --in {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ issuer }}" --ca --outform pem > {{ cacert }} creates={{ cacert }}

- name: Generate server key
  shell: strongswan pki --gen --outform pem > {{ srvkey }} creates={{ srvkey }}

- name: Create server cert
  shell: strongswan pki --pub --in {{ srvkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN={{ dnsname }}" --san="{{ dnsname }}" --san {{ ansible_default_ipv4.address }} --san @{{ ansible_default_ipv4.address }} --flag serverAuth --flag ikeIntermediate --outform pem > {{ srvcert }} creates={{ srvcert }}

- name: Generating client key
  shell: strongswan pki --gen --outform pem > {{ clnkey }} creates={{ clnkey }}

- name: Create client cert
  shell: strongswan pki --pub --in {{ clnkey }} | strongswan pki --issue --cacert {{ cacert }} --cakey {{ cakey }} --dn "C=GB, O={{ org }}, CN=demo" --outform pem > {{ clncert }} creates={{ clncert }}

- name: Generate p12 file for client
  shell: openssl pkcs12 -export -inkey {{ clnkey }} -in {{ clncert }} -name "demo" -certfile {{ cacert }}  -caname "{{ issuer }}" -out {{ p12 }} -password pass:hello creates={{ p12 }}

- name: Restart strongswan
  service: name=strongswan state=restarted
============== Playbook role end ==============
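As an added example (not part of the original post and not strongSwan's own code), the script below pulls out of charon log lines in the format shown above the timeline a reviewer checks first on a "deleting half open IKE_SA after timeout" report: which exchanges were parsed and generated, how large the last packet sent to the peer was, whether the peer sent anything after that, and how long the SA waited before being destroyed. The line and message regexes assume exactly the charon format in the post; the sample lines are constructed from the post's own log.

```python
"""Summarise a half-open IKE_SA timeout from strongSwan charon log lines.

Added example; assumes the charon log format
'<iso timestamp>  charon: <thread>[GROUP] <message>' as seen in the post.
"""
import re
from datetime import datetime

# Constructed sample, copied from the log lines quoted in the post.
SAMPLE_LOG = """\
2015-09-16T14:20:13.881974+00:00  charon: 02[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500]
2015-09-16T14:20:13.881980+00:00  charon: 06[NET] received packet: from 178.159.28.49[4500] to 94.242.232.178[4500] (316 bytes)
2015-09-16T14:20:13.882095+00:00  charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
2015-09-16T14:20:13.882153+00:00  charon: 06[IKE] initiating EAP_IDENTITY method (id 0x00)
2015-09-16T14:20:13.884718+00:00  charon: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
2015-09-16T14:20:13.884897+00:00  charon: 06[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500] (1220 bytes)
2015-09-16T14:20:13.884924+00:00  charon: 03[NET] sending packet: from 94.242.232.178[4500] to 178.159.28.49[4500]
2015-09-16T14:20:43.786966+00:00  charon: 09[JOB] deleting half open IKE_SA after timeout
2015-09-16T14:20:43.786983+00:00 charon: 09[IKE] IKE_SA ikev2[2] state change: CONNECTING => DESTROYING
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+charon:\s+(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
# Only the sized NET lines are counted; charon logs a second, unsized copy from the sender thread.
SEND_RE = re.compile(r"sending packet: from (?P<src>\S+) to (?P<dst>\S+) \((?P<size>\d+) bytes\)")
RECV_RE = re.compile(r"received packet: from (?P<src>\S+) to (?P<dst>\S+) \((?P<size>\d+) bytes\)")
EXCH_RE = re.compile(r"(?:parsed|generating) (?P<exch>[A-Z_]+ (?:request|response) \d+)")
TIMEOUT_TEXT = "deleting half open IKE_SA after timeout"


def summarise(log_text):
    """Return the exchange list, last send/receive, and time from last send to timeout."""
    summary = {
        "exchanges": [],
        "last_sent": None,       # {"at": datetime, "bytes": int, "peer": str}
        "last_received": None,   # {"at": datetime, "bytes": int, "peer": str}
        "timed_out_at": None,
        "seconds_sent_to_timeout": None,
        "peer_replied_after_last_send": False,
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        msg, group = m["msg"], m["group"]
        if group == "NET":
            s = SEND_RE.search(msg)
            if s:
                summary["last_sent"] = {"at": ts, "bytes": int(s["size"]), "peer": s["dst"]}
                continue
            r = RECV_RE.search(msg)
            if r:
                summary["last_received"] = {"at": ts, "bytes": int(r["size"]), "peer": r["src"]}
        elif group == "ENC":
            e = EXCH_RE.search(msg)
            if e:
                summary["exchanges"].append(e["exch"])
        elif group == "JOB" and TIMEOUT_TEXT in msg:
            summary["timed_out_at"] = ts

    sent, recv, out = summary["last_sent"], summary["last_received"], summary["timed_out_at"]
    if sent and out:
        summary["seconds_sent_to_timeout"] = (out - sent["at"]).total_seconds()
    if sent and recv:
        summary["peer_replied_after_last_send"] = recv["at"] > sent["at"]
    return summary


def describe(summary):
    """One-line, human-readable statement of what the log shows."""
    sent = summary["last_sent"]
    if not sent or summary["seconds_sent_to_timeout"] is None:
        return "no half-open timeout following a sent packet found"
    replied = "did" if summary["peer_replied_after_last_send"] else "did not"
    return (
        f"exchanges: {', '.join(summary['exchanges'])}; last packet to {sent['peer']} was "
        f"{sent['bytes']} bytes; peer {replied} reply before the SA timed out "
        f"{summary['seconds_sent_to_timeout']:.1f} s later"
    )


if __name__ == "__main__":
    print(describe(summarise(SAMPLE_LOG)))
```

Run against the post's lines it reports the 1220-byte IKE_AUTH response as the last packet out, no packet back from the client, and a 29.9 s wait before the half-open SA was destroyed; the same script can be pointed at a longer log to see whether every stalled connection follows the same pattern.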

