[strongSwan] OS X 10.11 and IKEv2

Christian Huldt christian at solvare.se
Mon Apr 4 21:20:11 CEST 2016


On 2016-04-04 at 18:12, Laurens Vets wrote:
> On 2016-04-04 00:26, Christian Huldt wrote:
>> On 2016-04-04 at 04:52, Laurens Vets wrote:
>>> Hello list,
>>>
>>> I have a strongSwan server configured and using IKEv2 on my iOS device
>>> (9.3.1) works perfectly with IKEv2. When I use the same settings on my
>>> Mac when I configure IKEv2, I see the following messages in
>>> /var/log/system.log when I try to connect:
>>>
>>> Apr  3 19:44:13 Cerberus nesessionmanager[40856]:
>>> NESMIKEv2VPNSession[VPN (IKEv2):33BAFDF0-6B95-4AB2-982A-A7B7B3120C85]:
>>> Received a start command from SystemUIServer[481]
>>> Apr  3 19:44:13 Cerberus nesessionmanager[40856]:
>>> NESMIKEv2VPNSession[VPN (IKEv2):33BAFDF0-6B95-4AB2-982A-A7B7B3120C85]:
>>> status changed to connecting
>>> Apr  3 19:44:13 Cerberus nesessionmanager[40856]: Failed to find the
>>> VPN app for plugin type com.apple.neplugin.IKEv2
>>> Apr  3 19:44:13 Cerberus neagent[41085]: IKEv2 Plugin:
>>> ikev2_resolve_server_name: failed to query DNS
>>> Apr  3 19:44:13 Cerberus neagent[41085]: IKEv2 Plugin: Connect:
>>> Attempt to query DNS failed
>>> Apr  3 19:44:13 Cerberus nesessionmanager[40856]:
>>> NESMIKEv2VPNSession[VPN (IKEv2):33BAFDF0-6B95-4AB2-982A-A7B7B3120C85]:
>>> status changed to disconnecting
>>> Apr  3 19:44:13 Cerberus nesessionmanager[40856]:
>>> NESMIKEv2VPNSession[VPN (IKEv2):33BAFDF0-6B95-4AB2-982A-A7B7B3120C85]:
>>> status changed to disconnected, last stop reason Failed to resolve the
>>> server address
>>>
>>> I see no connection attempt on the server at all.
>>>
>>> Any idea what might be going? For the record, I have no other
>>> connection problems on this machine.
>> Specifically, can you ping strongswan server?
>> Do you use hostname or IP address in the connection settings?
>>> ikev2_resolve_server_name: failed to query DNS
>> means your mac can't even try to connect as it doesn't find the
>> server...
>
> I was using the hostname in the "Server Address" field. I've added the
> server name and ip address to /etc/hosts, this also doesn't work.
>
> I changed the server field from the DNS name to the ip address and now
> the connection works.
>
> Pinging the server by DNS name works without issues via Terminal.
> Running Wireshark shows no outbound DNS request for the server name.
>
> I'm not sure why my mac wouldn't try to resolve the DNS name.
>
> Has anyone else seen this behaviour on OS X?

No, not me anyway...
My mac connects and disagrees with the server...

Is it something simple I have overlooked?
(I tried IPv4 and IPv6 with the same result)


setup is empty, conn section below and some logging. Are the various
"ike/peer config match ..." referring to different conn sections? Is
there a way to propose looking at left-/rightid first?
Exactly the same certificates worked with Windows 7...

conn reell
     left=%defaultroute
     leftcert=runar.pem
     leftid="C=SE, O=doman, CN=runar.hg102.se"
     leftsubnet=0.0.0.0/0
     right=%any
     authby=pubkey
     rightsourceip=%dhcp
     keyexchange=ikev2
     leftfirewall=yes
     rightid="C=SE, O=doman, OU=dev, CN=*"
     leftsendcert=always
     rightsendcert=always
     fragmentation=yes
     dpdaction=clear
     dpddelay=300s
     rekey=no
     auto=add


2016-04-04 20:14 06[ENC] <3> generating IKE_SA_INIT response 0 [ SA KE
No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
2016-04-04 20:14 06[NET] <3> sending packet: from 20a1:3b8:2720::66[500]
to 2a01:16d8:ff00:85b6:399a:d0ca:7e24:1f28[500] (440 bytes)
2016-04-04 20:14 09[NET] <3> received packet: from
2a01:16d8:ff00:85b6:399a:d0ca:7e24:1f28[4500] to 20a1:3b8:2720::66[4500]
(544 bytes)
2016-04-04 20:14 09[ENC] <3> parsed IKE_AUTH request 1 [ IDi
N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6
DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
2016-04-04 20:14 09[CFG] <3> looking for peer configs matching
20a1:3b8:2720::66[C=SE, O=doman,
CN=runar.hg103.se]...2a01:16d8:ff00:85b6:399a:d0ca:7e24:1f28[C=SE,
O=doman, OU=dev, CN=mrc]
2016-04-04 20:14 09[CFG] <3> peer config match local: 1 (ID_FQDN ->
43:3d:53:45:2c:20:4f:3d:53:6f:6c:76:61:72:65:2c:20:43:4e:3d:72:75:6e:61:72:2e:68:67:31:30:33:2e:73:65)
.
.
.
2016-04-04 20:14 09[CFG] <3> ike config match: 28 (20a1:3b8:2720::66
2a01:16d8:ff00:85b6:399a:d0ca:7e24:1f28 IKEv2)
2016-04-04 20:14 09[CFG] <3> no matching peer config found
2016-04-04 20:14 09[IKE] <3> processing INTERNAL_IP4_ADDRESS attribute
2016-04-04 20:14 09[IKE] <3> processing INTERNAL_IP4_DHCP attribute
2016-04-04 20:14 09[IKE] <3> processing INTERNAL_IP4_DNS attribute
2016-04-04 20:14 09[IKE] <3> processing INTERNAL_IP4_NETMASK attribute
2016-04-04 20:14 09[IKE] <3> processing INTERNAL_IP6_ADDRESS attribute
2016-04-04 20:14 09[IKE] <3> processing INTERNAL_IP6_DHCP attribute
2016-04-04 20:14 09[IKE] <3> processing INTERNAL_IP6_DNS attribute
2016-04-04 20:14 09[IKE] <3> received ESP_TFC_PADDING_NOT_SUPPORTED, not
using ESPv3 TFC padding
2016-04-04 20:14 09[IKE] <3> peer supports MOBIKE
2016-04-04 20:14 09[ENC] <3> generating IKE_AUTH response 1 [
N(AUTH_FAILED) ]
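The "peer config match local: 1 (ID_FQDN -> 43:3d:...)" line above is where strongSwan reports what it compared: the identity type the peer sent and a hex dump of its bytes. The script below is an added diagnostic, not part of this thread and not strongSwan's own code. It decodes that hex dump back into text, guesses how strongSwan would type the leftid/rightid strings in the conn section (a value containing "=" is parsed as an X.509 DN, everything else here as an FQDN; IP literals and keyid: prefixes are left out of this simplified guess), and reports whether type and value of each side line up. The log and conn fragments embedded in it are constructed from the lines posted above, with the mailing-list line wrapping undone so each log entry is a single line; the id_match_t score constants are the ones defined in strongSwan's identification.h. Run against the posted lines it shows that the decoded bytes read "C=SE, O=Solvare, CN=runar.hg103.se", i.e. a DN string that arrived typed as ID_FQDN, while the leftid in the conn section is a DN-typed value and, as posted, a different string.

```python
import re

# id_match_t scores as defined in strongSwan's identification.h
ID_MATCH_NONE = 0
ID_MATCH_ANY = 1
ID_MATCH_PERFECT = 20

# Constructed sample input: the CFG/ENC lines from the post, reflowed so that
# every log entry sits on one line.
SAMPLE_LOG = """\
2016-04-04 20:14 09[CFG] <3> looking for peer configs matching 20a1:3b8:2720::66[C=SE, O=doman, CN=runar.hg103.se]...2a01:16d8:ff00:85b6:399a:d0ca:7e24:1f28[C=SE, O=doman, OU=dev, CN=mrc]
2016-04-04 20:14 09[CFG] <3> peer config match local: 1 (ID_FQDN -> 43:3d:53:45:2c:20:4f:3d:53:6f:6c:76:61:72:65:2c:20:43:4e:3d:72:75:6e:61:72:2e:68:67:31:30:33:2e:73:65)
2016-04-04 20:14 09[CFG] <3> ike config match: 28 (20a1:3b8:2720::66 2a01:16d8:ff00:85b6:399a:d0ca:7e24:1f28 IKEv2)
2016-04-04 20:14 09[CFG] <3> no matching peer config found
2016-04-04 20:14 09[ENC] <3> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# Constructed sample input: the identity-related lines of the conn section above.
SAMPLE_CONN = """\
conn reell
     leftcert=runar.pem
     leftid="C=SE, O=doman, CN=runar.hg102.se"
     rightid="C=SE, O=doman, OU=dev, CN=*"
     keyexchange=ikev2
"""

MATCH_RE = re.compile(
    r"peer config match (?P<side>local|remote): (?P<score>\d+) "
    r"\((?P<idtype>ID_\w+) -> (?P<hexid>[0-9a-f]{2}(?::[0-9a-f]{2})*)\)"
)
CONN_KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"]*?)"?\s*$')


def decode_hex_id(hexid: str) -> str:
    """strongSwan dumps the raw identity bytes as colon-separated hex;
    turn them back into text so they can be read next to the config."""
    raw = bytes(int(byte, 16) for byte in hexid.split(":"))
    return raw.decode("utf-8", errors="replace")


def guess_id_type(value: str) -> str:
    """Approximate how strongSwan types a leftid/rightid string from ipsec.conf
    (simplified: '@' -> RFC822 name, '=' -> X.509 DN, otherwise FQDN)."""
    if value in ("%any", ""):
        return "ID_ANY"
    if "@" in value:
        return "ID_RFC822_ADDR"
    if "=" in value:
        return "ID_DER_ASN1_DN"
    return "ID_FQDN"


def parse_conn(conn_text: str) -> dict:
    """Collect the key=value pairs of one conn section, quotes stripped."""
    settings = {}
    for line in conn_text.splitlines():
        m = CONN_KV_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def diagnose(log_text: str, conn_text: str) -> dict:
    """Pair every 'peer config match' line with the configured identity for
    that side and report whether type and value would compare equal."""
    conn = parse_conn(conn_text)
    result = {
        "matches": [],
        "no_peer_config": "no matching peer config found" in log_text,
        "auth_failed": "N(AUTH_FAILED)" in log_text,
    }
    for line in log_text.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue
        side = m.group("side")
        # local side is matched against leftid, remote side against rightid
        configured = conn.get("leftid" if side == "local" else "rightid", "%any")
        peer_value = decode_hex_id(m.group("hexid"))
        result["matches"].append({
            "side": side,
            "score": int(m.group("score")),
            "peer_type": m.group("idtype"),
            "peer_value": peer_value,
            "configured_type": guess_id_type(configured),
            "configured_value": configured,
            "same_type": guess_id_type(configured) == m.group("idtype"),
            "same_value": peer_value == configured,
        })
    return result


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SAMPLE_CONN)
    for entry in report["matches"]:
        print(f"{entry['side']}: score {entry['score']} (perfect is {ID_MATCH_PERFECT})")
        print(f"  peer sent   {entry['peer_type']:<16} {entry['peer_value']!r}")
        print(f"  configured  {entry['configured_type']:<16} {entry['configured_value']!r}")
        print(f"  same type: {entry['same_type']}, same value: {entry['same_value']}")
    print("no matching peer config:", report["no_peer_config"],
          "| AUTH_FAILED sent:", report["auth_failed"])
```

Feed it your own charon log (with charondebug cfg at level 3 or higher so the match lines appear) and the conn section you expect to be selected; a "local" entry whose peer type differs from the configured type, or whose decoded value differs from the configured one, is the first thing to reconcile before looking at certificates.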
