[strongSwan] Need help setting up IKEv2: "no matching peer config found"

Markus Reiter me at reitermark.us
Fri Feb 5 16:02:27 CET 2016


Hi,

I’m just starting out with StrongSwan and I just can’t get my iPhone to connect. I hope someone can help me.

First of all, here are my configs:


ipsec.secrets

: RSA server-key.pem



ipsec.conf

config setup
  # strictcrlpolicy=yes
  # uniqueids = no
  charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
  keyexchange=ikev2
  esp=aes-aes256-sha-modp1024,aes256-sha512-modp4096
  ike=aes-aes256-sha-modp1024,aes256-sha512-modp4096

conn home
  mobike=yes
  left=%any
  leftid=server.example.com
  leftauth=pubkey
  leftcert=server-cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0,::/0
  leftfirewall=yes
  right=%any
  rightid=server.example.com
# rightsourceip=%dhcp
  rightauth=pubkey
  rightcert=client-cert.pem
  rightauth2=eap-mschapv2
  auto=add



strongswan.conf

charon {

  threads = 16

  dns1 = 10.0.0.1
  nbns1 = 10.0.0.1

  load_modular = yes

  plugins {
    include strongswan.d/charon/*.conf

    dhcp {
      server = 10.0.0.1
    }
  }

}


On my iPhone, I set the Remote ID to server.example.com.


This is the log output, when I try to connect:

Fri Feb  5 15:51:33 2016 daemon.info : 03[NET] received packet: from 212.95.7.23[41484] to 210.33.47.77[500]
Fri Feb  5 15:51:33 2016 daemon.info : 03[NET] waiting for data on sockets
Fri Feb  5 15:51:33 2016 daemon.info : 14[NET] received packet: from 212.95.7.23[41484] to 210.33.47.77[500] (388 bytes)
Fri Feb  5 15:51:33 2016 daemon.info : 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG] looking for an ike config for 210.33.47.77...212.95.7.23
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG]   candidate: %any...%any, prio 28
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG] found matching ike config: %any...%any with prio 28
Fri Feb  5 15:51:33 2016 daemon.info : 14[IKE] 212.95.7.23 is initiating an IKE_SA
Fri Feb  5 15:51:33 2016 authpriv.info : 14[IKE] 212.95.7.23 is initiating an IKE_SA
Fri Feb  5 15:51:33 2016 daemon.info : 14[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG] selecting proposal:
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG]   proposal matches
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC
Fri Feb  5 15:51:33 2016 daemon.info : 14[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Fri Feb  5 15:51:33 2016 daemon.info : 14[IKE] remote host is behind NAT
Fri Feb  5 15:51:33 2016 daemon.info : 14[IKE] sending cert request for "C=AT, O=Organisation, CN=server.example.com (Root CA)"
Fri Feb  5 15:51:33 2016 daemon.info : 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Fri Feb  5 15:51:33 2016 daemon.info : 14[NET] sending packet: from 210.33.47.77[500] to 212.95.7.23[41484] (337 bytes)
Fri Feb  5 15:51:33 2016 daemon.info : 01[NET] sending packet: from 210.33.47.77[500] to 212.95.7.23[41484]
Fri Feb  5 15:51:33 2016 daemon.info : 03[NET] received packet: from 212.95.7.23[41122] to 210.33.47.77[4500]
Fri Feb  5 15:51:33 2016 daemon.info : 03[NET] waiting for data on sockets
Fri Feb  5 15:51:33 2016 daemon.info : 13[NET] received packet: from 212.95.7.23[41122] to 210.33.47.77[4500] (428 bytes)
Fri Feb  5 15:51:33 2016 daemon.info : 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Fri Feb  5 15:51:33 2016 daemon.info : 13[CFG] looking for peer configs matching 210.33.47.77[server.example.com]...212.95.7.23[10.2.219.224]
Fri Feb  5 15:51:33 2016 daemon.info : 13[CFG] no matching peer config found
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] processing INTERNAL_IP4_ADDRESS attribute
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] processing INTERNAL_IP4_DHCP attribute
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] processing INTERNAL_IP4_DNS attribute
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] processing INTERNAL_IP4_NETMASK attribute
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] processing INTERNAL_IP6_ADDRESS attribute
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] processing INTERNAL_IP6_DHCP attribute
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] processing INTERNAL_IP6_DNS attribute
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] peer supports MOBIKE
Fri Feb  5 15:51:33 2016 daemon.info : 13[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Fri Feb  5 15:51:33 2016 daemon.info : 13[NET] sending packet: from 210.33.47.77[4500] to 212.95.7.23[41122] (76 bytes)
Fri Feb  5 15:51:33 2016 daemon.info : 13[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING
Fri Feb  5 15:51:33 2016 daemon.info : 01[NET] sending packet: from 210.33.47.77[4500] to 212.95.7.23[41122]



I have read every "no matching peer" post on this mailing list, but haven’t found a solution that worked for me.

Best wishes,
Markus
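
The "looking for peer configs matching" line in the log above names the local and remote identities charon searched for. The Python sketch below, an added example that is not part of the original post or of strongSwan, compares those identities with the leftid/rightid of each conn. It assumes a simplified matching rule (exact match or %any), and the function names are illustrative.

```python
import re

# Constructed sample: the "home" conn from the post, identity-related keys only.
IPSEC_CONF = """\
conn home
  leftid=server.example.com
  right=%any
  rightid=server.example.com
"""

# The peer-config lookup line from the log in the post.
LOG_LINE = ("13[CFG] looking for peer configs matching "
            "210.33.47.77[server.example.com]...212.95.7.23[10.2.219.224]")

LOOKUP = re.compile(r"looking for peer configs matching "
                    r"(\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf text, ignoring comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def id_matches(configured, received):
    # Assumption: exact case-insensitive match; %any or an unset ID accepts anything.
    return configured in (None, "%any") or configured.lower() == received.lower()

def explain(log_line, conf_text):
    """Per conn, list the configured IDs that differ from those in the lookup line."""
    m = LOOKUP.search(log_line)
    if not m:
        return {}
    _, local_id, _, remote_id = m.groups()
    checks = (("leftid", "IDr", local_id), ("rightid", "IDi", remote_id))
    return {name: [f"{key}={opts[key]} != {label} {got}"
                   for key, label, got in checks
                   if not id_matches(opts.get(key), got)]
            for name, opts in parse_conns(conf_text).items()}

if __name__ == "__main__":
    print(explain(LOG_LINE, IPSEC_CONF))
```
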