[strongSwan] IKEv2 does not work on iOS9

Evgeniy Ivanov e601809 at gmail.com
Wed Jun 1 10:24:33 CEST 2016


Hello guys.

I'm trying to run IKEv2 on an iPhone with iOS 9, on Windows 7 and on
Android (with the strongSwan app from Google Play).

On Win7 and Android everything works well, but it can't connect on the iPhone.
Can anyone help me?

config:
# ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
    esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid="my.left.id"
    leftsubnet=0.0.0.0/0
    leftcert=fullchain.pem
    right=%any
    rightdns=172.16.0.1
    rightsourceip=10.168.30.0/24

conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any


Logs when the iPhone is connecting:
Jun 1 08:19:34 11[NET] <24> received packet: from 49.229.100.33[32585] to 185.80.222.44[500] (476 bytes)
Jun 1 08:19:34 11[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 1 08:19:34 11[IKE] <24> 49.229.100.33 is initiating an IKE_SA
Jun 1 08:19:34 11[IKE] <24> remote host is behind NAT
Jun 1 08:19:34 11[IKE] <24> sending cert request for "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jun 1 08:19:34 11[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 1 08:19:34 11[NET] <24> sending packet: from 185.80.222.44[500] to 49.229.100.33[32585] (337 bytes)
Jun 1 08:19:34 13[NET] <24> received packet: from 49.229.100.33[4500] to 185.80.222.44[4500] (508 bytes)
Jun 1 08:19:34 13[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 1 08:19:34 13[CFG] <24> looking for peer configs matching 185.80.222.44[my.left.id]...49.229.100.33[100.99.124.203]
Jun 1 08:19:34 13[CFG] <IPSec-IKEv2|24> selected peer config 'IPSec-IKEv2'
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2|24> peer requested EAP, config inacceptable
Jun 1 08:19:34 13[CFG] <IPSec-IKEv2|24> switching to peer config 'IPSec-IKEv2-EAP'
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> initiating EAP_IDENTITY method (id 0x00)
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> peer supports MOBIKE
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2-EAP|24> authentication of '*****' (myself) with RSA signature successful
Jun 1 08:19:34 13[ENC] <IPSec-IKEv2-EAP|24> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Jun 1 08:19:34 13[NET] <IPSec-IKEv2-EAP|24> sending packet: from 185.80.222.44[4500] to 49.229.100.33[4500] (364 bytes)
Jun  1 08:19:42 03[NET] ignoring IKE_SA setup from 49.229.100.33, peer too aggressive
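
Not part of Evgeniy's post: an added Python script that reads the charon lines quoted above (reproduced inline, rejoined where the mail wrapped them) and lists which IKE payloads went in each direction, so a responder can see at a glance what the server never sent. The one fact it relies on beyond the log is strongSwan's leftsendcert default of ifasked: charon includes its CERT payload in IKE_AUTH only when the peer sent a CERTREQ, which this client did not. The field names and the diagnose/explain helpers are this example's own, not strongSwan's.

```python
import re

# Constructed input: the charon log lines quoted in the post above, rejoined
# where the mail wrapped them (addresses and payload lists as posted).
SAMPLE_LOG = """\
Jun 1 08:19:34 11[ENC] <24> parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jun 1 08:19:34 11[ENC] <24> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Jun 1 08:19:34 13[ENC] <24> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Jun 1 08:19:34 13[IKE] <IPSec-IKEv2|24> peer requested EAP, config inacceptable
Jun 1 08:19:34 13[ENC] <IPSec-IKEv2-EAP|24> generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
Jun  1 08:19:42 03[NET] ignoring IKE_SA setup from 49.229.100.33, peer too aggressive
"""

# "parsed" = message received from the peer, "generating" = message charon sends.
MSG_RE = re.compile(r"(?P<verb>parsed|generating) (?P<exch>\w+) (?P<dir>request|response) "
                    r"(?P<mid>\d+) \[ (?P<payloads>.*) \]\s*$")
AGGR_RE = re.compile(r"ignoring IKE_SA setup from (?P<ip>\S+), peer too aggressive")


def split_payloads(text):
    """Split 'IDi CPRQ(ADDR DHCP) SA' into tokens, keeping bracketed groups whole."""
    tokens, buf, depth = [], [], 0
    for ch in text:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == " " and depth == 0:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def payload_type(token):
    """'N(NATD_S_IP)' -> 'N', 'EAP/REQ/ID' -> 'EAP', 'CERTREQ' -> 'CERTREQ'."""
    return re.split(r"[(/]", token, maxsplit=1)[0]


def parse_messages(log):
    """One dict per IKE message charon parsed (from the peer) or generated (to it)."""
    messages = []
    for m in filter(None, map(MSG_RE.search, log.splitlines())):
        tokens = split_payloads(m.group("payloads"))
        messages.append({"from_peer": m.group("verb") == "parsed",
                         "exchange": m.group("exch"), "direction": m.group("dir"),
                         "mid": int(m.group("mid")), "payloads": tokens,
                         "types": {payload_type(t) for t in tokens}})
    return messages


def diagnose(log):
    """Boolean findings about the certificate side of the exchange."""
    msgs = parse_messages(log)

    def find(exch, direction, from_peer):
        return next((m for m in msgs if (m["exchange"], m["direction"], m["from_peer"])
                     == (exch, direction, from_peer)), None)

    init_req = find("IKE_SA_INIT", "request", True)
    auth_req = find("IKE_AUTH", "request", True)
    auth_resp = find("IKE_AUTH", "response", False)
    # Peers whose fresh IKE_SA_INIT charon dropped while earlier SAs from them were still half-open.
    restarted = [m.group("ip") for m in filter(None, map(AGGR_RE.search, log.splitlines()))]
    return {
        # RFC 7296 section 2.16: an IKE_AUTH request without an AUTH payload asks for EAP.
        "peer_requested_eap": bool(auth_req and "AUTH" not in auth_req["types"]),
        "peer_sent_certreq": bool(init_req and "CERTREQ" in init_req["types"]),
        "cert_in_ike_auth_response": bool(auth_resp and "CERT" in auth_resp["types"]),
        "peer_restarted_ike_sa_init": bool(restarted),
    }


def explain(findings):
    """The notes a responder would write next to the log, one per finding."""
    notes = []
    if findings["peer_requested_eap"] and not findings["peer_sent_certreq"]:
        notes.append("peer uses EAP and sent no CERTREQ in IKE_SA_INIT")
    if not findings["cert_in_ike_auth_response"]:
        notes.append("IKE_AUTH response carries AUTH but no CERT payload: with the default "
                     "leftsendcert=ifasked charon sends its certificate only when the peer "
                     "asked for one; leftsendcert=always sends it regardless")
    if findings["peer_restarted_ike_sa_init"]:
        notes.append("peer never continued the EAP exchange but started a fresh "
                     "IKE_SA_INIT, which charon dropped ('peer too aggressive')")
    return notes


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result)
    print("\n".join(explain(result)))
```

Run against the posted lines it reports that the client asked for EAP without a CERTREQ, that the server's IKE_AUTH response had AUTH but no CERT, and that the client then restarted from IKE_SA_INIT; on a log where the response also carries CERT the middle note disappears.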
