[strongSwan] IKEv2 does not work on iOS9

Johannes Kastl mail at ojkastl.de
Wed Jun 1 14:56:15 CEST 2016

On 01.06.16 10:24 Evgeniy Ivanov wrote:

> conn %default
> keyexchange=ikev2
> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 
> is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 
> 3DES, sha-1, modp1024
> esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is 
> aes256-sha256, OS X is 3des-shal1
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftid="my.left.id"
> leftsubnet=
> leftcert=fullchain.pem
> right=%any
> rightdns=
> rightsourceip=
> conn IPSec-IKEv2
> keyexchange=ikev2

That line is already in %default, you could omiss it.

> auto=add
> conn IPSec-IKEv2-EAP
> also="IPSec-IKEv2"
> rightauth=eap-radius
> rightsendcert=never
> eap_identity=%any

I am not sure if the iphone can handle IKEv2-EAP, but as you miss auth
settings in the first connection, it uses the EAP one.

These lines from your logs:
> Jun 1 08:19:34 13[IKE] <IPSec-IKEv2|24> peer requested EAP, config 
> inacceptable
> Jun 1 08:19:34 13[CFG] <IPSec-IKEv2|24> switching to peer config 
> 'IPSec-IKEv2-EAP'

I am not sure about iOS9, but I guess it can handler IKEv2 with
certificates, or IKEv2 with XAuth, at least that is what I under stand



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 244 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160601/f6f58603/attachment.sig>

More information about the Users mailing list