[strongSwan] IKEv2 does not work on iOS9

Johannes Kastl mail at ojkastl.de
Wed Jun 1 14:56:15 CEST 2016


On 01.06.16 10:24 Evgeniy Ivanov wrote:

> conn %default
> keyexchange=ikev2
> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, modp1024
> esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1
> dpdaction=clear
> dpddelay=300s
> rekey=no
> left=%any
> leftid="my.left.id"
> leftsubnet=0.0.0.0/0
> leftcert=fullchain.pem
> right=%any
> rightdns=172.16.0.1
> rightsourceip=10.168.30.0/24
> 
> conn IPSec-IKEv2
> keyexchange=ikev2

That line is already in %default, you could omit it.

> auto=add
>
> conn IPSec-IKEv2-EAP
> also="IPSec-IKEv2"
> rightauth=eap-radius
> rightsendcert=never
> eap_identity=%any

I am not sure if the iPhone can handle IKEv2-EAP, but as you are missing auth
settings in the first connection, it uses the EAP one.

These lines from your logs:
> Jun 1 08:19:34 13[IKE] <IPSec-IKEv2|24> peer requested EAP, config inacceptable
> Jun 1 08:19:34 13[CFG] <IPSec-IKEv2|24> switching to peer config 'IPSec-IKEv2-EAP'

I am not sure about iOS9, but I guess it can handle IKEv2 with
certificates, or IKEv2 with XAuth, at least that is what I understand
here:

https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
https://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29


Johannes
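
Added illustration, not part of the original message or the poster's configuration: the two connections from the quoted config with the authentication method written out per conn using the ipsec.conf `leftauth`/`rightauth` keywords, so it is visible which conn a client asking for EAP can match, as in the quoted log. The `pubkey` values are an assumption about the intended setup; the other values are taken from the quoted config.

```conf
# Added example (assumed auth settings), ipsec.conf syntax.
# Shared settings such as left/right/leftcert stay in conn %default.

conn IPSec-IKEv2
    # Certificate authentication in both directions, stated explicitly
    # (assumption: this conn is meant for certificate-only clients).
    leftauth=pubkey
    rightauth=pubkey
    auto=add

conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    # The gateway still authenticates with its certificate,
    # the client authenticates with EAP relayed to RADIUS.
    leftauth=pubkey
    rightauth=eap-radius
    rightsendcert=never
    eap_identity=%any
```

With the methods written out, the log line `switching to peer config 'IPSec-IKEv2-EAP'` can be read directly against the config: the first conn does not offer EAP, the second does.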
