[strongSwan] IKEv2 does not work on iOS9
Michael Stiller
ms at 2scale.net
Wed Jun 1 15:08:39 CEST 2016
Hi,
I guess that “non matching config” is due to the ike= and esp= lines in the config.
Let strongSwan and iOS negotiate this by themselves.
This is a working iOS 9 strongSwan IKEv2 config using 5.3.5 on Ubuntu 14.04 LTS:
conn ike2
    keyexchange=ikev2
    auto=add
    dpdaction=clear
    left=### your ip here
    leftid=### your fqdn here
    leftsubnet=0.0.0.0/0
    leftcert=serverCert.pem ### your server cert
    leftsendcert=always
    right=%any
    rightid=%any
    rightsendcert=never
    rightsourceip=%radius
    rightauth=eap-radius
    eap_identity=%identity
You have to run a radius server for this and configure it in /etc/charon/eap-radius.conf:
eap-radius {
    load = yes
    class_group = no
    eap_start = no
    servers {
        primary {
            address = ### ip of radius server
            secret = ## radius secret
            nas_identifier = strongSwan   # option is spelled nas_identifier; a misspelled key is silently ignored
            sockets = 20
            preference = 101
        }
    }
}
Radius server config left as an exercise.
Packages installed:
ii libstrongswan
ii strongswan
ii strongswan-ike
ii strongswan-plugin-eap-radius
ii strongswan-plugin-openssl
ii strongswan-plugin-vici
ii strongswan-plugin-xauth-generic
ii strongswan-starter
On iOS you have to install the caCert which signed the server cert (if server cert is self-signed) and a pkcs12 client cert which is signed with the caCert.
The caCert and server cert + keys should go to /etc/ipsec.d/{certs,private}
Hope this helps,
cheers Michael
> On 01.06.2016, at 14:56, Johannes Kastl <mail at ojkastl.de> wrote:
>
> On 01.06.16 10:24 Evgeniy Ivanov wrote:
>
>> conn %default
>> keyexchange=ikev2
>> ike=aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024! # Win7
>> is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is
>> 3DES, sha-1, modp1024
>> esp=aes256-sha256,aes256-sha1,3des-sha1! # Win 7 is aes256-sha1, iOS is
>> aes256-sha256, OS X is 3des-shal1
>> dpdaction=clear
>> dpddelay=300s
>> rekey=no
>> left=%any
>> leftid="my.left.id"
>> leftsubnet=0.0.0.0/0
>> leftcert=fullchain.pem
>> right=%any
>> rightdns=172.16.0.1
>> rightsourceip=10.168.30.0/24
>>
>> conn IPSec-IKEv2
>> keyexchange=ikev2
>
> That line is already in %default, you could omit it.
>
>> auto=add
>>
>> conn IPSec-IKEv2-EAP
>> also="IPSec-IKEv2"
>> rightauth=eap-radius
>> rightsendcert=never
>> eap_identity=%any
>
> I am not sure if the iphone can handle IKEv2-EAP, but as you miss auth
> settings in the first connection, it uses the EAP one.
>
> These lines from your logs:
>> Jun 1 08:19:34 13[IKE] <IPSec-IKEv2|24> peer requested EAP, config
>> inacceptable
>> Jun 1 08:19:34 13[CFG] <IPSec-IKEv2|24> switching to peer config
>> 'IPSec-IKEv2-EAP'
>
> I am not sure about iOS9, but I guess it can handle IKEv2 with
> certificates, or IKEv2 with XAuth, at least that is what I understand
> here:
>
> https://raymii.org/s/tutorials/IPSEC_vpn_with_CentOS_7.html
> https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/
> https://wiki.strongswan.org/projects/strongswan/wiki/IOS_%28Apple%29
>
>
> Johannes
>
--
2scale GmbH, Schanzenstr. 20, 40549 Düsseldorf
Amtsgericht: Düsseldorf HRB 50718
Geschäftsführer: Georg von Zezschwitz, Dirk Vleugels
USt-IdNr.: DE 210936505
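As an added illustration (not part of the thread, and not strongSwan's own code), a small Python model of strict proposal matching applied to the quoted ike=/esp= lines: the iOS IKE proposal that the config's own comment names (aes256-sha256-modp1024) is in none of the three listed IKE proposals, while the ESP list does contain aes256-sha256. The matching is a simplification of strongSwan's per-transform negotiation, and the peer proposals are assumed from the config comments rather than captured from devices.

```python
# Constructed example: a simplified model of strongSwan strict ("!") proposal
# matching, run over the ike=/esp= lines from the quoted ipsec.conf. Real
# strongSwan matches per transform type, and a peer may offer several proposals.

# Values copied from the quoted config. The trailing "!" makes the list strict:
# the peer has to pick one of exactly these combinations.
IKE_LINE = "aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!"
ESP_LINE = "aes256-sha256,aes256-sha1,3des-sha1!"

# Client proposals as described in the comments of that config (taken from
# the comments, not captured from real devices).
PEER_IKE = {"Win7": "aes256-sha1-modp1024",
            "iOS": "aes256-sha256-modp1024",
            "OSX": "3des-sha1-modp1024"}
PEER_ESP = {"Win7": "aes256-sha1",
            "iOS": "aes256-sha256",
            "OSX": "3des-sha1"}


def parse_proposals(line):
    """Split an ike=/esp= value into algorithm-token sets plus a strict flag:
    'aes256-sha1-modp1024,3des-sha1-modp1024!' ->
    ([{aes256, sha1, modp1024}, {3des, sha1, modp1024}], True)."""
    strict = line.endswith("!")
    body = line.rstrip("!").strip()
    return [frozenset(p.split("-")) for p in body.split(",") if p], strict


def matching_proposal(line, peer_proposal):
    """Return the configured proposal equal to the peer's one (as a sorted
    token list), or None when the peer's combination is not listed."""
    proposals, _ = parse_proposals(line)
    peer = frozenset(peer_proposal.split("-"))
    return next((sorted(p) for p in proposals if p == peer), None)


def unmatched_peers(line, peers):
    """Names of peers whose proposal matches nothing in a strict list. Without
    '!' strongSwan also offers built-in defaults this model does not know,
    so for a non-strict line it reports nothing."""
    _, strict = parse_proposals(line)
    if not strict:
        return []
    return [n for n, prop in peers.items() if matching_proposal(line, prop) is None]
```

Running unmatched_peers over IKE_LINE reports only "iOS", which is the same mismatch the charon log shows as a non-matching config; ESP_LINE reports nobody.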