[strongSwan] Can't find peer config for mobile device
Shayne Civitarese
shayne.civitarese at wedgenetworks.com
Mon Jun 13 20:40:03 CEST 2016
Hello all,
I am having some difficulty getting any mobile device to connect to my strongswan server. I am using swanctl to configure my setup, and I can connect successfully from my laptop that has strongswan installed, but my phone is having issues.
I believe the issue lies in matching the identifier for the peer config. When connecting from my phone I see the peer config match is done on ID_KEY_ID, and when connected from my laptop the peer config match is ID_FQDN. I assume that I need to force an ID_FQDN match instead of allowing an ID_KEY_ID match, but I am unsure how I would do that or whether it is what I really need to do. Using IP addresses as the id is not an option for my configuration; I need to be matching configurations on a unique id, as the IP will be dynamic.
I appreciate any response and help. I will post my configuration below; if you need more information I will be glad to provide it.
Thanks,
Shayne
I have replaced my server ip address with x.x.x.x and my connecting address with y.y.y.y in all log and configuration snippets below.
Here is my configuration file for this connection
connections {
    foo {
        local_addrs = x.x.x.x
        local {
            auth = psk
            id = server
        }
        remote {
            auth = psk
            id = bob
        }
        children {
            net {
                local_ts = 0.0.0.0/0[udp/1701]
                remote_ts = 0.0.0.0/0[udp/1701]
                mode = tunnel
            }
        }
        aggressive = yes
        version = 1
    }
}
secrets {
    ike-client {
        id = bob
        secret = thisisapassword
    }
}
Here is the output from debug on my configuration load.
Jun 13 11:12:38 05[CFG] vici client 1 requests: load-conn
Jun 13 11:12:38 05[CFG] conn foo:
Jun 13 11:12:38 05[CFG] child net:
Jun 13 11:12:38 05[CFG] rekey_time = 3600
Jun 13 11:12:38 05[CFG] life_time = 3960
Jun 13 11:12:38 05[CFG] rand_time = 360
Jun 13 11:12:38 05[CFG] rekey_bytes = 166020696663385963
Jun 13 11:12:38 05[CFG] life_bytes = 184467440737095515
Jun 13 11:12:38 05[CFG] rand_bytes = 18446744073709552
Jun 13 11:12:38 05[CFG] rekey_packets = 166020696663385963
Jun 13 11:12:38 05[CFG] life_packets = 184467440737095515
Jun 13 11:12:38 05[CFG] rand_packets = 18446744073709552
Jun 13 11:12:38 05[CFG] updown = (null)
Jun 13 11:12:38 05[CFG] hostaccess = 0
Jun 13 11:12:38 05[CFG] ipcomp = 0
Jun 13 11:12:38 05[CFG] mode = TUNNEL
Jun 13 11:12:38 05[CFG] policies = 1
Jun 13 11:12:38 05[CFG] dpd_action = clear
Jun 13 11:12:38 05[CFG] start_action = clear
Jun 13 11:12:38 05[CFG] close_action = clear
Jun 13 11:12:38 05[CFG] reqid = 0
Jun 13 11:12:38 05[CFG] tfc = 0
Jun 13 11:12:38 05[CFG] mark_in = 0/0
Jun 13 11:12:38 05[CFG] mark_out = 0/0
Jun 13 11:12:38 05[CFG] inactivity = 0
Jun 13 11:12:38 05[CFG] proposals = ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Jun 13 11:12:38 05[CFG] local_ts = 0.0.0.0/0[udp/l2f]
Jun 13 11:12:38 05[CFG] remote_ts = 0.0.0.0/0[udp/l2f]
Jun 13 11:12:38 05[CFG] version = 1
Jun 13 11:12:38 05[CFG] local_addrs = x.x.x.x
Jun 13 11:12:38 05[CFG] remote_addrs = %any
Jun 13 11:12:38 05[CFG] local_port = 500
Jun 13 11:12:38 05[CFG] remote_port = 500
Jun 13 11:12:38 05[CFG] send_certreq = 1
Jun 13 11:12:38 05[CFG] send_cert = CERT_SEND_IF_ASKED
Jun 13 11:12:38 05[CFG] mobike = 1
Jun 13 11:12:38 05[CFG] aggressive = 1
Jun 13 11:12:38 05[CFG] encap = 0
Jun 13 11:12:38 05[CFG] dpd_delay = 0
Jun 13 11:12:38 05[CFG] dpd_timeout = 0
Jun 13 11:12:38 05[CFG] fragmentation = 0
Jun 13 11:12:38 05[CFG] unique = UNIQUE_NO
Jun 13 11:12:38 05[CFG] keyingtries = 1
Jun 13 11:12:38 05[CFG] reauth_time = 0
Jun 13 11:12:38 05[CFG] rekey_time = 14400
Jun 13 11:12:38 05[CFG] over_time = 1440
Jun 13 11:12:38 05[CFG] rand_time = 1440
Jun 13 11:12:38 05[CFG] proposals = IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jun 13 11:12:38 05[CFG] local:
Jun 13 11:12:38 05[CFG] id = server
Jun 13 11:12:38 05[CFG] class = pre-shared key
Jun 13 11:12:38 05[CFG] remote:
Jun 13 11:12:38 05[CFG] id = bob
Jun 13 11:12:38 05[CFG] class = pre-shared key
Jun 13 11:12:38 05[CFG] added vici connection: foo
Here is the output from a successful connection with my laptop and strongswan.
Jun 13 10:39:20 02[CFG] <14> looking for an ike config for x.x.x.x...y.y.y.y
Jun 13 10:39:20 02[CFG] <14> ike config match: 1052 (x.x.x.x y.y.y.y IKEv1)
Jun 13 10:39:20 02[CFG] <14> candidate: x.x.x.x...%any, prio 1052
Jun 13 10:39:20 02[CFG] <14> found matching ike config: x.x.x.x...%any with prio 1052
Jun 13 10:39:20 07[JOB] next event in 29s 999ms, waiting
Jun 13 10:39:20 02[IKE] <14> received XAuth vendor ID
Jun 13 10:39:20 02[IKE] <14> received DPD vendor ID
Jun 13 10:39:20 02[IKE] <14> received NAT-T (RFC 3947) vendor ID
Jun 13 10:39:20 02[IKE] <14> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 13 10:39:20 02[IKE] <14> y.y.y.y is initiating a Aggressive Mode IKE_SA
Jun 13 10:39:20 02[IKE] <14> IKE_SA (unnamed)[14] state change: CREATED => CONNECTING
Jun 13 10:39:20 02[CFG] <14> selecting proposal:
Jun 13 10:39:20 02[CFG] <14> proposal matches
Jun 13 10:39:20 02[CFG] <14> received proposals: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048, IKE:MODP_2048
Jun 13 10:39:20 02[CFG] <14> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jun 13 10:39:20 02[CFG] <14> selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048
Jun 13 10:39:20 02[LIB] <14> size of DH secret exponent: 2047 bits
Jun 13 10:39:20 02[CFG] <14> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[bob]
Jun 13 10:39:20 02[CFG] <14> peer config match local: 1 (ID_ANY)
Jun 13 10:39:20 02[CFG] <14> peer config match remote: 20 (ID_FQDN -> 62:6f:62)
Jun 13 10:39:20 02[CFG] <14> ike config match: 1052 (x.x.x.x y.y.y.y IKEv1)
Jun 13 10:39:20 02[CFG] <14> candidate "foo", match: 1/20/1052 (me/other/ike)
Jun 13 10:39:20 02[CFG] <14> selected peer config "foo"
Here is the output from an unsuccessful connection on my Android device, though I get stuck at the same spot using an iOS device.
Jun 13 11:09:46 14[CFG] <4> looking for an ike config for x.x.x.x...y.y.y.y
Jun 13 11:09:46 14[CFG] <4> ike config match: 1052 (x.x.x.x y.y.y.y IKEv1)
Jun 13 11:09:46 14[CFG] <4> candidate: x.x.x.x...%any, prio 1052
Jun 13 11:09:46 14[CFG] <4> found matching ike config: x.x.x.x...%any with prio 1052
Jun 13 11:09:46 07[JOB] next event in 26s 754ms, waiting
Jun 13 11:09:46 14[IKE] <4> received FRAGMENTATION vendor ID
Jun 13 11:09:46 14[IKE] <4> received NAT-T (RFC 3947) vendor ID
Jun 13 11:09:46 14[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Jun 13 11:09:46 14[IKE] <4> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Jun 13 11:09:46 14[IKE] <4> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
Jun 13 11:09:46 14[IKE] <4> received DPD vendor ID
Jun 13 11:09:46 14[IKE] <4> y.y.y.y is initiating a Aggressive Mode IKE_SA
Jun 13 11:09:46 14[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
Jun 13 11:09:46 14[CFG] <4> selecting proposal:
Jun 13 11:09:46 14[CFG] <4> proposal matches
Jun 13 11:09:46 14[CFG] <4> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Jun 13 11:09:46 14[CFG] <4> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP
Jun 13 11:09:46 14[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jun 13 11:09:46 14[LIB] <4> size of DH secret exponent: 1023 bits
Jun 13 11:09:46 14[CFG] <4> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[bob]
Jun 13 11:09:46 14[CFG] <4> peer config match local: 1 (ID_ANY)
Jun 13 11:09:46 14[CFG] <4> peer config match remote: 0 (ID_KEY_ID -> 62:6f:62)
Jun 13 11:09:46 14[CFG] <4> ike config match: 1052 (x.x.x.x y.y.y.y IKEv1)
Jun 13 11:09:46 14[IKE] <4> no peer config found
How I connect with my phone
Settings -> More Connection Settings -> VPN -> Add VPN
Name : bob
Type : L2TP/IPSec PSK
Server Address: x.x.x.x
L2TP secret: not used
IPSec identifier: bob
IPSec pre-shared key: thisisapassword
Try to connect with added VPN
Username: bob
Password: thisisapassword
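Added example, not part of the post above and not strongSwan's own code: a Python script that reads the two peer-config lookup excerpts quoted in the post (copied here as constructed sample input, IKE_SA <14> from the laptop and <4> from the Android phone) and reports, per IKE_SA, which ID type the peer sent, the raw identity bytes, the match score and whether a peer config was selected. It makes the decisive point visible: both peers present the same three bytes 62:6f:62 ("bob"), but charon's lookup compares the ID type as well as the bytes, so an ID_KEY_ID from the phone scores 0 against a configured id that was parsed as ID_FQDN. The script also flags the MODP_1024 group the phone negotiated. The suggested_id it prints assumes that strongSwan's identity parser treats an "@#<hex>" prefix as a hex-encoded ID_KEY_ID; that prefix spelling is an assumption to be checked against the identity-parsing documentation for the strongSwan version in use.

```python
import re
from collections import defaultdict

# Constructed excerpts of the two charon log snippets quoted in the post:
# the laptop IKE_SA <14> that selected peer config "foo" and the Android
# IKE_SA <4> that ended with "no peer config found".
LAPTOP_LOG = """\
Jun 13 10:39:20 02[CFG] <14> selected proposal: IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048
Jun 13 10:39:20 02[CFG] <14> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[bob]
Jun 13 10:39:20 02[CFG] <14> peer config match local: 1 (ID_ANY)
Jun 13 10:39:20 02[CFG] <14> peer config match remote: 20 (ID_FQDN -> 62:6f:62)
Jun 13 10:39:20 02[CFG] <14> candidate "foo", match: 1/20/1052 (me/other/ike)
Jun 13 10:39:20 02[CFG] <14> selected peer config "foo"
"""

ANDROID_LOG = """\
Jun 13 11:09:46 14[CFG] <4> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Jun 13 11:09:46 14[CFG] <4> looking for pre-shared key peer configs matching x.x.x.x...y.y.y.y[bob]
Jun 13 11:09:46 14[CFG] <4> peer config match local: 1 (ID_ANY)
Jun 13 11:09:46 14[CFG] <4> peer config match remote: 0 (ID_KEY_ID -> 62:6f:62)
Jun 13 11:09:46 14[IKE] <4> no peer config found
"""

# charon prefixes every line belonging to an IKE_SA with "<n>"; key on that number.
SA_RE = re.compile(r"\[\w+\] <(\d+)> (.*)$")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(\S+)")
LOOKUP_RE = re.compile(r"peer configs matching \S+\.\.\.(\S+)\[(.*)\]$")
REMOTE_RE = re.compile(r"peer config match remote: (\d+) \((ID_\w+) -> ([0-9a-f:]+)\)")
SELECTED_RE = re.compile(r'selected peer config "([^"]+)"')

# DH groups below 2048 bits; MODP_1024 is what the Android client negotiated.
WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1024_160", "MODP_1536"}


def parse_peer_matches(log):
    """Return {ike_sa_number: record} describing the peer-config lookup of each SA."""
    sas = defaultdict(dict)
    for line in log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        rec = sas[int(m.group(1))]
        msg = m.group(2)
        p = PROPOSAL_RE.search(msg)
        if p:
            rec["proposal"] = p.group(1)
            continue
        lk = LOOKUP_RE.search(msg)
        if lk:
            rec["peer_addr"], rec["peer_id"] = lk.group(1), lk.group(2)
            continue
        r = REMOTE_RE.search(msg)
        if r:
            rec["remote_score"] = int(r.group(1))
            rec["remote_id_type"] = r.group(2)
            # charon prints the identity payload as colon-separated hex bytes
            rec["remote_id_bytes"] = bytes.fromhex(r.group(3).replace(":", ""))
            continue
        s = SELECTED_RE.search(msg)
        if s:
            rec["selected"] = s.group(1)
        elif "no peer config found" in msg:
            rec["selected"] = None
    return dict(sas)


def diagnose(rec, configured_type="ID_FQDN"):
    """Explain the peer-config decision for one IKE_SA record.

    configured_type is the ID type charon gave the configured remote id; a bare
    "bob" in swanctl.conf is parsed as ID_FQDN, as the laptop SA confirms."""
    findings = []
    id_bytes = rec.get("remote_id_bytes", b"")
    printable = id_bytes.decode("ascii", "replace")
    id_type = rec.get("remote_id_type")
    if rec.get("selected") is not None:
        findings.append("peer config %r selected: remote id matched as %s with score %d"
                        % (rec["selected"], id_type, rec["remote_score"]))
    elif rec.get("remote_score", 0) == 0 and printable == rec.get("peer_id"):
        findings.append("identity bytes %s (%r) equal the configured id, but the peer sent "
                        "%s while the configured id is parsed as %s; the match is type-sensitive"
                        % (id_bytes.hex(), printable, id_type, configured_type))
    dh = rec.get("proposal", "").rsplit("/", 1)[-1]
    if dh in WEAK_DH:
        findings.append("selected DH group %s is below 2048 bits" % dh)
    # Assumption: strongSwan parses "@#<hex>" as a hex-encoded ID_KEY_ID, so this is
    # the spelling that would make the configured remote id match what the phone sends.
    suggested = "@#" + id_bytes.hex() if id_type == "ID_KEY_ID" else None
    return {"selected": rec.get("selected"), "id_type": id_type,
            "suggested_id": suggested, "findings": findings}


if __name__ == "__main__":
    for name, log in (("laptop", LAPTOP_LOG), ("android", ANDROID_LOG)):
        for sa, rec in parse_peer_matches(log).items():
            result = diagnose(rec)
            print("%s IKE_SA <%d>: selected=%r suggested_id=%r"
                  % (name, sa, result["selected"], result["suggested_id"]))
            for finding in result["findings"]:
                print("  -", finding)
```

Run as-is it reports the laptop SA as matched via ID_FQDN with score 20 and the Android SA as unmatched with identical bytes but type ID_KEY_ID, plus the below-2048-bit group. The point the output makes is that the fix belongs on the configured id's type, not its bytes: the phone cannot be made to send an FQDN, so the server-side remote id has to be declared as a key ID. Whether "@#626f62" is the right spelling for that on a given strongSwan release is something to verify against its documentation before relying on it.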