[strongSwan] Help needed for a basic swanctl config

Glen Huang heyhgl at gmail.com
Tue Jan 2 11:54:27 CET 2018


Hi,

I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.

I have this very simple config:

connections {
    ios {
        version = 2
        pools = ios_pool
        remote {
            id = foobar
            auth = psk
        }
    }
}

pools {
   ios_pool {
      addrs = 192.168.37.0/24
      dns = 8.8.8.8
   }
}

secrets {
   ike-ios {
      secret = abc
   }
}

But when I connect from an iOS client using the following connection settings:

Remote ID: foobar
Local ID: [empty]
Authentication Settings: None
Shared Secret: abc

It fails to connect, and the log shows it failing at a pretty early stage:

12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
12[IKE] 2.2.2.2 is initiating an IKE_SA
12[IKE] remote host is behind NAT
12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
05[CFG] no matching peer config found
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)

I'm trying to get a firm grasp of strongSwan (I have some basic understanding of IKEv2 & IPsec), so a few questions:

1. What constitutes a "peer config" in swanctl.conf?
2. Is the AUTH_FAILED message caused by a secret mismatch, by not finding a matching connection setting, or by something else?
3. How do I find out from the logs what kind of auth request the client sent? The iOS client provides quite a few authentication settings, and I'd like to learn how charon sees them in order to provide the corresponding settings in swanctl.conf.

Thanks in advance.
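Added example, not part of Glen's post: a swanctl.conf whose peer config would match the identities charon logged above. In swanctl.conf the `local` section describes the server's own identity (the IDr the client expects, i.e. the iOS "Remote ID"), and `remote` describes the client's identity. The log line `looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]` shows foobar on the server side and the client's own address on the client side (iOS sends its IP when "Local ID" is left empty), so a config that puts `id = foobar` under `remote` has nothing to match against. Addresses, pool and secret are taken from the post; the `children` section is an assumption (a full tunnel) so that a CHILD_SA can be negotiated once the IKE_SA authenticates.

```conf
connections {
    ios {
        version = 2
        pools = ios_pool

        # Server-side identity. This is the IDr the iOS client sends, i.e. the
        # "Remote ID" field in the iOS profile. charon logs it as the left-hand
        # identity in "looking for peer configs matching 1.1.1.1[foobar]...".
        local {
            id = foobar
            auth = psk
        }

        # Client-side identity. With an empty "Local ID" iOS sends its own IP
        # address (192.168.1.251 in the log), so accept any identity here.
        # %any is the swanctl default; it is written out to make the contrast
        # with the posted config explicit.
        remote {
            id = %any
            auth = psk
        }

        # Assumed: a full-tunnel child so the client routes everything through
        # the gateway. remote_ts stays at its default (dynamic), which matches
        # the virtual IP handed out from ios_pool.
        children {
            ios {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8
    }
}

secrets {
    # No id = ... entries, so this PSK is used for any peer identity.
    # "abc" is the value from the post; in practice use a long random secret.
    ike-ios {
        secret = abc
    }
}
```

With this loaded (`swanctl --load-all`), a mismatch in the shared secret would no longer show up as "no matching peer config found" but as an authentication failure after the peer config has been selected, which is the distinction the second question asks about.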