[strongSwan] Users Digest, Vol 96, Issue 2
Quaker
bigboyq at gmail.com
Wed Jan 3 03:23:14 CET 2018
1. peer config is related to ipsec.conf
2. As your log, AUTH_FAILED might also caused by ipsec.conf, when finished
ipsec.conf, you should config ipsec.secret also
Regards
Quaker
On Tue, Jan 2, 2018 at 7:00 PM, <users-request at lists.strongswan.org> wrote:
> Send Users mailing list submissions to
> users at lists.strongswan.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.strongswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
> users-request at lists.strongswan.org
>
> You can reach the person managing the list at
> users-owner at lists.strongswan.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
>
>
> Today's Topics:
>
> 1. Help needed for a basic swanctl config (Glen Huang)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 2 Jan 2018 18:54:27 +0800
> From: Glen Huang <heyhgl at gmail.com>
> To: users at lists.strongswan.org
> Subject: [strongSwan] Help needed for a basic swanctl config
> Message-ID: <BC3FDE8E-B7AB-48EC-8C56-320F42C71661 at gmail.com>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>
> I have this very simple config:
>
> connections {
> ios {
> version = 2
> pools = ios_pool
> remote {
> id = foobar
> auth = psk
> }
> }
> }
>
> pools {
> ios_pool {
> addrs = 192.168.37.0/24
> dns = 8.8.8.8
> }
> }
>
> secrets {
> ike-ios {
> secret = abc
> }
> }
>
> But when connect from an iOS client using the following connection
> settings:
>
> Remote ID: foobar
> Local ID: [empty]
> Authentication Settings: None
> Shared Secret: abc
>
> It fails to connect, and the log shows it fails at an pretty early stage:
>
> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) ]
> 12[IKE] 2.2.2.2 is initiating an IKE_SA
> 12[IKE] remote host is behind NAT
> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
> N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP)
> N(NATD_D_IP) N(FRAG_SUP) ]
> 15[IKE] received retransmit of request with ID 0, retransmitting response
> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
> 05[ENC] unknown attribute type (25)
> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr
> AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N)
> N(NON_FIRST_FRAG) SA TSi TSr ]
> 05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.
> 168.1.251]
> 05[CFG] no matching peer config found
> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 05[IKE] peer supports MOBIKE
> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>
> I’m trying to have a firm grasp of strongswan (I have some basic
> understanding of ikev2 & IPsec), so a few questions:
>
> 1. What constitutes a "peer config” in swanctl.conf?
> 2. The AUTH_FAILED message is caused by a secret mismatch or unable to
> find a connection setting or something else?
> 3. How do I find out in the logs the kind of auth request sent by the
> client? The iOS Client client provides quite a few authentication settings,
> and I’d like to learn how charon sees them in order to provide the
> corresponding settings in swanctl.conf
>
> Thanks in advance.
>
>
> End of Users Digest, Vol 96, Issue 2
> ************************************
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180103/91983396/attachment.html>
More information about the Users
mailing list