[strongSwan] Users Digest, Vol 96, Issue 2

Quaker bigboyq at gmail.com
Wed Jan 3 03:23:14 CET 2018


1. Peer config is related to ipsec.conf.
2. Per your log, AUTH_FAILED might also be caused by ipsec.conf. When you have
finished ipsec.conf, you should also configure ipsec.secret.


Regards
Quaker

On Tue, Jan 2, 2018 at 7:00 PM, <users-request at lists.strongswan.org> wrote:

> Today's Topics:
>
>    1. Help needed for a basic swanctl config (Glen Huang)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 2 Jan 2018 18:54:27 +0800
> From: Glen Huang <heyhgl at gmail.com>
> To: users at lists.strongswan.org
> Subject: [strongSwan] Help needed for a basic swanctl config
> Message-ID: <BC3FDE8E-B7AB-48EC-8C56-320F42C71661 at gmail.com>
> Content-Type: text/plain;       charset=utf-8
>
> Hi,
>
> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>
> I have this very simple config:
>
> connections {
>     ios {
>         version = 2
>         pools = ios_pool
>         remote {
>             id = foobar
>             auth = psk
>         }
>     }
> }
>
> pools {
>    ios_pool {
>       addrs = 192.168.37.0/24
>       dns = 8.8.8.8
>    }
> }
>
> secrets {
>    ike-ios {
>       secret = abc
>    }
> }
>
> But when I connect from an iOS client using the following connection
> settings:
>
> Remote ID: foobar
> Local ID: [empty]
> Authentication Settings: None
> Shared Secret: abc
>
> It fails to connect, and the log shows it fails at a pretty early stage:
>
> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 12[IKE] 2.2.2.2 is initiating an IKE_SA
> 12[IKE] remote host is behind NAT
> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 15[IKE] received retransmit of request with ID 0, retransmitting response
> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
> 05[ENC] unknown attribute type (25)
> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> 05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
> 05[CFG] no matching peer config found
> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 05[IKE] peer supports MOBIKE
> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>
> I’m trying to have a firm grasp of strongswan (I have some basic
> understanding of ikev2 & IPsec), so a few questions:
>
> 1. What constitutes a "peer config" in swanctl.conf?
> 2. Is the AUTH_FAILED message caused by a secret mismatch, by being unable to
> find a connection setting, or by something else?
> 3. How do I find out in the logs the kind of auth request sent by the
> client? The iOS client provides quite a few authentication settings,
> and I’d like to learn how charon sees them in order to provide the
> corresponding settings in swanctl.conf
>
> Thanks in advance.
>
>
> End of Users Digest, Vol 96, Issue 2
> ************************************
>
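
An added example, not part of the original thread and not strongSwan code: a small Python helper that reads the two relevant lines of the charon log quoted above and reports which identities the peer-config lookup used and what the first IKE_AUTH request indicates about the client's authentication method. It assumes the log format shown in the post; the function names, the heuristic labels and the plain string comparison of identities are this example's own simplifications.

```python
import re

# Constructed sample: two lines from the charon log quoted above, wraps joined.
SAMPLE_LOG = """\
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
"""

# Message ID 1 is the first IKE_AUTH request, where the method is signalled.
AUTH_REQ = re.compile(r"parsed IKE_AUTH request 1 \[ (.*) \]")
# charon prints local_host[local id]...remote_host[remote id]; on a responder
# the local id is the IDr the client asked for, the remote id is its IDi.
LOOKUP = re.compile(r"looking for peer configs matching "
                    r"(\S+?)\[(.*?)\]\.\.\.(\S+?)\[(.*?)\]")

def payload_names(body):
    """Return top-level payload names, dropping (possibly nested) details."""
    prev = None
    while prev != body:
        prev, body = body, re.sub(r"\([^()]*\)", "", body)
    return body.split()

def describe(log, configured_remote_id):
    """Summarise what the client sent and whether remote.id would match."""
    info = {}
    for line in log.splitlines():
        m = AUTH_REQ.search(line)
        if m:
            names = payload_names(m.group(1))
            if "AUTH" not in names:
                # RFC 7296: omitting AUTH in the first request asks for EAP.
                info["client_auth"] = "eap"
            elif "CERT" in names:
                info["client_auth"] = "pubkey"  # heuristic: cert was sent
            else:
                info["client_auth"] = "psk-or-pubkey-without-cert"
        m = LOOKUP.search(line)
        if m:
            info["local_id"], info["remote_id"] = m.group(2), m.group(4)
            # Simplification: strongSwan compares typed identities, not text.
            info["remote_id_matches"] = configured_remote_id == m.group(4)
    return info

if __name__ == "__main__":
    # remote.id = foobar is the value from the swanctl.conf in the post.
    print(describe(SAMPLE_LOG, "foobar"))
```

Run against the quoted log, it shows that the client presented `foobar` as the identity it expects of the server, while the identity it sent for itself was `192.168.1.251`, which is what `remote.id` is compared with.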