[strongSwan] Help needed for a basic swanctl config

Glen Huang heyhgl at gmail.com
Wed Jan 3 07:27:16 CET 2018 

I made some progress.

I can fix the "no matching peer config found” error by deleting "id = foobar” in remote.

I’m not sure why I shouldn’t specify an IKE identity. I assume the Remote ID in iOS client specifies the IKE identity. Should I only specify the id when authenticating using a certificate?

After fixing it, the peer config “ios” was selected (now I understand peer config denotes a connection), but I got a new error saying no private key found for ‘foobar’.

I don’t quite understand it. Since I don’t have any certificates configured in strongswan, and don’t ask the iOS client to send one. Why is charon looking for a private key for ‘foobar’?

Regards,
Glen


> On 2 Jan 2018, at 6:54 PM, Glen Huang <heyhgl at gmail.com> wrote:
> 
> Hi,
> 
> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
> 
> I have this very simple config:
> 
> connections {
>    ios {
>        version = 2
>        pools = ios_pool
>        remote {
>            id = foobar
>            auth = psk
>        }
>    }
> }
> 
> pools {
>   ios_pool {
>      addrs = 192.168.37.0/24
>      dns = 8.8.8.8
>   }
> }
> 
> secrets {
>   ike-ios {
>      secret = abc
>   }
> }
> 
> But when connect from an iOS client using the following connection settings:
> 
> Remote ID: foobar
> Local ID: [empty]
> Authentication Settings: None
> Shared Secret: abc
> 
> It fails to connect, and the log shows it fails at an pretty early stage:
> 
> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 12[IKE] 2.2.2.2 is initiating an IKE_SA
> 12[IKE] remote host is behind NAT
> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 15[IKE] received retransmit of request with ID 0, retransmitting response
> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
> 05[ENC] unknown attribute type (25)
> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> 05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
> 05[CFG] no matching peer config found
> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 05[IKE] peer supports MOBIKE
> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
> 
> I’m trying to have a firm grasp of strongswan (I have some basic understanding of ikev2 & IPsec), so a few questions:
> 
> 1. What constitutes a "peer config” in swanctl.conf?
> 2. The AUTH_FAILED message is caused by a secret mismatch or unable to find a connection setting or something else?
> 3. How do I find out in the logs the kind of auth request sent by the client? The iOS Client client provides quite a few authentication settings, and I’d like to learn how charon sees them in order to provide the corresponding settings in swanctl.conf
> 
> Thanks in advance.

More information about the Users mailing list