[strongSwan] Help needed for a basic swanctl config

Glen Huang heyhgl at gmail.com
Wed Jan 3 08:40:09 CET 2018


Nevermind, I confused local with remote.

I can connect now.

Regards,
Glen

> On 3 Jan 2018, at 2:27 PM, Glen Huang <heyhgl at gmail.com> wrote:
> 
> I made some progress.
> 
> I can fix the "no matching peer config found" error by deleting "id = foobar" in remote.
> 
> I’m not sure why I shouldn’t specify an IKE identity. I assume the Remote ID in iOS client specifies the IKE identity. Should I only specify the id when authenticating using a certificate?
> 
> After fixing it, the peer config “ios” was selected (now I understand peer config denotes a connection), but I got a new error saying no private key found for ‘foobar’.
> 
> I don’t quite understand it. Since I don’t have any certificates configured in strongswan, and don’t ask the iOS client to send one. Why is charon looking for a private key for ‘foobar’?
> 
> Regards,
> Glen
> 
> 
>> On 2 Jan 2018, at 6:54 PM, Glen Huang <heyhgl at gmail.com> wrote:
>> 
>> Hi,
>> 
>> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>> 
>> I have this very simple config:
>> 
>> connections {
>>   ios {
>>       version = 2
>>       pools = ios_pool
>>       remote {
>>           id = foobar
>>           auth = psk
>>       }
>>   }
>> }
>> 
>> pools {
>>  ios_pool {
>>     addrs = 192.168.37.0/24
>>     dns = 8.8.8.8
>>  }
>> }
>> 
>> secrets {
>>  ike-ios {
>>     secret = abc
>>  }
>> }
>> 
>> But when I connect from an iOS client using the following connection settings:
>> 
>> Remote ID: foobar
>> Local ID: [empty]
>> Authentication Settings: None
>> Shared Secret: abc
>> 
>> It fails to connect, and the log shows it fails at a pretty early stage:
>> 
>> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>> 12[IKE] 2.2.2.2 is initiating an IKE_SA
>> 12[IKE] remote host is behind NAT
>> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
>> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
>> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>> 15[IKE] received retransmit of request with ID 0, retransmitting response
>> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
>> 05[ENC] unknown attribute type (25)
>> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>> 05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
>> 05[CFG] no matching peer config found
>> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> 05[IKE] peer supports MOBIKE
>> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>> 
>> I’m trying to have a firm grasp of strongswan (I have some basic understanding of ikev2 & IPsec), so a few questions:
>> 
>> 1. What constitutes a "peer config" in swanctl.conf?
>> 2. Is the AUTH_FAILED message caused by a secret mismatch, by not finding a connection setting, or by something else?
>> 3. How do I find out from the logs what kind of auth request the client sent? The iOS client provides quite a few authentication settings, and I'd like to learn how charon sees them in order to provide the corresponding settings in swanctl.conf.
>> 
>> Thanks in advance.
> 
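For readers hitting the same "no matching peer config found" line: charon logs the lookup as me[my id]...peer[peer id], so in `1.1.1.1[foobar]...2.2.2.2[192.168.1.251]` the name foobar is the server's own identity (the iOS Remote ID, sent as IDr) and the client identified itself by its IP address because Local ID was left empty. A `remote { id = foobar }` entry is therefore compared against 192.168.1.251 and never matches. The following swanctl.conf is an added example, not the config Glen ended up with; the children section, the traffic selector and the `id-1` entry are assumptions added to make a usable road-warrior setup.

```conf
connections {
    ios {
        version = 2
        pools = ios_pool
        local {
            # Identity the server presents; must equal the iOS "Remote ID".
            # The client sends it as IDr, and charon matches it against local.id.
            id = foobar
            auth = psk
        }
        remote {
            # No id here: with an empty Local ID the iOS client uses its
            # (NATed, unpredictable) IP address as IDi, so any identity is accepted.
            auth = psk
        }
        children {
            ios {
                # Assumed: route all client traffic through the tunnel.
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8
    }
}

secrets {
    ike-ios {
        # Assumed: bind the PSK to the server identity. Without any id the
        # secret applies to every peer, which also works but is less explicit.
        id-1 = foobar
        secret = abc
    }
}
```

Reload with `swanctl --load-all` and check `swanctl --list-conns`; the `local:` line should show `foobar` and the `remote:` line should show `%any`.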