[strongSwan] Users Digest, Vol 96, Issue 2

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jan 3 14:41:05 CET 2018


It's not.

Local and remote authentication always default to pubkey. Specifying PSK authentication for one side does not imply that the other side does the same.

On 03.01.2018 06:00, Glen Huang wrote:
> Thanks for the help and happy new year.
>
> IIUC, ipsec.conf is used by starter, but I execute charon directly and then use swanctl to load swanctl.conf. So I’m not sure if ipsec.conf is relevant here. The secret is specified in swanctl.conf already, I’m also not sure if ipsec.secret is consulted since it’s also only used by starter.
>
> Regards
> Glen
>
>> On 3 Jan 2018, at 10:23 AM, Quaker <bigboyq at gmail.com> wrote:
>>
>> 1. peer config is related to ipsec.conf
>> 2. As your log shows, AUTH_FAILED might also be caused by ipsec.conf; when you have finished ipsec.conf, you should configure ipsec.secret as well
>>
>>
>> Regards
>> Quaker
>>
>> On Tue, Jan 2, 2018 at 7:00 PM, <users-request at lists.strongswan.org> wrote:
>>
>>     Today's Topics:
>>
>>        1. Help needed for a basic swanctl config (Glen Huang)
>>
>>
>>     ----------------------------------------------------------------------
>>
>>     Message: 1
>>     Date: Tue, 2 Jan 2018 18:54:27 +0800
>>     From: Glen Huang <heyhgl at gmail.com>
>>     To: users at lists.strongswan.org
>>     Subject: [strongSwan] Help needed for a basic swanctl config
>>     Message-ID: <BC3FDE8E-B7AB-48EC-8C56-320F42C71661 at gmail.com>
>>     Content-Type: text/plain;       charset=utf-8
>>
>>     Hi,
>>
>>     I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>>
>>     I have this very simple config:
>>
>>     connections {
>>         ios {
>>             version = 2
>>             pools = ios_pool
>>             remote {
>>                 id = foobar
>>                 auth = psk
>>             }
>>         }
>>     }
>>
>>     pools {
>>        ios_pool {
>>           addrs = 192.168.37.0/24
>>           dns = 8.8.8.8
>>        }
>>     }
>>
>>     secrets {
>>        ike-ios {
>>           secret = abc
>>        }
>>     }
>>
>>     But when I connect from an iOS client using the following connection settings:
>>
>>     Remote ID: foobar
>>     Local ID: [empty]
>>     Authentication Settings: None
>>     Shared Secret: abc
>>
>>     It fails to connect, and the log shows that it fails at a pretty early stage:
>>
>>     12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>>     12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>     12[IKE] 2.2.2.2 is initiating an IKE_SA
>>     12[IKE] remote host is behind NAT
>>     12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
>>     12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
>>     12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>>     15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
>>     15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
>>     15[IKE] received retransmit of request with ID 0, retransmitting response
>>     15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
>>     05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
>>     05[ENC] unknown attribute type (25)
>>     05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
>>     05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
>>     05[CFG] no matching peer config found
>>     05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>>     05[IKE] peer supports MOBIKE
>>     05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>     05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>>
>>     I’m trying to get a firm grasp of strongSwan (I have some basic understanding of IKEv2 & IPsec), so a few questions:
>>
>>     1. What constitutes a "peer config" in swanctl.conf?
>>     2. Is the AUTH_FAILED message caused by a secret mismatch, by not finding a connection setting, or by something else?
>>     3. How do I find out from the logs what kind of auth request the client sent? The iOS client offers quite a few authentication settings, and I’d like to learn how charon sees them in order to provide the corresponding settings in swanctl.conf
>>
>>     Thanks in advance.
>>
>>
>
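To make the two points in this thread concrete (local authentication is configured independently of remote authentication and defaults to pubkey, and charon matches `remote.id` against the identity the peer *sends*, which the posted lookup line shows as `192.168.1.251`, not the `foobar` the client expects from the server), here is a small configuration checker. It is an added example for this list archive, not strongSwan code; the parser only handles the one-token-per-line swanctl.conf subset used in the post, the "as posted" and "corrected" configurations are constructed from the thread, and the log-line format `<local addr>[<IDr>]...<remote addr>[<IDi>]` is taken from the posted `looking for peer configs matching` line.

```python
import re

# Constructed sample: the connection from the original post, as posted
BROKEN_CONF = """
connections {
    ios {
        version = 2
        pools = ios_pool
        remote {
            id = foobar
            auth = psk
        }
    }
}
"""

# Constructed sample: the same connection with local authentication stated
# explicitly and the identity moved to the side that actually asserts it
FIXED_CONF = """
connections {
    ios {
        version = 2
        pools = ios_pool
        local {
            id = foobar
            auth = psk
        }
        remote {
            auth = psk
        }
    }
}
"""

# The peer-config lookup line from the posted log, printed by charon as
# <local addr>[<IDr>]...<remote addr>[<IDi>]
LOOKUP_LINE = ("05[CFG] looking for peer configs matching "
               "1.1.1.1[foobar]...2.2.2.2[192.168.1.251]")

LOOKUP_RE = re.compile(
    r"looking for peer configs matching (\S+)\[(.*?)\]\.\.\.(\S+)\[(.*?)\]")


def parse_swanctl(text):
    """Parse swanctl.conf-style text (`key = value` lines and `name { ... }`
    sections, one token per line, '#' comments) into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            section = {}
            stack[-1][line[:-1].strip()] = section
            stack.append(section)
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def audit(conf_text, lookup_line):
    """Return the reasons the peer-config lookup in `lookup_line` would not be
    satisfied by `conf_text`; an empty list means nothing was found."""
    conf = parse_swanctl(conf_text)
    match = LOOKUP_RE.search(lookup_line)
    if not match:
        raise ValueError("not a peer-config lookup line")
    _local_addr, idr, _remote_addr, idi = match.groups()
    findings = []
    for name, conn in conf.get("connections", {}).items():
        local = conn.get("local", {})
        remote = conn.get("remote", {})
        # local.auth is independent of remote.auth and defaults to pubkey
        if remote.get("auth") == "psk" and "auth" not in local:
            findings.append(
                f"{name}: remote.auth = psk but local.auth is unset (defaults to pubkey)")
        # remote.id is matched against the identity the peer sends (IDi),
        # local.id against the identity the peer expects from us (IDr)
        if "id" in remote and remote["id"] != idi:
            findings.append(
                f"{name}: remote.id '{remote['id']}' does not match the peer's IDi '{idi}'")
        if "id" in local and local["id"] != idr:
            findings.append(
                f"{name}: local.id '{local['id']}' does not match the requested IDr '{idr}'")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", BROKEN_CONF), ("corrected", FIXED_CONF)):
        print(f"{label}:")
        for finding in audit(conf, LOOKUP_LINE) or ["no problems found"]:
            print("  " + finding)
```

Running it prints two findings for the posted configuration (the implicit pubkey on the local side and the `remote.id` that can never match the client's IDi) and none for the corrected one. The checker deliberately does not judge the iOS client's own settings; it only reports what charon would have to see in swanctl.conf for the lookup line in the log to succeed.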
