[strongSwan] Having Trouble with Macbook VPN Configuration

Ian McLauchlan ianmac at miton.co.uk
Wed May 15 11:35:59 CEST 2019


I have set up strongSwan successfully to allow IKEv2 access from a 
Windows 10 client.

I also need to allow Macbook users native IKEv2 access, but I have run 
into a problem. The Macbook attempts a connection, fails, and displays 
'VPN Connection - An unexpected error occurred'. It is a bit cryptic; 
there are no errors reported in the Macbook logs.

I am using IKEv2-EAP-MSCHAPv2 authentication. This works fine on the 
Windows 10 client. So, it seems there is a discrepancy between the 
Windows 10 and Mac configuration. I am having trouble pin-pointing it.

The VPN connects to a limited IP address range on my private LAN.

I have tried various ike/esp variations from advice pages. I have now, 
for the purposes of testing the connection, allowed all - the link still 

Here is my configuration:


CentOS release 6.10 (Final)

strongSwan swanctl 5.4.0


macOS Mojave Ver 10.14.4


Macbook is behind a NAT with a fixed IP address. Rule allows all from 
the Macbook NAT.

# strongswan.conf - strongSwan configuration file
# Refer to the strongswan.conf(5) manpage for details
# Configuration changes should be made in the included files
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}
libstrongswan {
        plugins {
                openssl {
                        fips_mode = 0
                }
        }
}
include strongswan.d/*.conf

config setup
         # strictcrlpolicy=yes
         # uniqueids = no
         charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
conn %default

# Test Config 1
#       ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
#       esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!

# Test Config 2
#       ike=aes256-aes192-aes128-3des-sha384-sha256-sha1-modp3072-modp2048-modp1536-modp1024!
#       esp=aes256-aes192-aes128-3des-sha384-sha256-sha1!

# Test Config 3
#       ike=aes256-sha1-modp1024,aes128-sha1-modp1024! # Win7 is aes256, sha-1, modp1024; iOS is aes256, sha-256, modp1024; OS X is 3DES, sha-1, 
#       esp=aes256-sha256,aes256-sha1,aes128-sha1! # Win 7 is aes256-sha1, iOS is aes256-sha256, OS X is 3des-sha1

# Test Config 4 - No restriction - Still failing


conn IPSec-IKEv2-EAP

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA mitondcVPNServerKey.der
abcdef : EAP "pppppppppppppppp"

Test traces:

*StrongSwan Server Tcpdump*
[root at miton-strongswan ~]# tcpdump -s 0 -n -i eth0 'esp or udp and (port 500 or port 4500)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:50:05.910826 IP 92.27.xxx.xxx.isakmp > 87.238.yyy.yyy.isakmp: isakmp: parent_sa ikev2_init[I]
08:50:05.982896 IP 87.238.yyy.yyy.isakmp > 92.27.xxx.xxxx.isakmp: isakmp: parent_sa ikev2_init[R]
08:50:06.016609 IP 92.27.xxx.xxx.ipsec-nat-t > 87.238.yyy.yyy.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
08:50:06.028581 IP 87.238.yyy.yyy.ipsec-nat-t > 92.27.xxx.xxx.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
*StrongSwan Server Swanctl*

[root at miton-strongswan ~]# swanctl -T
04[NET] received packet: from 92.27.xxx.xxx[500] to 87.238.yyy.yyy[500] (604 bytes)
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) 
04[IKE] 92.27.xxx.xxx is initiating an IKE_SA
04[IKE] remote host is behind NAT
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) 
04[NET] sending packet: from 87.238.yyy.yyy[500] to 92.27.xxx.xxx[500] (440 bytes)
05[NET] received packet: from 92.27.xxx.xxx[4500] to 87.238.yyy.yyy[4500] (512 bytes)
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) 
05[CFG] looking for peer configs matching 
05[CFG] selected peer config 'IPSec-IKEv2-EAP'
05[IKE] initiating EAP_IDENTITY method (id 0x00)
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[IKE] authentication of 'miton2.miton.co.uk' (myself) with RSA signature successful
05[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
05[NET] sending packet: from 87.238.yyy.yyy[4500] to 92.27.xxx.xxx[4500] (368 bytes)
04[JOB] deleting half open IKE_SA after timeout
04[JOB] deleting half open IKE_SA after timeout

*Tcpdump Macbook-Pro*

Ians-MacBook-Pro:~ ianmac$ sudo tcpdump -s 0 -n -i en0 'esp or udp and (port 500 or port 4500)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:50:05.904121 IP > 87.238.yyy.yyy.500: isakmp: parent_sa ikev2_init[I]
08:50:05.990893 IP 87.238.yyy.yyy.500 > isakmp: parent_sa ikev2_init[R]
08:50:06.009888 IP > 87.238.yyy.yyy.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
08:50:06.036478 IP 87.238.yyy.yyy.4500 > NONESP-encap: isakmp: child_sa  ikev2_auth[R]

I think it looks like the Macbook is unhappy with the ikev2_auth[R] 
response from the miton-strongswan server?

Can anyone give me any pointers?

Best regards,

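To make the stall in a trace like the one above visible mechanically, here is an added example (my own code, not from the poster or the strongSwan project) that walks a charon log through the responder-side milestones of an IKEv2 EAP handshake and reports after which milestone the peer went silent. The milestone strings beyond those quoted in the post, and the cause hints, are assumptions based on typical strongSwan log output.

```python
import re
# Constructed sample: the swanctl -T trace quoted in the post, trimmed (addresses redacted as there).
SAMPLE_TRACE = """\
04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) ]
04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) ]
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) ]
05[CFG] selected peer config 'IPSec-IKEv2-EAP'
05[IKE] authentication of 'miton2.miton.co.uk' (myself) with RSA signature successful
05[ENC] generating IKE_AUTH response 1 [ IDr AUTH EAP/REQ/ID ]
04[JOB] deleting half open IKE_SA after timeout
"""

# Responder-side milestones of an IKEv2 EAP handshake, in the order charon logs them.
MILESTONES = [
    ("IKE_SA_INIT request received", r"parsed IKE_SA_INIT request"),
    ("IKE_SA_INIT response sent", r"generating IKE_SA_INIT response"),
    ("first IKE_AUTH request received", r"parsed IKE_AUTH request \d+ \[ IDi"),
    ("server AUTH plus EAP identity request sent", r"generating IKE_AUTH response \d+ \[.*EAP/REQ/ID"),
    ("client answered EAP identity", r"parsed IKE_AUTH request \d+ \[.*EAP/RES/ID"),
    ("EAP method succeeded", r"EAP method \S+ succeeded"),
    ("IKE_SA established", r"IKE_SA .* established between"),
]
TIMEOUT = "deleting half open IKE_SA after timeout"

# Likely cause when the peer goes silent right after a milestone (assumed common cases, not from the post).
HINTS = {
    3: "the client got IDr/AUTH and the EAP identity request but never replied; an IKEv2 client "
       "checks the server certificate and identity before starting EAP, so verify CA trust, "
       "SAN/remote identity match and server certificate usage on the client",
    4: "the client answered the identity but not the EAP challenge; check the EAP secret",
}

def diagnose(trace):
    """Return (index of the last milestone seen, whether charon then timed out)."""
    reached, timed_out = -1, False
    for line in trace.splitlines():
        for i, (_, pattern) in enumerate(MILESTONES):
            if re.search(pattern, line):
                reached = max(reached, i)
        timed_out = timed_out or TIMEOUT in line
    return reached, timed_out

def explain(trace):
    """One-line verdict: where the exchange stopped and, on a timeout, the likely cause."""
    reached, timed_out = diagnose(trace)
    if reached < 0:
        return "no IKEv2 activity found"
    verdict = ("stalled after: " if timed_out else "last milestone: ") + MILESTONES[reached][0]
    return verdict + ("; " + HINTS[reached] if timed_out and reached in HINTS else "")
```

Run `explain(SAMPLE_TRACE)` on the trace from the post and it reports the stall right after the server's IDr/AUTH/EAP identity request, which is the point where the client validates the server before answering.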
