[strongSwan] IOS connection only working over ipv6
Lewis Robson
robsonl at conscious.co.uk
Mon Jul 4 16:01:09 CEST 2022
Hello all,
I am having issues under certain conditions with iOS devices not
correctly connecting into my IPsec solution.
My full setup consists of two parts:
An Android connection using the strongSwan application, which works as
expected: the device connects and the server / client can ping each other.
The device can fully access the server's listening ports and the solution
works.
An iPhone connection which connects and works on mobile data that is
only provided an IPv6 address; however, it does not work on IPv4 addresses,
including the same network that the Android solution works on.
iPhone 11, software version: 15.5
In addition to this, and worth a mention in case it's related:
when attempting a connection from a MacBook (Monterey 12.3.1), the device
connects and gets assigned an IP, and the server can then ping the device
and receive a response; however, the device can't ping the server
directly or connect to any of the ports. We don't require the Mac to
be a part of the final solution currently, so this isn't an issue, however
maybe this is a clue?
I believe it is likely I am missing a policy rule in one of the
strongSwan config files, because the Android device works without issue
and the iPhone works over mobile data with only an IPv6 address (the
provider using NAT64 to translate to IPv4).
The ipsec.conf is as follows:
config setup
    charondebug="all"
    uniqueids=no

conn android
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@cerberus.conscious.co.uk
    leftcert=cerberus.conscious.co.uk.crt
    leftsendcert=always
    leftsubnet=156.67.0.0/16
    right=%any
    rightid=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/16
    rightdns=10.1.0.50,8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

conn apple
    inactivity=6000
    dpdtimeout=6000s
    dpddelay=30
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@cerberus.conscious.co.uk
    leftcert=cerberus.conscious.co.uk.crt
    leftsendcert=always
    leftsubnet=156.67.0.0/16
    right=%any
    rightid=%any
    rightauth=eap-tls  # pubkey didn't work so using eap-tls
    rightsourceip=10.10.10.0/24
    rightdns=10,1,0,50,8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
Here are the last few lines from the logs when a connection is attempted
from the iPhone over Wi-Fi / with an IPv4 address.
Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TLS ]
Jul 4 14:22:43 cerberus charon[3945804]: 05[IKE] EAP method EAP_TLS succeeded, MSK established
Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] generating IKE_AUTH response 9 [ EAP/SUCC ]
Jul 4 14:22:43 cerberus charon[3945804]: 05[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] received packet: from clients-ip[4500] to external-ip[4500] (92 bytes)
Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] parsed IKE_AUTH request 10 [ AUTH ]
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'user at conscious.co.uk' with EAP successful
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'cerberus.conscious.co.uk' (myself) with EAP
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[user at conscious.co.uk]
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any
Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] reassigning offline lease to 'user at conscious.co.uk'
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] assigning virtual IP 10.10.10.1 to peer 'user at conscious.co.uk'
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any6
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] no virtual IP found for %any6 requested by 'user at conscious.co.uk'
Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32
Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] received packet: from clients-ip[4500] to external-ip[4500] (76 bytes)
Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] parsed INFORMATIONAL request 11 [ D ]
Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] received DELETE for IKE_SA apple[4]
Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] deleting IKE_SA apple[4] between external-ip[cerberus.conscious.co.uk]...clients-ip[andy at conscious.co.uk]
Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] IKE_SA deleted
Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] generating INFORMATIONAL response 11 [ ]
Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
Jul 4 14:23:29 cerberus charon[3945804]: 01[CFG] lease 10.10.10.1 by 'user at conscious.co.uk' went offline
==> /var/log/secure <==
Jul 4 14:22:43 cerberus charon[3945804]: 15[IKE] clients-ip is initiating an IKE_SA
Jul 4 14:22:43 cerberus charon[3945804]: 06[IKE] clients-ip is initiating an IKE_SA
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[user at conscious.co.uk]
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32
Does anyone have any thoughts and / or suggestions as to what I could be
missing, or guidance on where to look to fix this?
Thank you
--
Lewis Robson
Systems Administrator
Conscious Solutions Limited
Tel: 0117 325 0200
Web: https://www.conscious.co.uk
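An added config-review helper, written for this archive page and not part of the original post or of strongSwan, that parses an ipsec.conf excerpt and reports the things a reviewer would check in the configuration above before chasing the client: rightdns entries that are not IP addresses, a key set twice in one conn, a rightsourceip whose host bits are set, and pools that overlap between conns. The embedded excerpt is constructed from the values quoted in the post; the parser assumes a '#' starts a comment anywhere on a line, and the thread does not establish which, if any, of these findings explains the iPhone behaviour.

```python
import ipaddress
from collections import Counter, defaultdict
from itertools import combinations

# Constructed excerpt mirroring the two conns quoted above (not the full file).
SAMPLE_CONF = """\
conn android
    rightsourceip=10.10.10.0/16
    rightdns=10.1.0.50,8.8.8.8,8.8.4.4
conn apple
    dpddelay = 30
    dpddelay=300s
    rightsourceip=10.10.10.0/24
    rightdns=10,1,0,50,8.8.8.8,8.8.4.4
"""

def parse_ipsec_conf(text):
    """Map each 'conn NAME' / 'config NAME' to its (key, value) pairs; duplicates are kept."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment anywhere
        if line.startswith(("conn ", "config ", "ca ")):
            current = " ".join(line.split())
        elif current and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            sections[current].append((key, val))
    return sections

def lint(sections):
    """Reviewer findings: non-IP rightdns entries, keys set twice, misaligned or overlapping pools."""
    findings, pools = [], {}
    for name, items in sections.items():
        for key, val in items:
            if key == "rightdns":
                for entry in val.split(","):
                    try:
                        ipaddress.ip_address(entry)
                    except ValueError:
                        findings.append(f"{name}: rightdns entry {entry!r} is not an IP address")
            elif key == "rightsourceip":
                net = ipaddress.ip_network(val, strict=False)
                if str(net) != val:  # host bits set: the pool handed out is wider than it looks
                    findings.append(f"{name}: rightsourceip {val} has host bits set, pool is {net}")
                pools[name] = net
        findings += [f"{name}: {k} is set {n} times" for k, n in Counter(k for k, _ in items).items() if n > 1]
    for a, b in combinations(sorted(pools), 2):
        if pools[a].overlaps(pools[b]):
            findings.append(f"{a} and {b}: rightsourceip pools {pools[a]} and {pools[b]} overlap")
    return findings
```

Running `lint(parse_ipsec_conf(SAMPLE_CONF))` on the excerpt reports the four non-IP rightdns entries in conn apple, the doubled dpddelay, the /16 pool that really starts at 10.10.0.0, and the overlap between the two pools.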