[strongSwan] iphone-to-strongswan configuration - working example.

Kamil Jońca kjonca at o2.pl
Tue Jun 21 06:30:15 CEST 2022


Hello.
I tried to use my old iphone with strongswan.
I created profile [1]
installed on iphone and tried to connect:
But on the iPhone I got "User Authentication failed" and I do not know how to
debug this. Any hints?


From the strongSwan side everything seems to be OK.

2022-06-21T06:19:06.545474+02:00 alfa charon-systemd: 12[NET] received packet: from 5.172.255.70[4651] to 192.168.22.200[500] (432 bytes)
2022-06-21T06:19:06.546008+02:00 alfa charon-systemd: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
2022-06-21T06:19:06.546483+02:00 alfa charon-systemd: 12[IKE] 5.172.255.70 is initiating an IKE_SA
2022-06-21T06:19:06.546818+02:00 alfa charon-systemd: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
2022-06-21T06:19:06.552315+02:00 alfa charon-systemd: 12[IKE] local host is behind NAT, sending keep alives
2022-06-21T06:19:06.552676+02:00 alfa charon-systemd: 12[IKE] remote host is behind NAT
2022-06-21T06:19:06.562881+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=kjonca.kjonca, OU=ipsec, CN=openswan--kjonca.kjonca"
2022-06-21T06:19:06.563275+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-client-ca"
2022-06-21T06:19:06.563724+02:00 alfa charon-systemd: 12[IKE] sending cert request for "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-ca"
2022-06-21T06:19:06.564174+02:00 alfa charon-systemd: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
2022-06-21T06:19:06.564382+02:00 alfa charon-systemd: 12[NET] sending packet: from 192.168.22.200[500] to 5.172.255.70[4651] (521 bytes)
2022-06-21T06:19:06.825283+02:00 alfa charon-systemd: 11[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.825839+02:00 alfa charon-systemd: 11[ENC] parsed IKE_AUTH request 1 [ EF(1/7) ]
2022-06-21T06:19:06.826287+02:00 alfa charon-systemd: 11[ENC] received fragment #1 of 7, waiting for complete IKE message
2022-06-21T06:19:06.826730+02:00 alfa charon-systemd: 13[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.827181+02:00 alfa charon-systemd: 13[ENC] parsed IKE_AUTH request 1 [ EF(2/7) ]
2022-06-21T06:19:06.827660+02:00 alfa charon-systemd: 13[ENC] received fragment #2 of 7, waiting for complete IKE message
2022-06-21T06:19:06.828198+02:00 alfa charon-systemd: 14[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.828666+02:00 alfa charon-systemd: 14[ENC] parsed IKE_AUTH request 1 [ EF(3/7) ]
2022-06-21T06:19:06.829262+02:00 alfa charon-systemd: 14[ENC] received fragment #3 of 7, waiting for complete IKE message
2022-06-21T06:19:06.829817+02:00 alfa charon-systemd: 09[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.830394+02:00 alfa charon-systemd: 09[ENC] parsed IKE_AUTH request 1 [ EF(4/7) ]
2022-06-21T06:19:06.831010+02:00 alfa charon-systemd: 09[ENC] received fragment #4 of 7, waiting for complete IKE message
2022-06-21T06:19:06.831574+02:00 alfa charon-systemd: 07[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.832188+02:00 alfa charon-systemd: 07[ENC] parsed IKE_AUTH request 1 [ EF(5/7) ]
2022-06-21T06:19:06.832697+02:00 alfa charon-systemd: 07[ENC] received fragment #5 of 7, waiting for complete IKE message
2022-06-21T06:19:06.833227+02:00 alfa charon-systemd: 05[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (532 bytes)
2022-06-21T06:19:06.833731+02:00 alfa charon-systemd: 05[ENC] parsed IKE_AUTH request 1 [ EF(6/7) ]
2022-06-21T06:19:06.834266+02:00 alfa charon-systemd: 05[ENC] received fragment #6 of 7, waiting for complete IKE message
2022-06-21T06:19:06.834804+02:00 alfa charon-systemd: 06[NET] received packet: from 5.172.255.70[4646] to 192.168.22.200[4500] (148 bytes)
2022-06-21T06:19:06.835059+02:00 alfa charon-systemd: 06[ENC] parsed IKE_AUTH request 1 [ EF(7/7) ]
2022-06-21T06:19:06.835318+02:00 alfa charon-systemd: 06[ENC] received fragment #7 of 7, reassembled fragmented IKE message (2912 bytes)
2022-06-21T06:19:06.835581+02:00 alfa charon-systemd: 06[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
2022-06-21T06:19:06.835861+02:00 alfa charon-systemd: 06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
2022-06-21T06:19:06.836124+02:00 alfa charon-systemd: 06[IKE] received end entity cert "C=PL, ST=Mazowieckie, O=alfa, OU=ipsec, OU=Iphone 8, CN=jaszczurka"
2022-06-21T06:19:06.836370+02:00 alfa charon-systemd: 06[CFG] looking for peer configs matching 192.168.22.200[my-server.hopto.org]...5.172.255.70[jaszczurka.kjonca]
2022-06-21T06:19:06.836613+02:00 alfa charon-systemd: 06[CFG] selected peer config 'rw-dhcp'
2022-06-21T06:19:06.836894+02:00 alfa charon-systemd: 06[CFG]   using certificate "C=PL, ST=Mazowieckie, O=alfa, OU=ipsec, OU=Iphone 8, CN=jaszczurka"
2022-06-21T06:19:06.837151+02:00 alfa charon-systemd: 06[CFG]   using trusted ca certificate "C=PL, ST=Mazowieckie, L=Warszawa, O=alfa, OU=ipsec, CN=alfa-ipsec-ca"
2022-06-21T06:19:06.837416+02:00 alfa charon-systemd: 06[CFG] checking certificate status of "C=PL, ST=Mazowieckie, O=alfa, OU=ipsec, OU=Iphone 8, CN=jaszczurka"
2022-06-21T06:19:06.837669+02:00 alfa charon-systemd: 06[CFG] certificate status is not available
2022-06-21T06:19:06.837924+02:00 alfa charon-systemd: 06[CFG]   reached self-signed root ca with a path length of 0
2022-06-21T06:19:06.838168+02:00 alfa charon-systemd: 06[IKE] authentication of 'jaszczurka.kjonca' with RSA signature successful
2022-06-21T06:19:06.838408+02:00 alfa charon-systemd: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
2022-06-21T06:19:06.838638+02:00 alfa charon-systemd: 06[IKE] peer supports MOBIKE
2022-06-21T06:19:06.838883+02:00 alfa charon-systemd: 06[IKE] authentication of 'my-server.hopto.org' (myself) with RSA signature successful
2022-06-21T06:19:06.839134+02:00 alfa charon-systemd: 06[IKE] destroying duplicate IKE_SA for peer 'jaszczurka.kjonca', received INITIAL_CONTACT
2022-06-21T06:19:06.850410+02:00 alfa charon-systemd: 06[CFG] sending DHCP RELEASE for 192.168.22.245 to 192.168.22.200
2022-06-21T06:19:06.850912+02:00 alfa charon-systemd: 06[IKE] IKE_SA rw-dhcp[8] established between 192.168.22.200[my-server.hopto.org]...5.172.255.70[jaszczurka.kjonca]
2022-06-21T06:19:06.851392+02:00 alfa charon-systemd: 06[IKE] scheduling rekeying in 13134s
2022-06-21T06:19:06.851879+02:00 alfa charon-systemd: 06[IKE] maximum IKE_SA lifetime 14574s
2022-06-21T06:19:06.852112+02:00 alfa charon-systemd: 06[IKE] peer requested virtual IP %any
2022-06-21T06:19:06.852325+02:00 alfa charon-systemd: 06[CFG] sending DHCP DISCOVER for 7a:a7:b1:87:2e:dd to 192.168.22.200
2022-06-21T06:19:06.852555+02:00 alfa charon-systemd: 06[CFG] received DHCP OFFER 192.168.22.245 from 192.168.22.200
2022-06-21T06:19:06.853021+02:00 alfa charon-systemd: 06[CFG] sending DHCP REQUEST for 192.168.22.245 to 192.168.22.200
2022-06-21T06:19:06.853927+02:00 alfa charon-systemd: 06[CFG] received DHCP ACK for 192.168.22.245
2022-06-21T06:19:06.854243+02:00 alfa charon-systemd: 06[IKE] assigning virtual IP 192.168.22.245 to peer 'jaszczurka.kjonca'
2022-06-21T06:19:06.854648+02:00 alfa charon-systemd: 06[IKE] peer requested virtual IP %any6
2022-06-21T06:19:06.855138+02:00 alfa charon-systemd: 06[IKE] no virtual IP found for %any6 requested by 'jaszczurka.kjonca'
2022-06-21T06:19:06.855467+02:00 alfa charon-systemd: 06[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2022-06-21T06:19:06.855691+02:00 alfa charon-systemd: 06[IKE] CHILD_SA net-alfa-server{7} established with SPIs c342fbc2_i 02a72a68_o and TS 192.168.22.0/24 === 192.168.22.245/32
2022-06-21T06:19:06.877474+02:00 alfa charon-systemd: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
2022-06-21T06:19:06.877930+02:00 alfa charon-systemd: 06[NET] sending packet: from 192.168.22.200[4500] to 5.172.255.70[4646] (400 bytes)


Below is the (slightly redacted) profile:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>Password</key>
			<string>.......</string>
			<key>PayloadCertificateFileName</key>
			<string>jaszczurka.p12</string>
			<key>PayloadContent</key>
			<data>
[...]
</data>
			<key>PayloadDescription</key>
			<string>Adds a PKCS#12-formatted certificate</string>
			<key>PayloadDisplayName</key>
			<string>jaszczurka.p12</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.pkcs12.9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string>
			<key>PayloadType</key>
			<string>com.apple.security.pkcs12</string>
			<key>PayloadUUID</key>
			<string>9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>ca-ipsec-server.crt</string>
			<key>PayloadContent</key>
			<data>
[...]
</data>
			<key>PayloadDescription</key>
			<string>Adds a CA root certificate</string>
			<key>PayloadDisplayName</key>
			<string>alfa-ipsec-server-ca</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.root.54701D3C-F0CB-11EC-A9E3-CB16CA9A3C74</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>54701D3C-F0CB-11EC-A9E3-CB16CA9A3C74</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
			<key>PayloadCertificateFileName</key>
			<string>ca-ipsec-client.crt</string>
			<key>PayloadContent</key>
			<data>
[....]
</data>
			<key>PayloadDescription</key>
			<string>Adds a CA root certificate</string>
			<key>PayloadDisplayName</key>
			<string>alfa-ipsec-client-ca</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.security.root.0ECA6B37-3D06-4AA0-999C-0B85E4417F88</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>0ECA6B37-3D06-4AA0-999C-0B85E4417F88</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
		<dict>
		  <!-- This is an extension of the identifier given above -->
		  <key>PayloadIdentifier</key>
		  <string>jaszczurka.kjonca</string>
		  <!-- A globally unique identifier for this payload -->
		  <key>PayloadUUID</key>
		  <string>e0a61906-f0c0-11ec-80b1-63d2f53e7b05</string>
		  <key>PayloadType</key>
		  <string>com.apple.vpn.managed</string>
		  <key>PayloadVersion</key>
		  <integer>1</integer>
		  <!-- This is the name of the VPN connection as seen in the VPN application later -->
		  <key>UserDefinedName</key>
		  <string>my-server.hopto.org</string>
		  <key>VPNType</key>
		  <string>IKEv2</string>
		  <key>IKEv2</key>
		  <dict>
			<!-- Hostname or IP address of the VPN server -->
			<key>RemoteAddress</key>
			<string>my-server.hopto.org</string>
			<!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty.
             IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN -->
			<key>RemoteIdentifier</key>
			<string>my-server.hopto.org</string>
			<!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used -->
			<key>LocalIdentifier</key>
			<string>jaszczurka.kjonca</string>
			<key>PayloadCertificateUUID</key>
			<string>9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string>
			<!-- Optional, compared against the CN of the server's certificate; it must match the server's identity (RemoteIdentifier).
				 NOTE: the client only sends a certificate request when ServerCertificateIssuerCommonName (the CN of the CA that issued
				 the server certificate) is also configured. If that is not configured make sure to configure leftsendcert=always
				 on the server, otherwise it won't send its certificate -->
			<key>ServerCertificateCommonName</key>
			<string>my-server.hopto.org</string>
			<!-- The server is authenticated using a certificate -->
			<key>AuthenticationMethod</key>
			<string>Certificate</string>
			<!-- No ExtendedAuthEnabled/AuthName here, so the client authenticates with the certificate referenced by
				 PayloadCertificateUUID above rather than with EAP -->
		  </dict>
		</dict>
  	  </array>
	<key>PayloadDisplayName</key>
	<string>alfa</string>
	<key>PayloadIdentifier</key>
	<string>KAMJON.12E5D94D-BB3A-4936-9D6D-37557FC1D9F1</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>C8E29C14-A468-4237-A8B6-BFA43924CEA6</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

-- 
http://stopstopnop.pl/stop_stopnop.pl_o_nas.html
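An added diagnostic, not part of the original post and not strongSwan or Apple code. In the log above neither of the client's messages (IKE_SA_INIT request, IKE_AUTH request) carries a CERTREQ, and the server's IKE_AUTH response lists no CERT payload; the profile's own comment warns that without a certificate request the server needs leftsendcert=always, or the iPhone never receives the certificate it needs to verify the server's AUTH signature. The script below reads charon payload summaries and the profile and flags exactly that mismatch. It assumes strongSwan's default leftsendcert=ifasked behaviour (certificate sent only after a CERTREQ), Apple's ServerCertificateIssuerCommonName key, and that ServerCertificateCommonName normally equals RemoteIdentifier; the log lines and the cut-down profile embedded in it are constructed from the ones above (timestamps and certificate data dropped).

```python
import re
import plistlib

# Constructed sample: the payload summaries from the charon-systemd log above
# (timestamps dropped), plus one fragment line to show that it is ignored.
LOG = """\
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
11[ENC] parsed IKE_AUTH request 1 [ EF(1/7) ]
06[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) IDr AUTH CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
06[IKE] authentication of 'my-server.hopto.org' (myself) with RSA signature successful
06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
"""

MSG_RE = re.compile(r"\[ENC\] (?P<dir>parsed|generating) (?P<exch>IKE_SA_INIT|IKE_AUTH) "
                    r"(?P<kind>request|response) \d+ \[ (?P<payloads>.*?) \]")
TOKEN_RE = re.compile(r"[A-Za-z0-9_]+(?:\([^)]*\))?")   # e.g. N(FRAG_SUP), CPRQ(ADDR DNS)


def parse_messages(log):
    """Return (exchange, kind, payload-name set) for every complete IKE message."""
    msgs = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        names = {tok.split("(")[0] for tok in TOKEN_RE.findall(m.group("payloads"))}
        if names == {"EF"}:          # encrypted fragment, not a reassembled message
            continue
        msgs.append((m.group("exch"), m.group("kind"), names))
    return msgs


def check_server_cert_delivery(log):
    """Flag a responder that signs its AUTH payload but never ships its certificate."""
    msgs = parse_messages(log)
    # The server is the responder here, so 'request' messages come from the iPhone.
    client_certreq = any(k == "request" and "CERTREQ" in p for _, k, p in msgs)
    auth_resp = [p for e, k, p in msgs if e == "IKE_AUTH" and k == "response"]
    findings = []
    if not client_certreq:
        findings.append("client sent no CERTREQ (iOS only sends one when "
                        "ServerCertificateIssuerCommonName is set in the profile)")
    if auth_resp and not any("CERT" in p for p in auth_resp):
        findings.append("IKE_AUTH response carries no CERT payload: with the default "
                        "leftsendcert=ifasked the server only sends it after a CERTREQ; "
                        "set leftsendcert=always or configure the issuer CN on the client")
    return findings


# Constructed, cut-down copy of the profile above: only the keys this check reads.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key><string>9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string></dict>
<dict><key>PayloadType</key><string>com.apple.vpn.managed</string>
<key>IKEv2</key><dict>
<key>RemoteIdentifier</key><string>my-server.hopto.org</string>
<key>ServerCertificateCommonName</key><string>my-server.hopto.org</string>
<key>PayloadCertificateUUID</key><string>9DDAE0AF-CBB3-43E1-8324-AEAF242CC195</string>
<key>AuthenticationMethod</key><string>Certificate</string>
</dict></dict></array></dict></plist>
"""


def check_profile(plist_bytes):
    """Cross-check the IKEv2 payload against the certificate payloads it relies on."""
    payloads = plistlib.loads(plist_bytes)["PayloadContent"]
    pkcs12 = {p["PayloadUUID"] for p in payloads
              if p.get("PayloadType") == "com.apple.security.pkcs12"}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ike = p.get("IKEv2", {})
        if ike.get("PayloadCertificateUUID") not in pkcs12:
            findings.append("PayloadCertificateUUID does not name a pkcs12 payload")
        cn = ike.get("ServerCertificateCommonName")
        if cn and cn != ike.get("RemoteIdentifier"):
            findings.append("ServerCertificateCommonName differs from RemoteIdentifier "
                            "(assumed to be the same name in this setup)")
        if "ServerCertificateIssuerCommonName" not in ike:
            findings.append("no ServerCertificateIssuerCommonName: client will not send a "
                            "CERTREQ, so the server needs leftsendcert=always")
    return findings


if __name__ == "__main__":
    for finding in check_server_cert_delivery(LOG) + check_profile(PROFILE):
        print("-", finding)
```

Run against a real charon log, the check only needs the `[ENC] parsed/generating ... [ ... ]` summary lines, so the default log level suffices; the two fixes it points at are independent, and either one (a CERT payload in the IKE_AUTH response, or a CERTREQ from the client) clears the corresponding finding.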
