On Sat, 22 Jul 2023, Heting Wang wrote:
I'm now migrating from StrongSwan to LibreSwan, it seems like it will never work with iOS
Your error is not related to iOS.
conn cert
    ikev2=insist
    left=%defaultroute

tail -f /var/log/pluto.log
Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
Jul 22 19:49:36.532072: adding UDP interface eth0 [2406:da14:5db:f400š”:]:500
Jul 22 19:49:36.532096: adding UDP interface eth0 [2406:da14:5db:f400š”:]:4500
Jul 22 19:49:36.532119: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
Jul 22 19:49:36.532142: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
Jul 22 19:49:36.532165: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
Jul 22 19:49:36.532188: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
It seems you are not listening on IPv4 IP addresses. Meaning libreswan got started before the IP 172.31.2.1 was configured on the system?
Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 19:50:03.652512: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN
As a workaround, you can try after the boot to issue "ipsec whack --listen" which should redo the IP binding and pick up the now added 172.31.2.1 IP.

Paul
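
Added example, not part of the reply above and not libreswan code: a small check that walks a pluto.log in order and reports local endpoints that received IKE packets without a preceding "adding UDP interface" line for them, which is the mismatch the reply points at. The sample log is constructed; the unbracketed IPv4 form of the "adding UDP interface" line and the function name `unbound_receivers` are assumptions, and the log passed in should cover pluto's startup.

```python
import ipaddress
import re

# Constructed sample modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 19:55:10.000001: adding UDP interface eth0 172.31.2.1:500
Jul 22 19:55:12.000002: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
"""

# "[v6]:port" or "a.b.c.d:port" (IPv4 form without brackets is an assumption).
ADDR = (r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))"
        r":(?P<port>\d+)")
BOUND = re.compile(r"adding UDP interface \S+ " + ADDR)
RECEIVED = re.compile(r"message received on " + ADDR)


def _endpoint(match):
    """Return (normalized address, port); keep the raw text if unparsable."""
    raw = match.group("v6") or match.group("v4")
    try:
        raw = str(ipaddress.ip_address(raw))
    except ValueError:
        pass
    return raw, int(match.group("port"))


def unbound_receivers(log_text):
    """Endpoints that received packets before any binding line was logged."""
    bound, missing = set(), []
    for line in log_text.splitlines():
        m = BOUND.search(line)
        if m:
            bound.add(_endpoint(m))
            continue
        m = RECEIVED.search(line)
        if m:
            ep = _endpoint(m)
            if ep not in bound and ep not in missing:
                missing.append(ep)
    return missing


if __name__ == "__main__":
    for addr, port in unbound_receivers(SAMPLE_LOG):
        print(f"no 'adding UDP interface' line seen for {addr}:{port}")
```
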
