Hello,
I'm a newb to strongSwan so please be gentle if I miss something obvious!

I followed the instruction on the Wiki: http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple) except with version 5 not 4 (don't know if that will be relevant). I couldn't get it working with an iOS device so went back to having a Linux box at either end so I can get some decent log file entries. So, please bear in mind that although it says "iPhone" in the key names etc., it is actually strongSwan at both ends now. So hopefully anything weird and iOS specific is not relevant /yet/.

(All public IP addresses here have been obfuscated, so don't bother trying to connect to me!)

First, server config:

conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=10.66.0.0/16
    leftfirewall=yes
    leftcert=serverCert.pem
    leftid="C=GB, O=Company, CN=176.34.100.100"
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.100.255.0/28
    rightcert=clientCert.pem
    auto=add

Then client config:

conn us-east-1-vpc
    left=%any
    leftsourceip=%config
    leftid=iphone
    leftcert=clientCert.pem
    leftfirewall=yes
    rightid="C=GB, O=Company, CN=176.34.100.100"
    right=176.34.100.100
    rightsubnet=10.66.0.0/16
    authby=xauthrsasig
    xauth=client
    xauth_identity=iphone
    keyexchange=ikev1
    auto=start

The relevant passwords/keys are in the secrets files and the client and CA certs are installed at both ends. Server cert on the server etc.

The tunnel establishes, but not completely: I can't pass any traffic. The IPsec part seems to not be working. The same results come from using an iPhone to connect or using another strongSwan.
Log file on the client (after the initial cert exchange and XAuth):

Jul 25 10:35:59 centos1 charon: 07[IKE] XAuth authentication of 'iphone' (myself) successful
Jul 25 10:35:59 centos1 charon: 07[IKE] IKE_SA us-east-1-vpc[1] established between 192.168.1.101[C=GB, O=Company, CN=Maxs iPhone]...176.34.100.100[C=GB, O=Company, CN=176.34.100.100]
Jul 25 10:35:59 centos1 charon: 07[IKE] scheduling reauthentication in 10120s
Jul 25 10:35:59 centos1 charon: 07[IKE] maximum IKE_SA lifetime 10660s
Jul 25 10:35:59 centos1 charon: 07[ENC] generating TRANSACTION response 2626266634 [ HASH CP ]
Jul 25 10:35:59 centos1 charon: 07[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]
Jul 25 10:35:59 centos1 charon: 07[ENC] generating TRANSACTION request 3715724063 [ HASH CP ]
Jul 25 10:35:59 centos1 charon: 07[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]
Jul 25 10:35:59 centos1 charon: 05[NET] received packet: from 176.34.100.100[4500] to 192.168.1.101[4500]
Jul 25 10:35:59 centos1 charon: 05[ENC] parsed TRANSACTION response 3715724063 [ HASH CP ]
Jul 25 10:35:59 centos1 charon: 05[IKE] installing new virtual IP 10.100.255.1
Jul 25 10:35:59 centos1 charon: 05[ENC] generating QUICK_MODE request 2376593287 [ HASH SA No KE ID ID ]
Jul 25 10:35:59 centos1 charon: 05[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]
Jul 25 10:35:59 centos1 charon: 04[NET] received packet: from 176.34.100.100[4500] to 192.168.1.101[4500]
Jul 25 10:35:59 centos1 charon: 04[ENC] parsed INFORMATIONAL_V1 request 918202651 [ HASH N(INVAL_ID) ]
Jul 25 10:35:59 centos1 charon: 04[IKE] received INVALID_ID_INFORMATION error notify
Jul 25 10:36:23 centos1 charon: 07[IKE] sending keep alive
Jul 25 10:36:23 centos1 charon: 07[NET] sending packet: from 192.168.1.101[4500] to 176.34.100.100[4500]

Logfile from the server:

Jul 25 09:36:07 ip-10-66-254-21 charon: 14[IKE] XAuth authentication of 'iphone' successful
Jul 25 09:36:07 ip-10-66-254-21 charon: 14[ENC] generating TRANSACTION request 2626266634 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 14[NET] sending packet: from 10.66.254.21[4500] to 87.194.200.200[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[NET] received packet: from 87.194.200.200[4500] to 10.66.254.21[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[ENC] parsed TRANSACTION response 2626266634 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[IKE] IKE_SA ios[5] established between 10.66.254.21[C=GB, O=Company, CN=176.34.100.100]...87.194.200.200[C=GB, O=Company, CN=Maxs iPhone]
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[IKE] scheduling reauthentication in 10252s
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[IKE] maximum IKE_SA lifetime 10792s
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[NET] received packet: from 87.194.200.200[4500] to 10.66.254.21[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[ENC] parsed TRANSACTION request 3715724063 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[IKE] peer requested virtual IP %any
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[CFG] reassigning offline lease to 'iphone'
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[IKE] assigning virtual IP 10.100.255.1 to peer 'iphone'
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[ENC] generating TRANSACTION response 3715724063 [ HASH CP ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[NET] sending packet: from 10.66.254.21[4500] to 87.194.200.200[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[NET] received packet: from 87.194.200.200[4500] to 10.66.254.21[4500]
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[ENC] parsed QUICK_MODE request 2376593287 [ HASH SA No KE ID ID ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[IKE] no matching CHILD_SA config found
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[ENC] generating INFORMATIONAL_V1 request 918202651 [ HASH N(INVAL_ID) ]

root@ip-10-66-254-21:/usr/local/etc# ipsec status
Security Associations (1 up, 0 connecting):
         ios[5]: ESTABLISHED 2 minutes ago, 10.66.254.21[C=GB, O=Company, CN=176.34.100.100]...87.194.200.200[C=GB, O=Company, CN=Maxs iPhone]

Connecting from the iPhone gives a similar response but a different quick_mode:

Jul 25 09:51:52 ip-10-66-254-21 charon: 16[NET] received packet: from 87.194.205.228[1473] to 10.66.254.21[4500]
Jul 25 09:51:52 ip-10-66-254-21 charon: 16[ENC] parsed QUICK_MODE request 2502504197 [ HASH SA No ID ID ]
Jul 25 09:51:52 ip-10-66-254-21 charon: 16[IKE] no matching CHILD_SA config found

Can anyone offer any advice?

Thanks,
Max
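The "no matching CHILD_SA config found" line followed by the N(INVAL_ID) notify is the point where charon compares the peer's quick mode ID payloads (its proposed traffic selectors) against the conn's configured subnets. With rightsourceip in use, charon treats the virtual IP it handed out as the peer's traffic selector, so a fixed rightsubnet that does not contain that address can never match. The Python script below is an added example for checking exactly that; it is not part of Max's post and not strongSwan code. It parses the conn section of an ipsec.conf and the charon lines that matter, then reports whether the assigned virtual IP falls inside rightsourceip and rightsubnet. SAMPLE_IPSEC_CONF and SAMPLE_SERVER_LOG are constructed from the post above, and diagnose, parse_ipsec_conf, parse_charon_log and traffic_selector_findings are my own names.

```python
"""Cross-check a strongSwan IKEv1 responder's ipsec.conf against charon's
QUICK_MODE log lines. Added example; sample data is constructed from the post."""
import ipaddress
import re

# Constructed: the responder ('server') side of the post's ipsec.conf.
SAMPLE_IPSEC_CONF = """\
conn ios
    keyexchange=ikev1
    authby=xauthrsasig
    xauth=server
    left=%defaultroute
    leftsubnet=10.66.0.0/16
    right=%any
    rightsubnet=10.0.0.0/24
    rightsourceip=10.100.255.0/28
    auto=add
"""

# Constructed: the charon lines from the post that matter for the CHILD_SA.
SAMPLE_SERVER_LOG = """\
Jul 25 09:36:07 ip-10-66-254-21 charon: 04[IKE] IKE_SA ios[5] established between 10.66.254.21[C=GB, O=Company, CN=176.34.100.100]...87.194.200.200[C=GB, O=Company, CN=Maxs iPhone]
Jul 25 09:36:07 ip-10-66-254-21 charon: 03[IKE] assigning virtual IP 10.100.255.1 to peer 'iphone'
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[ENC] parsed QUICK_MODE request 2376593287 [ HASH SA No KE ID ID ]
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[IKE] no matching CHILD_SA config found
Jul 25 09:36:07 ip-10-66-254-21 charon: 01[ENC] generating INFORMATIONAL_V1 request 918202651 [ HASH N(INVAL_ID) ]
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*(.*?)\s*$")
ESTABLISHED_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established")
ASSIGN_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']*)'")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the conn sections in ipsec.conf text."""
    conns, current = {}, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns


def parse_charon_log(text):
    """Extract the conn that established, the virtual IPs handed out
    (peer -> ip) and whether a QUICK_MODE found no matching CHILD_SA config."""
    facts = {"conn": None, "virtual_ips": {}, "child_sa_rejected": False}
    for line in text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if m:
            facts["conn"] = m.group(1)
        m = ASSIGN_RE.search(line)
        if m:
            facts["virtual_ips"][m.group(2)] = m.group(1)
        if "no matching CHILD_SA config found" in line:
            facts["child_sa_rejected"] = True
    return facts


def traffic_selector_findings(conn, virtual_ip):
    """With rightsourceip in use, the peer's traffic selector is its virtual
    IP, so rightsubnet (if set at all) must contain that address."""
    findings = []
    vip = ipaddress.ip_address(virtual_ip)
    pool = conn.get("rightsourceip")
    if pool:
        try:
            if vip not in ipaddress.ip_network(pool, strict=False):
                findings.append(f"virtual IP {vip} is outside rightsourceip pool {pool}")
        except ValueError:
            pass  # named pool (dhcp/radius plugin etc.); cannot check statically
    subnet = conn.get("rightsubnet")
    if subnet:
        nets = [ipaddress.ip_network(s.strip(), strict=False) for s in subnet.split(",")]
        if not any(vip in n for n in nets):
            findings.append(
                f"rightsubnet={subnet} does not contain virtual IP {vip}; the peer "
                "proposes its virtual IP as its traffic selector, so either drop "
                "rightsubnet or make it cover the rightsourceip pool")
    return findings


def diagnose(conf_text, log_text):
    """Return {conn: [findings]} for the conn whose QUICK_MODE was rejected,
    or {} when the log shows no such rejection."""
    conns = parse_ipsec_conf(conf_text)
    facts = parse_charon_log(log_text)
    if not facts["child_sa_rejected"] or facts["conn"] not in conns:
        return {}
    conn = conns[facts["conn"]]
    out = []
    for peer, vip in facts["virtual_ips"].items():
        out.extend(f"peer '{peer}': {f}" for f in traffic_selector_findings(conn, vip))
    return {facts["conn"]: out}


if __name__ == "__main__":
    for conn_name, findings in diagnose(SAMPLE_IPSEC_CONF, SAMPLE_SERVER_LOG).items():
        print(conn_name)
        for f in findings:
            print("  -", f)
```

Run against the constructed sample it reports one finding for conn ios: rightsubnet=10.0.0.0/24 does not contain 10.100.255.1. The same check passes once rightsubnet either covers the 10.100.255.0/28 pool or is removed, and the parser only looks at the ipsec.conf keys and charon messages that appear in the post, so it is deliberately narrow rather than a general ipsec.conf validator.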
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
