Hi, I am trying to start a connection using IKEv2, from an iPhone (iOS 8) to Ubuntu. The server basically works - using an Android device I can connect and use the network.
I suspect the problem is in my .mobileconfig - I was not able to find an example I understood. My mobileconfig for the iOS device:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key>
  <string>Mark Test Profile</string>
  <key>PayloadIdentifier</key>
  <string>uk.co.mycompany.myhost</string>
  <key>PayloadUUID</key>
  <string>7fb8cc12-225b-4b30-8fed-f8c827153a0b</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadIdentifier</key>
      <string>uk.co.mycompany.myhost.shared-configuration</string>
      <key>PayloadUUID</key>
      <string>e914d1ce-8eac-41a3-bbad-5005f63b4e78</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>UserDefinedName</key>
      <string>Mark IKEv2 VPN</string>
      <key>VPNType</key>
      <string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <!-- Hostname or IP address of the VPN server -->
        <key>RemoteAddress</key>
        <string>192.168.196.191</string>
        <key>RemoteIdentifier</key>
        <string>192.168.196.191</string>
        <key>LocalIdentifier</key>
        <string></string>
        <key>OnDemandEnabled</key>
        <integer>1</integer>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Connect</string>
          </dict>
        </array>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <key>ExtendedAuthEnabled</key>
        <integer>0</integer>
        <key>PayloadCertificateUUID</key>
        <string>747281f0-e370-493c-83ef-aea219cc0a10</string>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-128</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA1-96</string>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-128</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA1-96</string>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
        </dict>
      </dict>
    </dict>
    <dict>
      <key>PayloadIdentifier</key>
      <string>uk.co.mycompany.myhost</string>
      <key>PayloadUUID</key>
      <string>747281f0-e370-493c-83ef-aea219cc0a10</string>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Password</key>
      <string>a</string>
      <key>PayloadContent</key>
      <data>
      MIIM [...] qijlBvHwDQoCAggA
      </data>
    </dict>
    <dict>
      <key>PayloadIdentifier</key>
      <string>uk.co.mycompany.myhost</string>
      <key>PayloadUUID</key>
      <string>b561ad76-43a3-433b-ba2d-9cf7e5070b5c</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadContent</key>
      <data>
      MIIDM [...] kVgYtExC
      </data>
    </dict>
  </array>
</dict>
</plist>

The resulting strongSwan log:

charon: 15[NET] received packet: from 192.168.198.33[500] to 192.168.196.191[500] (416 bytes)
charon: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 15[CFG] looking for an ike config for 192.168.196.191...192.168.198.33
charon: 15[CFG] ike config match: 1052 (192.168.196.191 192.168.198.33 IKEv2)
charon: 15[CFG] candidate: 192.168.196.191...%any, prio 1052
charon: 15[CFG] found matching ike config: 192.168.196.191...%any with prio 1052
charon: 15[IKE] 192.168.198.33 is initiating an IKE_SA
charon: 15[CFG] selecting proposal:
charon: 15[CFG] proposal matches
charon: 15[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 15[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/HMAC_SHA1_96/HMAC_MD5_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/PRF_HMAC_SHA1/PRF_HMAC_MD5/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160
charon: 15[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 15[IKE] remote host is behind NAT
charon: 15[IKE] sending cert request for "C=UK, O=CTS, CN=SSCA"
charon: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
charon: 15[NET] sending packet: from 192.168.196.191[500] to 192.168.198.33[500] (465 bytes)
charon: 14[NET] received packet: from 192.168.198.33[4500] to 192.168.196.191[4500] (332 bytes)
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon: 14[CFG] looking for peer configs matching 192.168.196.191[192.168.196.191]...192.168.198.33[10.0.3.2]
charon: 14[CFG] peer config match local: 0 (ID_IPV4_ADDR -> c0:a8:c4:bf)
charon: 14[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> 0a:00:03:02)
charon: 14[CFG] ike config match: 1052 (192.168.196.191 192.168.198.33 IKEv2)
charon: 14[CFG] no matching peer config found
charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon: 14[NET] sending packet: from 192.168.196.191[4500] to 192.168.198.33[4500] (76 bytes)

I don't honestly understand this stuff very well, but comparing this log to a (working) log (when I connect an Android device) it looks like the iPhone is not sending a CERT during IKE_AUTH.

Thanks!
-Mark

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
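An added example, not part of Mark's post and not a strongSwan tool: a small Python script that reads the IKE_AUTH lines from a charon log like the one above and reports which side of the peer-config match failed and which payloads the client's IKE_AUTH request did and did not carry. It assumes the strongSwan 5.x log wording quoted in the post; the sample lines are copied from that log.

```python
import re

# Constructed sample: the IKE_AUTH portion of the strongSwan log quoted in the post.
SAMPLE_LOG = """\
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
charon: 14[CFG] looking for peer configs matching 192.168.196.191[192.168.196.191]...192.168.198.33[10.0.3.2]
charon: 14[CFG] peer config match local: 0 (ID_IPV4_ADDR -> c0:a8:c4:bf)
charon: 14[CFG] peer config match remote: 1 (ID_IPV4_ADDR -> 0a:00:03:02)
charon: 14[CFG] no matching peer config found
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

AUTH_RE = re.compile(r"parsed IKE_AUTH request \d+ \[ (.*?) \]")
# "looking for peer configs matching <addr>[IDr]...<addr>[IDi]"
PEERS_RE = re.compile(r"looking for peer configs matching [^\s\[]+\[(.*?)\]\.\.\.[^\s\[]+\[(.*?)\]")
SCORE_RE = re.compile(r"peer config match (local|remote): (\d+)")

def diagnose_ike_auth(log):
    """Extract identities, peer-config match scores and payload list from an
    IKE_AUTH failure and return them together with plain-language findings."""
    info = {"idr": None, "idi": None, "local": None, "remote": None,
            "payloads": [], "findings": []}
    for line in log.splitlines():
        if m := AUTH_RE.search(line):
            # drop the "(...)" detail of N(...) and CPRQ(...) so only payload names remain
            info["payloads"] = re.sub(r"\([^)]*\)", "", m.group(1)).split()
        elif m := PEERS_RE.search(line):
            info["idr"], info["idi"] = m.group(1), m.group(2)
        elif m := SCORE_RE.search(line):
            info[m.group(1)] = int(m.group(2))
    if info["payloads"] and "CERT" not in info["payloads"]:
        info["findings"].append("IKE_AUTH request carries no CERT payload")
    if info["payloads"] and "AUTH" not in info["payloads"]:
        info["findings"].append("IKE_AUTH request carries no AUTH payload "
                                "(RFC 7296: the initiator omits AUTH to request EAP)")
    if info["local"] == 0:  # score 0 = no candidate matched on the local (server) identity
        info["findings"].append(f"no peer config has a local identity (leftid) equal to "
                                f"the IDr the client sent ({info['idr']}); compare it "
                                f"with the profile's RemoteIdentifier")
    if info["remote"] == 0:
        info["findings"].append(f"no peer config accepts the client's IDi ({info['idi']}); "
                                f"check rightid")
    return info

if __name__ == "__main__":
    for finding in diagnose_ike_auth(SAMPLE_LOG)["findings"]:
        print("-", finding)
```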
