Hi,

I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.

I have this very simple config:

connections {
    ios {
        version = 2
        pools = ios_pool
        remote {
            id = foobar
            auth = psk
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8
    }
}

secrets {
    ike-ios {
        secret = abc
    }
}

But when I connect from an iOS client using the following connection settings:

Remote ID: foobar
Local ID: [empty]
Authentication Settings: None
Shared Secret: abc

It fails to connect, and the log shows it fails at a pretty early stage:

12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
12[IKE] 2.2.2.2 is initiating an IKE_SA
12[IKE] remote host is behind NAT
12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
15[IKE] received retransmit of request with ID 0, retransmitting response
15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
05[ENC] unknown attribute type (25)
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
05[CFG] no matching peer config found
05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE] peer supports MOBIKE
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)

I’m trying to get a firm grasp of strongSwan (I have some basic understanding
of IKEv2 & IPsec), so a few questions:

1. What constitutes a "peer config" in swanctl.conf?
2. Is the AUTH_FAILED message caused by a secret mismatch, by not being able to
find a matching connection setting, or by something else?
3. How do I find out from the logs which kind of auth request the client sent?
The iOS client provides quite a few authentication settings, and I’d like to
learn how charon sees them in order to provide the corresponding settings in
swanctl.conf.

Thanks in advance.
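A corrected version of the posted connection block, added here as an illustration and not part of the original message or of strongSwan's documentation. In charon's "looking for peer configs matching local_host[local_id]...remote_host[remote_id]" line, foobar is the IDr the iOS client sent (its "Remote ID"), so it has to be the server's local.id, while remote.id is matched against the client's own IDi (here its address 192.168.1.251, because Local ID was left empty). The children section and local_ts are assumptions about the intended full-tunnel setup.

```conf
connections {
    ios {
        version = 2
        pools = ios_pool
        # Identity the server asserts. It must equal the IDr the iOS client
        # sends, i.e. its "Remote ID" (foobar in the log line
        # "looking for peer configs matching 1.1.1.1[foobar]...").
        local {
            id = foobar
            auth = psk
        }
        # With "Local ID" empty, iOS sends its own address as IDi
        # (192.168.1.251 above). remote.id defaults to %any, so any peer
        # identity is accepted; pinning foobar here is what made the
        # peer config lookup fail.
        remote {
            auth = psk
        }
        # Assumed: a CHILD_SA definition, without which no tunnel can be
        # negotiated even once authentication succeeds. 0.0.0.0/0 is the
        # usual choice for a full-tunnel mobile client.
        children {
            ios {
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8
    }
}

secrets {
    # No "id" key: this PSK is offered to any peer. "abc" is the
    # placeholder value from the post, not a recommended secret.
    ike-ios {
        secret = abc
    }
}
```

After reloading with swanctl --load-all, the same CFG log line should be followed by the ios config being selected instead of "no matching peer config found".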