1. Peer config is related to ipsec.conf.
2. As your log shows, AUTH_FAILED might also be caused by ipsec.conf; when you have finished ipsec.conf, you should configure ipsec.secrets as well.
Regards
Quaker

On Tue, Jan 2, 2018 at 7:00 PM, <[email protected]> wrote:
> Today's Topics:
>
> 1. Help needed for a basic swanctl config (Glen Huang)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 2 Jan 2018 18:54:27 +0800
> From: Glen Huang <[email protected]>
> To: [email protected]
> Subject: [strongSwan] Help needed for a basic swanctl config
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>
> I have this very simple config:
>
> connections {
>     ios {
>         version = 2
>         pools = ios_pool
>         remote {
>             id = foobar
>             auth = psk
>         }
>     }
> }
>
> pools {
>     ios_pool {
>         addrs = 192.168.37.0/24
>         dns = 8.8.8.8
>     }
> }
>
> secrets {
>     ike-ios {
>         secret = abc
>     }
> }
>
> But when connecting from an iOS client using the following connection
> settings:
>
> Remote ID: foobar
> Local ID: [empty]
> Authentication Settings: None
> Shared Secret: abc
>
> it fails to connect, and the log shows it fails at a pretty early stage:
>
> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 12[IKE] 2.2.2.2 is initiating an IKE_SA
> 12[IKE] remote host is behind NAT
> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 15[IKE] received retransmit of request with ID 0, retransmitting response
> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
> 05[ENC] unknown attribute type (25)
> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> 05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
> 05[CFG] no matching peer config found
> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 05[IKE] peer supports MOBIKE
> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>
> I’m trying to get a firm grasp of strongSwan (I have some basic
> understanding of IKEv2 & IPsec), so a few questions:
>
> 1. What constitutes a "peer config" in swanctl.conf?
> 2. Is the AUTH_FAILED message caused by a secret mismatch, by being unable to
> find a connection setting, or by something else?
> 3. How do I find out in the logs the kind of auth request sent by the
> client? The iOS client provides quite a few authentication settings,
> and I’d like to learn how charon sees them in order to provide the
> corresponding settings in swanctl.conf.
>
> Thanks in advance.
>
>
> End of Users Digest, Vol 96, Issue 2
> ************************************
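As an added example (not from the thread or the strongSwan project), here is a small Python diagnostic that reads the charon lines quoted above to answer questions 2 and 3: which identities charon used for the peer-config lookup, which authentication method the client attempted, and why `remote.id = foobar` in the `ios` connection cannot match. It assumes charon prints its own address and the IDr the client asked for first, then the client's address and IDi; `CONNECTION` is a hand-reduced view of the quoted config, and the identity comparison is a plain string check rather than charon's full identity matching.

```python
import re

# Constructed excerpt of the charon log quoted in the thread above.
CHARON_LOG = """\
05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
05[CFG] no matching peer config found
05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""
# Identity settings of the quoted 'ios' connection (None = not configured).
CONNECTION = {"local_id": None, "remote_id": "foobar"}

LOOKUP_RE = re.compile(r"looking for peer configs matching (\S+)\[(.*?)\]\.\.\.(\S+)\[(.*?)\]")
IKE_AUTH_RE = re.compile(r"parsed IKE_AUTH request \d+ \[ (.*) \]")

def parse_peer_lookup(log):
    """Assumption: charon logs its own side first (address and the IDr the client
    asked for), then the client's side (address and the IDi the client sent)."""
    m = LOOKUP_RE.search(log)
    if not m:
        return None
    return dict(zip(("local_addr", "idr", "remote_addr", "idi"), m.groups()))

def ike_auth_payloads(log):
    """Top-level payload names of the client's first IKE_AUTH request."""
    m = IKE_AUTH_RE.search(log)
    if not m:
        return []
    s = m.group(1)
    while "(" in s:  # peel nested (...) details such as N(...) and CPRQ(...) inside out
        s = re.sub(r"\([^()]*\)", "", s)
    return s.split()

def client_auth_method(log):
    """AUTH+CERT -> certificate; AUTH without CERT -> psk; no AUTH -> eap (RFC 7296)."""
    names = ike_auth_payloads(log)
    if not names:
        return None
    if "AUTH" not in names:
        return "eap"
    return "certificate" if "CERT" in names else "psk"

def explain_mismatch(conn, lookup):
    """Why the configured ids cannot match charon's lookup (exact-string check only)."""
    reasons = []
    if conn["remote_id"] is not None and conn["remote_id"] != lookup["idi"]:
        reasons.append(f"remote.id={conn['remote_id']} but the client's IDi is {lookup['idi']}")
    if conn["local_id"] is not None and conn["local_id"] != lookup["idr"]:
        reasons.append(f"local.id={conn['local_id']} but the client's IDr is {lookup['idr']}")
    return reasons
```

Running `explain_mismatch(CONNECTION, parse_peer_lookup(CHARON_LOG))` on the quoted log reports that `remote.id=foobar` was compared against the client's IDi `192.168.1.251`, i.e. the client's "Remote ID" is the identity it expects of the server, not its own.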
