I made some progress. I can fix the "no matching peer config found" error by deleting "id = foobar" in remote.

I'm not sure why I shouldn't specify an IKE identity. I assume the Remote ID in the iOS client specifies the IKE identity. Should I only specify the id when authenticating using a certificate?

After fixing it, the peer config "ios" was selected (now I understand peer config denotes a connection), but I got a new error saying no private key found for 'foobar'. I don't quite understand it: since I don't have any certificates configured in strongswan, and don't ask the iOS client to send one, why is charon looking for a private key for 'foobar'?

Regards,
Glen

> On 2 Jan 2018, at 6:54 PM, Glen Huang <[email protected]> wrote:
>
> Hi,
>
> I'm trying to set up an IKEv2 VPN server using swanctl for iOS clients.
>
> I have this very simple config:
>
> connections {
>     ios {
>         version = 2
>         pools = ios_pool
>         remote {
>             id = foobar
>             auth = psk
>         }
>     }
> }
>
> pools {
>     ios_pool {
>         addrs = 192.168.37.0/24
>         dns = 8.8.8.8
>     }
> }
>
> secrets {
>     ike-ios {
>         secret = abc
>     }
> }
>
> But when connecting from an iOS client using the following connection settings:
>
> Remote ID: foobar
> Local ID: [empty]
> Authentication Settings: None
> Shared Secret: abc
>
> It fails to connect, and the log shows it fails at a pretty early stage:
>
> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 12[IKE] 2.2.2.2 is initiating an IKE_SA
> 12[IKE] remote host is behind NAT
> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA"
> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes)
> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
> 15[IKE] received retransmit of request with ID 0, retransmitting response
> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes)
> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes)
> 05[ENC] unknown attribute type (25)
> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
> 05[CFG] looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]
> 05[CFG] no matching peer config found
> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> 05[IKE] peer supports MOBIKE
> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes)
>
> I'm trying to have a firm grasp of strongswan (I have some basic understanding of ikev2 & IPsec), so a few questions:
>
> 1. What constitutes a "peer config" in swanctl.conf?
> 2. Is the AUTH_FAILED message caused by a secret mismatch, by being unable to find a connection setting, or by something else?
> 3. How do I find out in the logs the kind of auth request sent by the client? The iOS client provides quite a few authentication settings, and I'd like to learn how charon sees them in order to provide the corresponding settings in swanctl.conf
>
> Thanks in advance.
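An added example (not a configuration from the thread) of a swanctl.conf that the two symptoms above point to, with the reasoning in comments. The log's "looking for peer configs matching 1.1.1.1[foobar]...2.2.2.2[192.168.1.251]" shows that the iOS "Remote ID" arrives as IDr, i.e. it names the server's own identity, so it belongs under local, not remote; and swanctl's documented default for local.auth is pubkey, which is why charon, once the peer config matched, went looking for a private key for "foobar". The connection, pool and secret names are taken from the thread; the children section and the 0.0.0.0/0 traffic selector are assumptions added because the original config defines no CHILD_SA at all.

```conf
# Added example, not the configuration posted in the thread.
# Assumed: the full-tunnel traffic selector and the children section name.
connections {
    ios {
        version = 2
        pools = ios_pool

        local {
            # The iOS "Remote ID" field is sent as IDr and names *this* server,
            # so the matching identity is configured on the local side.
            id = foobar
            # local.auth defaults to pubkey, which makes charon search for a
            # private key for "foobar". PSK must be requested explicitly.
            auth = psk
        }

        remote {
            # iOS "Local ID" is empty, so the client identifies itself by its
            # own address (192.168.1.251 in the log). Leaving remote.id at its
            # default (%any) accepts that; a fixed "foobar" here cannot match.
            auth = psk
        }

        # The posted config has no children section; without a CHILD_SA
        # definition IKE_AUTH cannot install any IPsec SA even once the IKE_SA
        # authenticates.
        children {
            ios {
                # Full tunnel: all client traffic is routed through the VPN.
                # remote_ts is left at its default, the virtual IP assigned
                # from ios_pool.
                local_ts = 0.0.0.0/0
            }
        }
    }
}

pools {
    ios_pool {
        addrs = 192.168.37.0/24
        dns = 8.8.8.8
    }
}

secrets {
    # With no id-* entry this PSK is offered to any peer identity. Add an
    # id-1 = <identity> line to restrict it to a specific IDi.
    ike-ios {
        secret = abc
    }
}
```

After `swanctl --load-all`, `swanctl --list-conns` prints each side's id and auth method as charon parsed them, which is the quickest way to confirm the config says what you intended. For question 3, the IKE_AUTH round is where charon reports the authentication it is performing: a successful PSK round logs "selected peer config 'ios'" followed by "authentication of '192.168.1.251' with pre-shared key successful" for the client and "authentication of 'foobar' (myself) with pre-shared key" for the server, so the method the client actually used is visible there rather than in the IKE_SA_INIT payload list.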
