Nevermind, I confused local with remote. I can connect now.
Regards, Glen > On 3 Jan 2018, at 2:27 PM, Glen Huang <[email protected]> wrote: > > I made some progress. > > I can fix the "no matching peer config found” error by deleting "id = foobar” > in remote. > > I’m not sure why I shouldn’t specify an IKE identity. I assume the Remote ID > in iOS client specifies the IKE identity. Should I only specify the id when > authenticating using a certificate? > > After fixing it, the peer config “ios” was selected (now I understand peer > config denotes a connection), but I got a new error saying no private key > found for ‘foobar’. > > I don’t quite understand it. Since I don’t have any certificates configured > in strongswan, and don’t ask the iOS client to send one. Why is charon > looking for a private key for ‘foobar’? > > Regards, > Glen > > >> On 2 Jan 2018, at 6:54 PM, Glen Huang <[email protected]> wrote: >> >> Hi, >> >> I’m trying to set up an IKEv2 VPN server using swanctl for iOS clients. >> >> I have this very simple config: >> >> connections { >> ios { >> version = 2 >> pools = ios_pool >> remote { >> id = foobar >> auth = psk >> } >> } >> } >> >> pools { >> ios_pool { >> addrs = 192.168.37.0/24 >> dns = 8.8.8.8 >> } >> } >> >> secrets { >> ike-ios { >> secret = abc >> } >> } >> >> But when connect from an iOS client using the following connection settings: >> >> Remote ID: foobar >> Local ID: [empty] >> Authentication Settings: None >> Shared Secret: abc >> >> It fails to connect, and the log shows it fails at an pretty early stage: >> >> 12[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes) >> 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) >> N(NATD_D_IP) N(FRAG_SUP) ] >> 12[IKE] 2.2.2.2 is initiating an IKE_SA >> 12[IKE] remote host is behind NAT >> 12[IKE] sending cert request for "C=com, O=myvpn, CN=VPN CA" >> 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) >> N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ] >> 12[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes) >> 15[NET] received packet: from 2.2.2.2[500] to 1.1.1.1[500] (604 bytes) >> 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) >> N(NATD_D_IP) N(FRAG_SUP) ] >> 15[IKE] received retransmit of request with ID 0, retransmitting response >> 15[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (473 bytes) >> 05[NET] received packet: from 2.2.2.2[4500] to 1.1.1.1[4500] (544 bytes) >> 05[ENC] unknown attribute type (25) >> 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr >> AUTH CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) >> N(NON_FIRST_FRAG) SA TSi TSr ] >> 05[CFG] looking for peer configs matching >> 1.1.1.1[foobar]...2.2.2.2[192.168.1.251] >> 05[CFG] no matching peer config found >> 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding >> 05[IKE] peer supports MOBIKE >> 05[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] >> 05[NET] sending packet: from 1.1.1.1[4500] to 2.2.2.2[4500] (80 bytes) >> >> I’m trying to have a firm grasp of strongswan (I have some basic >> understanding of ikev2 & IPsec), so a few questions: >> >> 1. What constitutes a "peer config” in swanctl.conf? >> 2. The AUTH_FAILED message is caused by a secret mismatch or unable to find >> a connection setting or something else? >> 3. How do I find out in the logs the kind of auth request sent by the >> client? The iOS Client client provides quite a few authentication settings, >> and I’d like to learn how charon sees them in order to provide the >> corresponding settings in swanctl.conf >> >> Thanks in advance. >
