Hello all,

I am having issues under certain conditions with iOS devices not correctly connecting to my IPsec solution.

My full setup consists of two parts:
An Android connection using the strongSwan application, which works as expected: the device connects and the server and client can ping each other. The device can fully access the server's listening ports and the solution works.

An iPhone connection, which connects and works on mobile data that is only provided an IPv6 address; however, it does not work on IPv4 addresses, including the same network that the Android solution works on.
iPhone 11, software version 15.5

In addition to this, and worth a mention in case it's related:
When attempting a connection from a MacBook (Monterey 12.3.1), the device connects and gets assigned an IP; the server can then ping the device and receive a response. However, the device can't ping the server directly or connect to any of the ports. We don't currently require the Mac to be part of the final solution, so this isn't an issue, but maybe it is a clue?

I believe it is likely I am missing a policy rule in one of the strongSwan config files, because the Android device works without issue and the iPhone works over mobile data with only an IPv6 address (the provider uses NAT64 to translate to IPv4).


The ipsec.conf is as follows:


config setup
    charondebug="all"
    uniqueids=no

conn android
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@cerberus.conscious.co.uk
    leftcert=cerberus.conscious.co.uk.crt
    leftsendcert=always
    leftsubnet=156.67.0.0/16
    right=%any
    rightid=%any
    rightauth=pubkey
    # 10.10.10.0/16 is the network 10.10.0.0/16; it contains the 10.10.10.0/24 pool used by conn apple
    rightsourceip=10.10.10.0/16
    rightdns=10.1.0.50,8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    # ike/esp must be indented to be read as part of this conn section; the trailing '!' makes the list strict.
    # The modp1024 and 3des entries at the end are weak legacy proposals kept for old clients.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!

conn apple
    # inactivity without a unit is in seconds; dpdtimeout is only used for IKEv1 and is ignored here
    inactivity=6000
    dpdtimeout=6000s
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    # dpddelay was set twice (30 and 300s); a single value is kept
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@cerberus.conscious.co.uk
    leftcert=cerberus.conscious.co.uk.crt
    leftsendcert=always
    leftsubnet=156.67.0.0/16
    right=%any
    rightid=%any
    # pubkey didn't work, so using eap-tls
    rightauth=eap-tls
    rightsourceip=10.10.10.0/24
    # was 10,1,0,50 (commas instead of dots)
    rightdns=10.1.0.50,8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    # ike/esp must be indented to be read as part of this conn section; the trailing '!' makes the list strict.
    # The modp1024 and 3des entries are weak legacy proposals kept for old clients.
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!




Here are the last few lines from the logs when a connection is attempted from the iPhone over Wi-Fi, i.e. with an IPv4 address.


Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] parsed IKE_AUTH request 9 [ EAP/RES/TLS ]
Jul 4 14:22:43 cerberus charon[3945804]: 05[IKE] EAP method EAP_TLS succeeded, MSK established
Jul 4 14:22:43 cerberus charon[3945804]: 05[ENC] generating IKE_AUTH response 9 [ EAP/SUCC ]
Jul 4 14:22:43 cerberus charon[3945804]: 05[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] received packet: from clients-ip[4500] to external-ip[4500] (92 bytes)
Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] parsed IKE_AUTH request 10 [ AUTH ]
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'u...@conscious.co.uk' with EAP successful
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] authentication of 'cerberus.conscious.co.uk' (myself) with EAP
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[u...@conscious.co.uk]
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any
Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] reassigning offline lease to 'u...@conscious.co.uk'
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] assigning virtual IP 10.10.10.1 to peer 'u...@conscious.co.uk'
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any6
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] no virtual IP found for %any6 requested by 'u...@conscious.co.uk'
Jul 4 14:22:43 cerberus charon[3945804]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32
Jul 4 14:22:43 cerberus charon[3945804]: 07[ENC] generating IKE_AUTH response 10 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Jul 4 14:22:43 cerberus charon[3945804]: 07[NET] sending packet: from external-ip[4500] to clients-ip[4500] (252 bytes)
Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] received packet: from clients-ip[4500] to external-ip[4500] (76 bytes)
Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] parsed INFORMATIONAL request 11 [ D ]
Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] received DELETE for IKE_SA apple[4]
Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] deleting IKE_SA apple[4] between external-ip[cerberus.conscious.co.uk]...clients-ip[a...@conscious.co.uk]
Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] IKE_SA deleted
Jul 4 14:23:29 cerberus charon[3945804]: 01[ENC] generating INFORMATIONAL response 11 [ ]
Jul 4 14:23:29 cerberus charon[3945804]: 01[NET] sending packet: from external-ip[4500] to clients-ip[4500] (76 bytes)
Jul 4 14:23:29 cerberus charon[3945804]: 01[CFG] lease 10.10.10.1 by 'u...@conscious.co.uk' went offline



==> /var/log/secure <==
Jul 4 14:22:43 cerberus charon[3945804]: 15[IKE] clients-ip is initiating an IKE_SA
Jul 4 14:22:43 cerberus charon[3945804]: 06[IKE] clients-ip is initiating an IKE_SA
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between external-ip[cerberus.conscious.co.uk]...clients-ip[u...@conscious.co.uk]
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS external-ip/32 === 10.10.10.1/32


Does anyone have any thoughts and/or suggestions as to what I could be missing, or guidance on where to look to fix this?
Thank you


--
Lewis Robson
Systems Administrator
Conscious Solutions Limited

Tel: 0117 325 0200
Web: https://www.conscious.co.uk

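Two things in the posted charon log are worth pulling out mechanically rather than by eye: the CHILD_SA was established with TS external-ip/32 === 10.10.10.1/32 although leftsubnet is 156.67.0.0/16, so only the server's own address is covered by that tunnel, and the client's request for an IPv6 virtual IP (%any6) went unanswered because rightsourceip only has an IPv4 pool. The script below is an added example written for this page; it is not code from the post or from the strongSwan project. It parses charon's syslog line format, records what each session negotiated and reports those two conditions plus the time between IKE_SA establishment and the peer's DELETE, so the Android, iPhone and Mac sessions can be compared side by side. The sample lines are constructed to mirror the post, with the documentation addresses 203.0.113.10 and 198.51.100.7 standing in for the redacted external-ip and clients-ip, 203.0.113.0/24 standing in for the post's leftsubnet, and example identities in place of the real ones.

```python
"""Summarise one charon (strongSwan) session from syslog lines and check what was
negotiated against the ipsec.conf values. Added diagnostic, not part of the post."""
import ipaddress
import re
from datetime import datetime

# charon's syslog prefix: "Jul 4 14:22:43 host charon[pid]: 07[IKE] message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+charon\[\d+\]:\s+"
    r"\d+\[(?P<group>[A-Z]+)\]\s+(?P<msg>.*)$"
)
IKE_SA_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between ")
VIP_RE = re.compile(r"assigning virtual IP (?P<vip>\S+) to peer ")
NO_VIP_RE = re.compile(r"no virtual IP found for (?P<fam>%any6?) requested by ")
CHILD_RE = re.compile(
    r"CHILD_SA (?P<conn>\S+)\{(?P<id>\d+)\} established with SPIs \w+_i \w+_o "
    r"and TS (?P<local>\S+) === (?P<remote>\S+)"
)
DELETE_RE = re.compile(r"received DELETE for IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]")

# Constructed sample modelled on the posted log; addresses and identities are placeholders.
SAMPLE_LOG = """\
Jul 4 14:22:43 cerberus charon[3945804]: 05[IKE] EAP method EAP_TLS succeeded, MSK established
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] IKE_SA apple[4] established between 203.0.113.10[vpn.example.com]...198.51.100.7[user@example.com]
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] assigning virtual IP 10.10.10.1 to peer 'user@example.com'
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] peer requested virtual IP %any6
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] no virtual IP found for %any6 requested by 'user@example.com'
Jul 4 14:22:43 cerberus charon[3945804]: 07[IKE] CHILD_SA apple{2} established with SPIs c1c88d8d_i 0e330f25_o and TS 203.0.113.10/32 === 10.10.10.1/32
Jul 4 14:23:29 cerberus charon[3945804]: 01[IKE] received DELETE for IKE_SA apple[4]
"""


def parse_line(line):
    """Return (time, log group, message) for a charon line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["time"], m["group"], m["msg"]


def _seconds_between(t0, t1):
    fmt = "%H:%M:%S"
    return int((datetime.strptime(t1, fmt) - datetime.strptime(t0, fmt)).total_seconds())


def analyse(lines, leftsubnet, has_v6_pool=False):
    """Walk the log for one session; return what was negotiated plus a list of findings.

    leftsubnet is the ipsec.conf value the server is meant to expose; has_v6_pool says
    whether rightsourceip also carries an IPv6 range (the posted config has none)."""
    cfg_subnet = ipaddress.ip_network(leftsubnet)
    sa = {"conn": None, "ike_established_at": None, "virtual_ip": None,
          "local_ts": None, "remote_ts": None, "deleted_after_s": None}
    findings = []
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        when, _group, msg = parsed
        if m := IKE_SA_RE.search(msg):
            sa["conn"], sa["ike_established_at"] = m["conn"], when
        elif m := VIP_RE.search(msg):
            sa["virtual_ip"] = m["vip"]
        elif m := NO_VIP_RE.search(msg):
            if m["fam"] == "%any6" and not has_v6_pool:
                findings.append("client asked for an IPv6 virtual IP but rightsourceip has "
                                "no IPv6 pool; the tunnel carries IPv4 only")
        elif m := CHILD_RE.search(msg):
            sa["local_ts"], sa["remote_ts"] = m["local"], m["remote"]
            local = ipaddress.ip_network(m["local"])
            # charon narrows the TS to what the client proposed; a single host here means
            # the client will only route that one address through the tunnel
            if local.num_addresses < cfg_subnet.num_addresses:
                findings.append(f"CHILD_SA {m['conn']}{{{m['id']}}}: local TS {local} is "
                                f"narrower than leftsubnet {cfg_subnet}; only {local} is "
                                "reachable through this tunnel")
            if sa["virtual_ip"] and ipaddress.ip_network(m["remote"]) != ipaddress.ip_network(sa["virtual_ip"]):
                findings.append(f"remote TS {m['remote']} does not match assigned virtual IP {sa['virtual_ip']}")
        elif m := DELETE_RE.search(msg):
            if sa["ike_established_at"]:
                sa["deleted_after_s"] = _seconds_between(sa["ike_established_at"], when)
                findings.append(f"peer sent DELETE for IKE_SA {m['conn']}[{m['id']}] "
                                f"{sa['deleted_after_s']} s after it was established")
    return {"sa": sa, "findings": findings}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines(), leftsubnet="203.0.113.0/24")
    print(report["sa"])
    for finding in report["findings"]:
        print("-", finding)
```

Run it over `journalctl -u strongswan` or `/var/log/secure` output with the real leftsubnet, once per client, and compare the `local_ts` value: if the Android session shows the full 156.67.0.0/16 while the iPhone session shows the server's address /32, the difference is in what the client proposed as its traffic selector, not in authentication, which the log shows succeeding for the iPhone.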