Strongswan IKEv2 for iOS devices

Question

I want to connect a Strongswan IKEv2 VPN on iOS devices. It uses FreeRADIUS server for AAA of users.

It's already working perfectly on Android and Windows devices. but when I try to connect using the iOS device it shows the below logs. I'm manually making a VPN profile and manually Installing the .p12 certificates for server authetication

server hostname: nas.example.com
server ip: 89.89.89.89
client ip: 99.99.99.99

ipsec.conf

config setup
    charondebug="all"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=3600s
    dpdtimeout=5s
    rekey=no
    left=%any
    leftid=89.89.89.89
    leftcert=vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    #rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

server side logs

Oct 06 02:14:43 nas.example.com charon[3607]: 13[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (604 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] remote host is behind NAT
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (38 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (476 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] remote host is behind NAT
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (316 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] received packet: from 99.99.99.99[4500] to 89.89.89.89[4500] (484 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] unknown attribute type (25)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] looking for peer configs matching 89.89.89.89[89.89.89.89]...99.99.99.99[varun]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] selected peer config 'ikev2-vpn'
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] peer supports MOBIKE
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] authentication of '89.89.89.89' (myself) with RSA signature successful
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] sending end entity cert "C=US, O=nas.example.com, CN=89.89.89.89"
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (1248 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:12 nas.example.com charon[3607]: 16[JOB] deleting half open IKE_SA with 99.99.99.99 after timeout

Any help will be appreciated. Thanks

It seems the client doesn't like the IKE_AUTH response. A likely problem is that it can't validate the server certificate, e.g. because it is missing the CA certificate (make sure it is installed and trusted). You could try to get the client logs via Xcode. — ecdsa, Oct 06 '17 at 08:09
`Oct 6 14:06:02 iPhone neagent(NetworkExtension)[871] : ikev2_ike_auth_initiator_recei:259 Certificate authentication data could not be verified` — Varun Taliyan, Oct 06 '17 at 08:49
As already mentioned, this indicates that the client can't verify the server certificate. Make sure the client has the CA certificate installed. Do you use an intermediate CA? — ecdsa, Oct 06 '17 at 11:45
No, I'm just generating a CA and HOST Certificate. and then making a .p12 of CA. Can you please tell me how to use intermediate CA. — Varun Taliyan, Oct 06 '17 at 11:48
When I install the CA file and then try to connect to VPN it works like a charm. But when I'm Installing the .p12 file it shows the Certificates profile in Settings > Generals > VPNs but it doesn't work for VPNs — Varun Taliyan, Oct 06 '17 at 12:11
Why generate a PKCS#12 file if you don't use client certificates? Just install the CA certificate if that works fine. — ecdsa, Oct 06 '17 at 12:40
We are using NetworkExtension framework of iOS to connect to VPN, It requires .p12 file to automatically connects to a client. So we have to do it Programatacally. Its working fine when we manullay install the p12 file. But we need to make it automated. — Varun Taliyan, Oct 09 '17 at 05:57

score 0 · Answer 1 · answered May 26 '19 at 06:40

0

you need to add the certificate /etc/ipsec.d/certs/vpn-server-cert.pem to the macbook by double clicking on it and establish full trust for it (setting "certificate use parameters") in the settings of the MacBook certificate store

answered May 26 '19 at 06:40

Alexander Gubenko

1

Except OP mentions using iOS. – jorisw Aug 13 '21 at 09:38

Strongswan IKEv2 for iOS devices

1 Answers1