0

I want to connect to a strongSwan IKEv2 VPN from iOS devices. It uses a FreeRADIUS server for AAA of users.

It's already working perfectly on Android and Windows devices, but when I try to connect using an iOS device it shows the logs below. I'm manually creating a VPN profile and manually installing the .p12 certificate for server authentication.

server hostname: nas.example.com
server ip: 89.89.89.89
client ip: 99.99.99.99

ipsec.conf

config setup
    charondebug="all"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=3600s
    dpdtimeout=5s
    rekey=no
    left=%any
    leftid=89.89.89.89
    leftcert=vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    #rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

server side logs

Oct 06 02:14:43 nas.example.com charon[3607]: 13[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (604 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] remote host is behind NAT
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (38 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (476 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] remote host is behind NAT
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (316 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] received packet: from 99.99.99.99[4500] to 89.89.89.89[4500] (484 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] unknown attribute type (25)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] looking for peer configs matching 89.89.89.89[89.89.89.89]...99.99.99.99[varun]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] selected peer config 'ikev2-vpn'
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] peer supports MOBIKE
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] authentication of '89.89.89.89' (myself) with RSA signature successful
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] sending end entity cert "C=US, O=nas.example.com, CN=89.89.89.89"
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (1248 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:12 nas.example.com charon[3607]: 16[JOB] deleting half open IKE_SA with 99.99.99.99 after timeout

Any help will be appreciated. Thanks
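The charon excerpt above can be replayed mechanically to see exactly where the handshake stopped. The following is an added example, not code from the original post: a small Python state tracker that parses the charon message formats shown in the question (the regexes are written against those lines and nothing else), records the DH-group negotiation and every IKE_AUTH message the server sent, and turns the final "deleting half open IKE_SA" into a hint about which side gave up. The sample log is a constructed, trimmed copy of the lines quoted above; the hints are general interpretations of those IKEv2 states, not a diagnosis pulled from the post.

```python
"""Replay strongSwan charon log lines and report where an IKEv2 handshake stalled.

Added example, not part of the original post. SAMPLE_LOG is a constructed,
trimmed copy of the charon lines quoted in the question.
"""
import re

SAMPLE_LOG = """\
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] looking for peer configs matching 89.89.89.89[89.89.89.89]...99.99.99.99[varun]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] sending end entity cert "C=US, O=nas.example.com, CN=89.89.89.89"
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 06 02:15:12 nas.example.com charon[3607]: 16[JOB] deleting half open IKE_SA with 99.99.99.99 after timeout
"""

# "Oct 06 02:15:00 host charon[3607]: 14[ENC] message" -> (thread, subsystem, message)
LINE = re.compile(r'^\w{3} \d\d \S+ \S+ charon\[\d+\]: (\d+)\[(\w+)\] (.*)$')

# Message patterns taken from the charon output shown in the question.
EVENTS = [
    ("dh_mismatch", re.compile(r'DH group (\S+) inacceptable, requesting (\S+)')),
    ("init_resp",   re.compile(r'generating IKE_SA_INIT response \d+ \[ (.*) \]')),
    ("auth_req",    re.compile(r'parsed IKE_AUTH request (\d+) \[ (.*) \]')),
    ("peer_id",     re.compile(r'looking for peer configs matching .*\.\.\.(\S+?)\[(.*)\]')),
    ("auth_resp",   re.compile(r'generating IKE_AUTH response (\d+) \[ (.*) \]')),
    ("fragments",   re.compile(r'splitting IKE message .* into (\d+) fragments')),
    ("established", re.compile(r'IKE_SA \S+ established')),
    ("half_open",   re.compile(r'deleting half open IKE_SA with (\S+) after timeout')),
]


def analyze(log_text):
    """Walk the log once and summarise how far the IKEv2 exchange got."""
    r = {"peer": None, "client_id": None, "dh_downgrade": None, "init_responses": 0,
         "auth_requests": 0, "server_sent": [], "fragments": 0,
         "outcome": "in progress", "hints": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        for name, pat in EVENTS:
            hit = pat.search(msg)
            if not hit:
                continue
            if name == "dh_mismatch":
                r["dh_downgrade"] = (hit.group(1), hit.group(2))
            elif name == "init_resp" and "INVAL_KE" not in hit.group(1):
                r["init_responses"] += 1          # a real response, not the INVAL_KE bounce
            elif name == "auth_req":
                r["auth_requests"] += 1
            elif name == "peer_id":
                r["peer"], r["client_id"] = hit.group(1), hit.group(2)
            elif name == "auth_resp" and not hit.group(2).startswith("EF("):
                r["server_sent"].append(hit.group(2))  # skip the per-fragment EF(n/m) lines
            elif name == "fragments":
                r["fragments"] = int(hit.group(1))
            elif name == "established":
                r["outcome"] = "established"
            elif name == "half_open":
                r["outcome"] = "half-open timeout"
                r["peer"] = r["peer"] or hit.group(1)
            break

    if r["dh_downgrade"]:
        offered, forced = r["dh_downgrade"]
        r["hints"].append(f"client offered {offered}, server answered INVAL_KE and forced {forced}; "
                          f"add {offered} (or stronger) to ike= instead of downgrading the client")
    if r["outcome"] == "half-open timeout":
        last = r["server_sent"][-1] if r["server_sent"] else None
        if last is None:
            r["hints"].append("client never sent IKE_AUTH: check UDP 500/4500 reachability and NAT-T")
        elif "CERT" in last and "EAP/REQ/ID" in last:
            r["hints"].append("client went silent after receiving the server certificate and the EAP "
                              "identity request: it aborted locally (check trust in the server cert and "
                              "that the profile's Remote ID matches leftid); no RADIUS round trip happened")
        else:
            r["hints"].append(f"client stopped answering after the server sent [{last}]")
    return r


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key:>15}: {value}")
```

Run it against a full `charondebug` capture instead of the sample and the `server_sent` list tells you the last message the server put on the wire; a timeout right after `IDr CERT AUTH EAP/REQ/ID` means the client received the server's authentication and then chose not to continue, which is a client-side decision rather than a FreeRADIUS one.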

2 Answers

0

On iOS/macOS you don't need to install the certificate if you are using EAP. You can make two types of conn profile. The one that works best for me is as follows.

config setup
   strictcrlpolicy=no
   uniqueids=never
conn %default
   keyexchange=ikev2
   ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
   esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
   leftid=111.111.111.111
   ikelifetime=24h
   keylife=24h
   dpdaction=clear
   dpdtimeout=3600s
   dpddelay=1800s
   compress=no
   rekey=yes
   inactivity=1800s
   forceencaps=yes
   left=%defaultroute
   leftsubnet=0.0.0.0/0,::/0
   leftfirewall=yes
   rightsourceip=10.10.0.0/16,2001:db8::3:0/16
   fragmentation=yes
   right=%any
   mobike=yes
   rekeymargin=1m
   keyingtries=1
   lefthostaccess=yes
   type=tunnel

conn IPSec-IKEv2
  leftauth=pubkey
  leftcert=vpnHostCert.pem
  rightid=%any
  eap_identity=%any
  auto=add

conn IOS-PSK-VPN
   also=IPSec-IKEv2
   rightauth=psk
   rightsendcert=never

conn IOS-EAP-VPN
   also=IPSec-IKEv2
   rightauth=eap-mschapv2
   rightsendcert=never

conn IOS-EAP-Radius
   also=IPSec-IKEv2
   rightauth=eap-radius
   rightsendcert=never

conn windows-android
        also=IPSec-IKEv2
        rightauth=pubkey
        rightcert=userCert.pem

We have created a .sh file to install strongSwan on Ubuntu and run the IPsec VPN. The script can be found at

https://0a0.uk/ss

You can also use our IKEv2 app, which works on iOS and macOS and can be downloaded from the App Store under the name Brooog IKEv2

Brooog
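The proposal lists in an ipsec.conf like the one above are long enough that weak entries (3DES, SHA-1, MODP-1024) and duplicated keys are easy to miss, and `also=` plus `conn %default` inheritance means a conn's effective settings are not what is written under its own name. As an added example, not code from this answer or from strongSwan, here is a Python auditor that resolves that inheritance and flags the weak tokens. The sample config is constructed to mirror the answer's layout, with a hardened conn added for contrast; the token classification is a simplified reading of strongSwan's `enc-integ-prf-dh` proposal syntax, and the merge order (`%default`, then `also=` targets, then the conn's own keys, later duplicates winning) is an assumption of the script, which is why it reports duplicates rather than relying on that order.

```python
"""Audit ipsec.conf proposals after resolving %default and also= inheritance.

Added example, not part of the answer. SAMPLE_CONF is constructed for the
demonstration; token classification is a simplified view of strongSwan's syntax.
"""

# Constructed sample: weak proposals in %default (as in the question), a base
# conn pulled in via also=, and one conn that overrides with a modern proposal.
SAMPLE_CONF = """\
config setup
    uniqueids=never

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    keyingtries=%forever
    keyingtries=1

conn base
    leftauth=pubkey
    leftcert=vpnHostCert.pem   # hypothetical file name
    rightid=%any
    auto=add

conn ios-eap-radius
    also=base
    rightauth=eap-radius
    rightsendcert=never

conn ios-eap-hardened
    also=base
    rightauth=eap-radius
    rightsendcert=never
    ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048!
    esp=aes256gcm16-ecp384,aes256-sha256-modp2048!
"""

WEAK = {
    "3des": "64-bit block cipher (Sweet32)", "des": "56-bit key",
    "md5": "broken hash", "sha1": "deprecated integrity/PRF",
    "modp768": "DH group far too small", "modp1024": "DH group below 2048 bits",
    "modp1536": "DH group below 2048 bits",
}
DH_PREFIXES = ("modp", "ecp", "curve")


def parse_ipsec_conf(text):
    """Return {section: [(key, value), ...]} keeping order and duplicates.
    'config setup' is stored under 'config'; conns under their own name."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else kind
            sections[current] = []
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def effective(sections, name, seen=()):
    """Merge %default, then each also= target (recursively), then the conn's own keys.
    Assumed order; duplicates inside one section are resolved last-wins here."""
    merged = dict(sections.get("%default", [])) if name != "%default" else {}
    own = sections.get(name, [])
    for key, value in own:
        if key == "also" and value not in seen:
            merged.update(effective(sections, value, seen + (name,)))
    for key, value in own:
        if key != "also":
            merged[key] = value
    return merged


def split_proposals(value):
    """'aes256-sha1-modp1024,3des-sha1-modp1024!' -> (strict, [[tokens], ...])"""
    strict = value.endswith("!")
    return strict, [p.split("-") for p in value.rstrip("!").split(",") if p]


def audit(text):
    """Return (section, key, message) findings for duplicates and weak proposals."""
    sections = parse_ipsec_conf(text)
    findings = []
    for name, items in sections.items():
        keys = [k for k, _ in items]
        for key in sorted(set(keys)):
            if keys.count(key) > 1:
                findings.append((name, key, "duplicate key; only one value can take effect, remove the other"))
    for name in sections:
        if name in ("config", "%default"):
            continue
        conf = effective(sections, name)
        for key in ("ike", "esp"):
            if key not in conf:
                findings.append((name, key, "no proposal set; strongSwan default applies"))
                continue
            strict, proposals = split_proposals(conf[key])
            if not strict:
                findings.append((name, key, "missing trailing '!': default proposal is appended"))
            for prop in proposals:
                label = "-".join(prop)
                for tok in prop:
                    if tok in WEAK:
                        findings.append((name, key, f"{label}: {tok} is weak ({WEAK[tok]})"))
                if key == "esp" and not any(t.startswith(DH_PREFIXES) for t in prop):
                    findings.append((name, key, f"{label}: no DH group, so no PFS on CHILD_SA rekey"))
    return findings


if __name__ == "__main__":
    for section, key, msg in audit(SAMPLE_CONF):
        print(f"{section:<18} {key:<12} {msg}")
```

The useful property is that `ios-eap-radius` inherits the weak `ike=`/`esp=` lines from `%default` even though its own section never mentions them, while `ios-eap-hardened` is clean because its own keys override the inherited ones; running the auditor over the answer's full config shows the same pattern for every conn that relies on `also=IPSec-IKEv2`.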
0

You need to add the certificate /etc/ipsec.d/certs/vpn-server-cert.pem to the MacBook by double-clicking on it and establish full trust for it (setting "certificate use parameters") in the settings of the MacBook certificate store.