
I want to connect to a strongSwan IKEv2 VPN from iOS devices. It uses a FreeRADIUS server for AAA of users.

It's already working perfectly on Android and Windows devices, but when I try to connect using an iOS device it shows the logs below. I'm manually making a VPN profile and manually installing the .p12 certificates for server authentication.

server hostname: nas.example.com
server ip: 89.89.89.89
client ip: 99.99.99.99

ipsec.conf

config setup
    charondebug="all"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=yes
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=3600s
    dpdtimeout=5s
    rekey=no
    left=%any
    leftid=89.89.89.89
    leftcert=vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    #rightauth=eap-mschapv2
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/24
    rightsendcert=never
    eap_identity=%identity

Server-side logs

Oct 06 02:14:43 nas.example.com charon[3607]: 13[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (604 bytes)
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] remote host is behind NAT
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 06 02:15:00 nas.example.com charon[3607]: 14[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (38 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] received packet: from 99.99.99.99[500] to 89.89.89.89[500] (476 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] remote host is behind NAT
Oct 06 02:15:01 nas.example.com charon[3607]: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[NET] sending packet: from 89.89.89.89[500] to 99.99.99.99[500] (316 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] received packet: from 99.99.99.99[4500] to 89.89.89.89[4500] (484 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] unknown attribute type (25)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] looking for peer configs matching 89.89.89.89[89.89.89.89]...99.99.99.99[varun]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[CFG] selected peer config 'ikev2-vpn'
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] peer supports MOBIKE
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] authentication of '89.89.89.89' (myself) with RSA signature successful
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] sending end entity cert "C=US, O=nas.example.com, CN=89.89.89.89"
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (1248 bytes)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[NET] sending packet: from 89.89.89.89[4500] to 99.99.99.99[4500] (792 bytes)
Oct 06 02:15:12 nas.example.com charon[3607]: 16[JOB] deleting half open IKE_SA with 99.99.99.99 after timeout

Any help will be appreciated. Thanks.

Varun Taliyan
    It seems the client doesn't like the IKE_AUTH response. A likely problem is that it can't validate the server certificate, e.g. because it is missing the CA certificate (make sure it is installed and trusted). You could try to get the client logs via Xcode. – ecdsa Oct 06 '17 at 08:09
  • `Oct 6 14:06:02 iPhone neagent(NetworkExtension)[871] : ikev2_ike_auth_initiator_recei:259 Certificate authentication data could not be verified` – Varun Taliyan Oct 06 '17 at 08:49
  • As already mentioned, this indicates that the client can't verify the server certificate. Make sure the client has the CA certificate installed. Do you use an intermediate CA? – ecdsa Oct 06 '17 at 11:45
  • No, I'm just generating a CA and host certificate, and then making a .p12 of the CA. Can you please tell me how to use an intermediate CA. – Varun Taliyan Oct 06 '17 at 11:48
  • When I install the CA file and then try to connect to the VPN it works like a charm. But when I'm installing the .p12 file it shows the certificate profile in Settings > General > VPN, but it doesn't work for VPNs – Varun Taliyan Oct 06 '17 at 12:11
  • Why generate a PKCS#12 file if you don't use client certificates? Just install the CA certificate if that works fine. – ecdsa Oct 06 '17 at 12:40
  • We are using the NetworkExtension framework of iOS to connect to the VPN. It requires a .p12 file to automatically connect a client, so we have to do it programmatically. It's working fine when we manually install the .p12 file, but we need to make it automated. – Varun Taliyan Oct 09 '17 at 05:57
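The server log above shows the server answering the first IKE_SA_INIT with INVALID_KE_PAYLOAD (the client offered MODP_2048, the server only allows MODP_1024), then sending IDr/CERT/AUTH plus the first EAP request, and then hearing nothing until the half-open timeout. That silence after IKE_AUTH is the pattern ecdsa reads as the client rejecting the server's authentication. The script below is an added example, not part of the question or of strongSwan; it parses charon syslog lines of the shape shown above (assumed format) and attributes events to the most recently seen peer, so it is meant for one client attempt at a time, which is what the question's log contains. Both embedded logs are constructed: the first is a subset of the question's lines, the second shows what the same attempt looks like once it establishes.

```python
"""Triage one IKEv2 client attempt from a strongSwan charon log.
Added example, not part of the question or of strongSwan. Assumes the charon
syslog line shape shown in the question and attributes events to the most
recently seen peer, so it is meant for one client attempt at a time."""
import re

LINE_RE = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ charon\[\d+\]: "
                     r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
# One pattern per event of interest, matched against the message text.
EVENTS = {
    "init": re.compile(r"^(?P<peer>\S+) is initiating an IKE_SA$"),
    "dh_retry": re.compile(r"^DH group (?P<got>\S+) inacceptable, requesting (?P<want>\S+)$"),
    "local_auth": re.compile(r"^authentication of '(?P<id>[^']+)' \(myself\) with .+ successful$"),
    "cert": re.compile(r'^sending end entity cert "(?P<dn>.+)"$'),
    "auth_resp": re.compile(r"^generating IKE_AUTH response \d+ \[ (?P<payloads>.+) \]$"),
    "eap": re.compile(r"^initiating (?P<method>EAP_\w+) method"),
    "established": re.compile(r"^IKE_SA \S+ established between"),
    "timeout": re.compile(r"^deleting half open IKE_SA with (?P<peer>\S+) after timeout$"),
}

# Constructed subset of the question's log: the failing iOS attempt.
FAILED_ATTEMPT = """\
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:00 nas.example.com charon[3607]: 14[IKE] DH group MODP_2048 inacceptable, requesting MODP_1024
Oct 06 02:15:00 nas.example.com charon[3607]: 14[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 06 02:15:01 nas.example.com charon[3607]: 15[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] authentication of '89.89.89.89' (myself) with RSA signature successful
Oct 06 02:15:01 nas.example.com charon[3607]: 03[IKE] sending end entity cert "C=US, O=nas.example.com, CN=89.89.89.89"
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 02:15:01 nas.example.com charon[3607]: 03[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 06 02:15:12 nas.example.com charon[3607]: 16[JOB] deleting half open IKE_SA with 99.99.99.99 after timeout
"""
# Constructed: the same attempt once the client accepts the server certificate.
GOOD_ATTEMPT = """\
Oct 06 03:00:00 nas.example.com charon[3607]: 05[IKE] 99.99.99.99 is initiating an IKE_SA
Oct 06 03:00:01 nas.example.com charon[3607]: 06[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Oct 06 03:00:03 nas.example.com charon[3607]: 07[IKE] IKE_SA ikev2-vpn[2] established between 89.89.89.89[89.89.89.89]...99.99.99.99[varun]
"""


def analyze(log_text):
    """Walk the log once; return what the server did plus (code, message) findings."""
    s = {"peer": None, "dh_retry": None, "local_id": None, "cert_dn": None,
         "auth_response_sent": False, "eap_method": None,
         "established": False, "half_open_timeout": False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                     # not a charon line; ignore
        msg = m.group("msg")
        for name, pat in EVENTS.items():
            pm = pat.match(msg)
            if not pm:
                continue
            if name == "init":
                s["peer"] = pm.group("peer")
            elif name == "dh_retry":
                s["dh_retry"] = (pm.group("got"), pm.group("want"))
            elif name == "local_auth":
                s["local_id"] = pm.group("id")
            elif name == "cert":
                s["cert_dn"] = pm.group("dn")
            elif name == "auth_resp" and "AUTH" in pm.group("payloads").split():
                s["auth_response_sent"] = True   # CERT/AUTH left the server
            elif name == "eap":
                s["eap_method"] = pm.group("method")
            elif name == "established":
                s["established"] = True
            elif name == "timeout":
                s["half_open_timeout"] = True
            break
    s["findings"] = diagnose(s)
    return s


def diagnose(s):
    """Map the observed state to findings a VPN admin can act on."""
    f = []
    if s["dh_retry"]:
        got, want = s["dh_retry"]
        f.append(("dh_mismatch", f"client proposed {got}; server answered INVALID_KE_PAYLOAD "
                                 f"and forced {want}, costing an extra round trip"))
        if want in ("MODP_768", "MODP_1024"):
            f.append(("weak_dh", f"{want} is below current guidance; offer MODP_2048 or an ECP group in ike="))
    if s["auth_response_sent"] and s["half_open_timeout"] and not s["established"]:
        f.append(("client_dropped_after_ike_auth",
                  "server sent IDr/CERT/AUTH and the first EAP request, then heard nothing until the "
                  "half-open timeout: the client rejected the server's authentication, usually because "
                  "it does not trust the issuing CA or the identity does not match the certificate"))
    return f
```

Run it against `FAILED_ATTEMPT` and the findings name both the DH-group mismatch and the silent drop after IKE_AUTH; against `GOOD_ATTEMPT` it reports nothing. The client-side confirmation is still the iOS log line quoted in the comments ("Certificate authentication data could not be verified"), which this script cannot see.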

2 Answers


On iOS/Mac you don't need to install the certificate if you are using EAP. You can make two types of conn profile. The one that works best for me is as follows.

config setup
    strictcrlpolicy=no
    uniqueids=never

conn %default
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    leftid=111.111.111.111
    ikelifetime=24h
    keylife=24h
    dpdaction=clear
    dpdtimeout=3600s
    dpddelay=1800s
    compress=no
    rekey=yes
    inactivity=1800s
    forceencaps=yes
    left=%defaultroute
    leftsubnet=0.0.0.0/0,::/0
    rightsourceip=%config4,%config6
    leftfirewall=yes
    rightsourceip=10.10.0.0/16,2001:db8::3:0/16
    keyingtries=%forever
    fragmentation=yes
    right=%any
    mobike=yes
    rekeymargin=1m
    keyingtries=1
    lefthostaccess=yes
    type=tunnel

conn IPSec-IKEv2
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    rightid=%any
    eap_identity=%any
    auto=add

conn IOS-PSK-VPN
    also=IPSec-IKEv2
    rightauth=psk
    rightsendcert=never

conn IOS-EAP-VPN
    also=IPSec-IKEv2
    rightauth=eap-mschapv2
    rightsendcert=never

conn IOS-EAP-Radius
    also=IPSec-IKEv2
    rightauth=eap-radius
    rightsendcert=never

conn windows-android
    also=IPSec-IKEv2
    rightauth=pubkey
    rightcert=userCert.pem
We have created a .sh file to install strongSwan on Ubuntu and run the IPsec VPN. The script can be found at

https://0a0.uk/ss

You can also use our IKEv2 app, which works for iOS and Mac and can be downloaded from the App Store under the name Brooog IKEv2.

Brooog
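Both the question's ipsec.conf and the one in this answer carry things worth flagging before the profile is handed to iOS clients: proposals that still offer modp1024 and 3des (the question's lists end in `!`, so there is no fallback), `rightsourceip=` and `keyingtries=` each set twice in `conn %default` above (only one value can apply), a `rightauth=psk` conn used with `rightid=%any`, and a `leftid` that is an IP literal, which the server certificate then has to carry as a subjectAltName and which only helps once the client trusts the issuing CA. The linter below is an added example, not strongSwan tooling and not from either answer. It assumes `also=` and `conn %default` resolve as described in ipsec.conf(5), with a conn's own settings taking precedence, and for a key repeated inside one section it keeps the last value while reporting the repeat. The two embedded configs are constructed, abbreviated copies of the ones on this page.

```python
"""Lint a strongSwan ipsec.conf before handing the profile to iOS clients.
Added example, not strongSwan tooling. Assumes also= / conn %default resolve as
in ipsec.conf(5) (a conn's own settings win) and keeps the last value of a key
repeated in one section while reporting the repeat."""
import re
from collections import OrderedDict

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
WEAK_ALGS = {"des", "3des", "md5", "null", "modp768", "modp1024", "modp1536"}

# Constructed, abbreviated copy of the question's ipsec.conf.
QUESTION_CONF = """\
conn ikev2-vpn
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    leftid=89.89.89.89
    leftcert=vpn-server-cert.pem
    rightid=%any
    rightauth=eap-radius
    #rightauth=eap-mschapv2
    rightsendcert=never
"""
# Constructed, abbreviated copy of the answer's layout (repeated keys kept).
ANSWER_CONF = """\
conn %default
    ike=aes256-sha256-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256gcm16,aes128-sha1,3des-sha1!
    leftid=111.111.111.111
    rightsourceip=%config4,%config6
    rightsourceip=10.10.0.0/16,2001:db8::3:0/16
    keyingtries=%forever
    keyingtries=1
    right=%any
conn IPSec-IKEv2
    leftauth=pubkey
    leftcert=vpnHostCert.pem
    rightid=%any
conn IOS-PSK-VPN
    also=IPSec-IKEv2
    rightauth=psk
conn IOS-EAP-Radius
    also=IPSec-IKEv2
    rightauth=eap-radius
"""


def parse_ipsec_conf(text):
    """Return (sections, duplicates); sections maps 'conn NAME'/'config setup' to key->value."""
    sections, dups, current = OrderedDict(), [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments, accept any indentation
        if line.startswith(("conn ", "config ")):
            current = line
            sections.setdefault(current, OrderedDict())
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in sections[current]:
                dups.append((current, key))     # report, then let the last value win
            sections[current][key] = value
    return sections, dups


def resolve_conn(sections, name):
    """Flatten conn %default, then the also= chain, then the conn's own settings."""
    own = sections[f"conn {name}"]
    merged = OrderedDict(sections.get("conn %default", {}))
    if "also" in own:
        merged.update(resolve_conn(sections, own["also"]))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def weak_tokens(proposals):
    """Split 'aes256-sha1-modp1024,3des-sha1!' into tokens; return (strict, weak ones)."""
    strict = proposals.endswith("!")
    tokens = re.split(r"[-,]", proposals.rstrip("!"))
    return strict, sorted({t for t in tokens if t in WEAK_ALGS})


def lint(text):
    """Return (sections, [(code, message), ...]) covering every non-default conn."""
    sections, dups = parse_ipsec_conf(text)
    findings = [("duplicate_key", f"{sec}: '{key}' set more than once; only the last value applies")
                for sec, key in dups]
    for sec in sections:
        if not sec.startswith("conn ") or sec == "conn %default":
            continue
        name = sec[len("conn "):]
        c = resolve_conn(sections, name)
        for param in ("ike", "esp"):
            if param in c:
                strict, weak = weak_tokens(c[param])
                if weak:
                    findings.append(("weak_algorithm", f"{name}: {param}= offers {', '.join(weak)}"
                                     + (" (strict list, no fallback)" if strict else "")))
        if c.get("rightauth") == "psk" and c.get("rightid", "%any") == "%any":
            findings.append(("wildcard_psk", f"{name}: rightauth=psk with rightid=%any shares one secret with every client"))
        leftid = c.get("leftid")
        if leftid and IP_RE.match(leftid):
            findings.append(("ip_identity", f"{name}: leftid={leftid} is an IP literal; the server certificate must list it as a subjectAltName and clients must trust the issuing CA"))
    return sections, findings
```

`lint(QUESTION_CONF)` reports weak algorithms on both `ike=` and `esp=` (strict) plus the IP identity; `lint(ANSWER_CONF)` additionally reports the two repeated keys in `%default` and the wildcard PSK conn, and `resolve_conn` shows which `rightsourceip` value actually reaches `IOS-PSK-VPN` through the `also=` chain.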

You need to add the certificate /etc/ipsec.d/certs/vpn-server-cert.pem to the MacBook by double-clicking on it and establish full trust for it (setting "certificate use parameters") in the settings of the MacBook certificate store.