[Swan] help configuring ikev2

Ali alimakki at gmail.com
Sat Feb 10 22:13:54 UTC 2018


Hello everyone,

Lately I've been trying to configure a server running LibreSwan 3.23
as an IKEv2 daemon so that my iOS device (configured with mobileconfig)
can establish a secure tunnel. However, all connection attempts seem to
fail with the following error:

Feb 10 21:56:37.677482: | *received 224 bytes from 1.2.3.4:21701 on ens3 (port=500)
Feb 10 21:56:37.679257: |   62 66 d3 4f  65 35 68 35  00 00 00 00  00 00 00 00
Feb 10 21:56:37.679412: |   21 20 22 08  00 00 00 00  00 00 00 e0  22 00 00 28
Feb 10 21:56:37.679530: |   00 00 00 24  01 01 00 03  03 00 00 0c  01 00 00 14
Feb 10 21:56:37.679619: |   80 0e 00 80  03 00 00 08  02 00 00 05  00 00 00 08
Feb 10 21:56:37.679706: |   04 00 00 13  28 00 00 48  00 13 00 00  3e 5d 38 72
Feb 10 21:56:37.679817: |   cd 67 bc 3d  f1 4d 15 94  90 92 e4 5a  e9 2a 7e 2b
Feb 10 21:56:37.679960: |   90 4c d1 16  a6 ba c8 23  62 fd e1 c5  8e 6b 25 d3
Feb 10 21:56:37.680066: |   b9 a5 f9 dc  b6 ba 17 60  c2 f8 19 c7  df b6 e3 c7
Feb 10 21:56:37.680161: |   e2 87 a7 2c  1d 1c 66 01  d6 be 0a aa  29 00 00 14
Feb 10 21:56:37.680385: |   02 25 a4 5f  90 90 85 2c  17 a3 69 03  92 12 1b 62
Feb 10 21:56:37.680503: |   29 00 00 1c  00 00 40 04  b5 d4 27 5d  9f 9c 8d 43
Feb 10 21:56:37.680683: |   89 02 b5 9d  45 33 a6 31  ab 95 49 55  29 00 00 1c
Feb 10 21:56:37.680837: |   00 00 40 05  5e fe d4 93  a2 00 25 d2  20 cd 68 9c
Feb 10 21:56:37.680999: |   b8 48 93 e3  80 1d da d9  00 00 00 08  00 00 40 2e
Feb 10 21:56:37.681135: | processing: start from 1.2.3.4:21701 (in comm_handle() at demux.c:373)
Feb 10 21:56:37.681314: | **parse ISAKMP Message:
Feb 10 21:56:37.681443: |    initiator cookie:
Feb 10 21:56:37.681560: |   62 66 d3 4f  65 35 68 35
Feb 10 21:56:37.681657: |    responder cookie:
Feb 10 21:56:37.681760: |   00 00 00 00  00 00 00 00
Feb 10 21:56:37.681876: |    next payload type: ISAKMP_NEXT_v2SA (0x21)
Feb 10 21:56:37.681976: |    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Feb 10 21:56:37.682071: |    exchange type: ISAKMP_v2_SA_INIT (0x22)
Feb 10 21:56:37.682175: |    flags: ISAKMP_FLAG_v2_IKE_INIT (0x8)
Feb 10 21:56:37.682312: |    message ID:  00 00 00 00
Feb 10 21:56:37.682476: |    length: 224 (0xe0)
Feb 10 21:56:37.682608: |  processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
Feb 10 21:56:37.682642: | I am receiving an IKEv2 Request ISAKMP_v2_SA_INIT
Feb 10 21:56:37.682649: | I am the IKE SA Original Responder
Feb 10 21:56:37.682675: | icookie table: hash icookie 62 66 d3 4f  65 35 68 35 to 6176665531611921301 slot 0x557c388bf140
Feb 10 21:56:37.682691: | parent_init v2 state object not found
Feb 10 21:56:37.682702: | from_state is STATE_UNDEFINED
Feb 10 21:56:37.682714: | Unpacking clear payload for svm: Respond to IKE_SA_INIT
Feb 10 21:56:37.682725: | Now let's proceed with payload (ISAKMP_NEXT_v2SA)
Feb 10 21:56:37.682738: | ***parse IKEv2 Security Association Payload:
Feb 10 21:56:37.682745: |    next payload type: ISAKMP_NEXT_v2KE (0x22)
Feb 10 21:56:37.682752: |    flags: none (0x0)
Feb 10 21:56:37.682758: |    length: 40 (0x28)
Feb 10 21:56:37.682764: | processing payload: ISAKMP_NEXT_v2SA (len=40)
Feb 10 21:56:37.682770: | Now let's proceed with payload (ISAKMP_NEXT_v2KE)
Feb 10 21:56:37.682782: | ***parse IKEv2 Key Exchange Payload:
Feb 10 21:56:37.682788: |    IKEv2 next payload type: ISAKMP_NEXT_v2Ni (0x28)
Feb 10 21:56:37.682794: |    flags: none (0x0)
Feb 10 21:56:37.682800: |    length: 72 (0x48)
Feb 10 21:56:37.682810: |    DH group: OAKLEY_GROUP_ECP_256 (0x13)
Feb 10 21:56:37.682817: | processing payload: ISAKMP_NEXT_v2KE (len=72)
Feb 10 21:56:37.682822: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni)
Feb 10 21:56:37.682829: | ***parse IKEv2 Nonce Payload:
Feb 10 21:56:37.682835: |    next payload type: ISAKMP_NEXT_v2N (0x29)
Feb 10 21:56:37.682840: |    flags: none (0x0)
Feb 10 21:56:37.682846: |    length: 20 (0x14)
Feb 10 21:56:37.682851: | processing payload: ISAKMP_NEXT_v2Ni (len=20)
Feb 10 21:56:37.682857: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Feb 10 21:56:37.682864: | ***parse IKEv2 Notify Payload:
Feb 10 21:56:37.682869: |    next payload type: ISAKMP_NEXT_v2N (0x29)
Feb 10 21:56:37.682875: |    flags: none (0x0)
Feb 10 21:56:37.682880: |    length: 28 (0x1c)
Feb 10 21:56:37.682886: |    Protocol ID: PROTO_v2_RESERVED (0x0)
Feb 10 21:56:37.682892: |    SPI size: 0 (0x0)
Feb 10 21:56:37.682899: |    Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004)
Feb 10 21:56:37.682905: | processing payload: ISAKMP_NEXT_v2N (len=28)
Feb 10 21:56:37.682910: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Feb 10 21:56:37.682916: | ***parse IKEv2 Notify Payload:
Feb 10 21:56:37.682922: |    next payload type: ISAKMP_NEXT_v2N (0x29)
Feb 10 21:56:37.682927: |    flags: none (0x0)
Feb 10 21:56:37.682933: |    length: 28 (0x1c)
Feb 10 21:56:37.682939: |    Protocol ID: PROTO_v2_RESERVED (0x0)
Feb 10 21:56:37.682944: |    SPI size: 0 (0x0)
Feb 10 21:56:37.682950: |    Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005)
Feb 10 21:56:37.682956: | processing payload: ISAKMP_NEXT_v2N (len=28)
Feb 10 21:56:37.682962: | Now let's proceed with payload (ISAKMP_NEXT_v2N)
Feb 10 21:56:37.682968: | ***parse IKEv2 Notify Payload:
Feb 10 21:56:37.682974: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Feb 10 21:56:37.682980: |    flags: none (0x0)
Feb 10 21:56:37.682985: |    length: 8 (0x8)
Feb 10 21:56:37.682991: |    Protocol ID: PROTO_v2_RESERVED (0x0)
Feb 10 21:56:37.682996: |    SPI size: 0 (0x0)
Feb 10 21:56:37.683002: |    Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e)
Feb 10 21:56:37.683019: | processing payload: ISAKMP_NEXT_v2N (len=8)
Feb 10 21:56:37.683026: | selected state microcode Respond to IKE_SA_INIT
Feb 10 21:56:37.683037: | #null state always idle
Feb 10 21:56:37.683045: | Now lets proceed with state specific processing
Feb 10 21:56:37.683050: | calling processor Respond to IKE_SA_INIT
Feb 10 21:56:37.683106: | anti-DDoS cookies not required (and no cookie received)
Feb 10 21:56:37.683131: | find_host_connection me=5.6.7.8:500 him=1.2.3.4:21701 policy=RSASIG+IKEV2_ALLOW
Feb 10 21:56:37.683140: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW
Feb 10 21:56:37.683146: | find_next_host_connection returns empty
Feb 10 21:56:37.683159: | find_host_connection me=5.6.7.8:500 him=%any:21701 policy=RSASIG+IKEV2_ALLOW
Feb 10 21:56:37.683167: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW
Feb 10 21:56:37.683172: | find_next_host_connection returns empty
Feb 10 21:56:37.683185: | initial parent SA message received on 5.6.7.8:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW
Feb 10 21:56:37.683198: | find_host_connection me=5.6.7.8:500 him=1.2.3.4:21701 policy=PSK+IKEV2_ALLOW
Feb 10 21:56:37.683206: | find_next_host_connection policy=PSK+IKEV2_ALLOW
Feb 10 21:56:37.683212: | find_next_host_connection returns empty
Feb 10 21:56:37.683224: | find_host_connection me=5.6.7.8:500 him=%any:21701 policy=PSK+IKEV2_ALLOW
Feb 10 21:56:37.683234: | find_next_host_connection policy=PSK+IKEV2_ALLOW
Feb 10 21:56:37.683243: | find_next_host_connection returns empty
Feb 10 21:56:37.683255: | initial parent SA message received on 5.6.7.8:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW
Feb 10 21:56:37.683266: | find_host_connection me=5.6.7.8:500 him=1.2.3.4:21701 policy=AUTHNULL+IKEV2_ALLOW
Feb 10 21:56:37.683276: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW
Feb 10 21:56:37.683285: | find_next_host_connection returns empty
Feb 10 21:56:37.683295: | find_host_connection me=5.6.7.8:500 him=%any:21701 policy=AUTHNULL+IKEV2_ALLOW
Feb 10 21:56:37.683304: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW
Feb 10 21:56:37.683313: | find_next_host_connection returns empty
Feb 10 21:56:37.683323: | initial parent SA message received on 5.6.7.8:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW
Feb 10 21:56:37.683357: packet from 1.2.3.4:21701: initial parent SA message received on 5.6.7.8:500 but no suitable connection found with IKEv2 policy
Feb 10 21:56:37.683376: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2326)
Feb 10 21:56:37.683385: | #0 complete v2 state transition from STATE_UNDEFINED with v2N_NO_PROPOSAL_CHOSEN
Feb 10 21:56:37.683391: | sending a notification reply
Feb 10 21:56:37.683434: packet from 1.2.3.4:21701: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 1.2.3.4:2170

My ikev2.conf file within /etc/ipsec.d/ looks like the following:

conn ikev2
    left=1.2.3.4 # server ip address
    leftca=ca-certificate
    leftcert=donkey-shaft-century
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=1.2.3.4/32
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.42.10-192.168.42.250
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,8.8.4.4
    narrowing=no
    dpddelay=30
    dpdtimeout=120
    mobike=yes
    dpdaction=clear
    auto=start
    ikev2=insist
    rekey=no
    sha2-truncbug=no
    fragmentation=yes
    encapsulation=yes
    ike=aes_gcm128-sha2;dh19
    phase2alg=aes_gcm_c-128-null;dh19
    phase2=esp

/etc/ipsec.conf:

version 2.0

config setup
  virtual_private=%v4:10.0.10.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
  protostack=netkey
  interfaces=%defaultroute
  logfile=/var/log/pluto.log
  plutodebug="all crypt"

include /etc/ipsec.d/*.conf

certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ca-certificate                                               CT,,
toddler-security                                             u,u,u
donkey-shaft-century                                         u,u,u


I'm at a bit of a loss and can't seem to find relevant information to
nudge me in the right direction, so any help would be appreciated. If
more info is needed, do let me know.

Thanks in advance,

Ali
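Added example (not from the post or from Libreswan): a small Python triage helper that reads pluto debug lines like the ones above, summarises the IKE_SA_INIT connection lookup (local endpoint, peer, auth policies tried, notify sent) and checks whether the conn's left= address matches the local address pluto actually received the packet on. The log excerpt and conn block are constructed, abridged copies of the ones in the post, and treating a left=/me= mismatch as something worth verifying is my assumption, not a diagnosis stated in the thread.

```python
import re

# Constructed, abridged copy of the pluto.log debug output quoted in the post,
# with the mail-wrapped lines rejoined; only lines the parser needs are kept.
PLUTO_LOG = """\
Feb 10 21:56:37.683131: | find_host_connection me=5.6.7.8:500 him=1.2.3.4:21701 policy=RSASIG+IKEV2_ALLOW
Feb 10 21:56:37.683198: | find_host_connection me=5.6.7.8:500 him=1.2.3.4:21701 policy=PSK+IKEV2_ALLOW
Feb 10 21:56:37.683266: | find_host_connection me=5.6.7.8:500 him=1.2.3.4:21701 policy=AUTHNULL+IKEV2_ALLOW
Feb 10 21:56:37.683357: packet from 1.2.3.4:21701: initial parent SA message received on 5.6.7.8:500 but no suitable connection found with IKEv2 policy
Feb 10 21:56:37.683434: packet from 1.2.3.4:21701: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 1.2.3.4:21701
"""

# Constructed, abridged copy of the conn block from the post.
IKEV2_CONF = """\
conn ikev2
    left=1.2.3.4 # server ip address
    right=%any
"""

FIND_RE = re.compile(r"find_host_connection me=(\S+) him=(\S+) policy=(\S+)")
NOTIFY_RE = re.compile(r"sending unencrypted notification (v2N_\w+)")
LEFT_RE = re.compile(r"^\s*left=(\S+)", re.MULTILINE)

def summarize_sa_init(log):
    """Return local endpoint, peer, auth policies tried and final notify for the exchange."""
    s = {"me": None, "him": None, "policies": [], "notify": None, "no_conn": False}
    for line in log.splitlines():
        m = FIND_RE.search(line)
        if m:
            s["me"], s["him"] = m.group(1), m.group(2)
            s["policies"].append(m.group(3).split("+")[0])  # RSASIG / PSK / AUTHNULL
        if "no suitable connection found" in line:
            s["no_conn"] = True
        n = NOTIFY_RE.search(line)
        if n:
            s["notify"] = n.group(1)
    return s

def check_left_matches(summary, conf):
    """Compare the conn's left= address with the 'me=' address pluto looked up."""
    findings = []
    m = LEFT_RE.search(conf)
    if m and summary["me"]:
        left, local_ip = m.group(1), summary["me"].rsplit(":", 1)[0]
        if left not in ("%defaultroute", "%any") and left != local_ip:
            findings.append(f"left={left} but packet was received on {local_ip}")
    if summary["no_conn"] and summary["notify"] == "v2N_NO_PROPOSAL_CHOSEN":
        findings.append("no conn matched any of " + "/".join(summary["policies"]))
    return findings
```

Point it at a real /var/log/pluto.log (with plutodebug enabled as in the post) and the conn file to get the same two-line summary for a live failure.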
