[Swan] help configuring ikev2
Paul Wouters
paul at nohats.ca
Sat Feb 10 22:30:24 UTC 2018
On Sat, 10 Feb 2018, Ali wrote:
> Lately I've been trying to configure a server running LibreSwan 3.23
> as an IKEv2 daemon to get my iOS (configured with mobileconfig) device
> to establish a secure tunnel, however all connection attempts seem to
> fail, with the following error:
> Feb 10 21:56:37.682642: | I am receiving an IKEv2 Request ISAKMP_v2_SA_INIT
> Feb 10 21:56:37.683323: | initial parent SA message received on
> 5.6.7.8:500 but no connection has been authorized with policy
> AUTHNULL+IKEV2_ALLOW
This suggests your connection did not load properly. Verify this with:
ipsec auto --add ikev2
> conn ikev2
> left=1.2.3.4 # server ip address
> leftca=ca-certificate
> leftcert=donkey-shaft-century
> leftid=%fromcert
> leftsendcert=always
> leftsubnet=1.2.3.4/32
> leftrsasigkey=%cert
> right=%any
> rightaddresspool=192.168.42.10-192.168.42.250
> rightca=%same
> rightrsasigkey=%cert
> modecfgdns=8.8.8.8,8.8.4.4
> narrowing=no
> dpddelay=30
> dpdtimeout=120
> mobike=yes
> dpdaction=clear
> auto=start
> ikev2=insist
> rekey=no
> sha2-truncbug=no
> fragmentation=yes
> encapsulation=yes
> ike=aes_gcm128-sha2;dh19
> phase2alg=aes_gcm_c-128-null;dh19
> phase2=esp
You have auto=start which is preventing this connection from loading,
because auto=start means to initiate the connection after loading it,
but it cannot initiate to "%any".
Try changing auto=start to auto=add.
I also recommend leaving encapsulation= at its default auto setting, or
else you will see problems for clients not behind NAT.
For iOS, you also really want leftid=@yourdnsname or else it will likely
reject the connection. This dns name also has to be a SubjectAltName on
the gateway certificate.
You likely also need to add leftsubnet=0.0.0.0/0 or limit it to the
subnet you want to give access to. Right now, you are only providing a
vpn to 1.2.3.4 itself.
And you have the wrong narrowing= option.
For a complete working example config, see:
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
Paul
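As an added illustration (not part of Paul's message or the libreswan wiki), here is Ali's conn with the changes recommended above applied; vpn.example.com is a placeholder DNS name, and narrowing=yes is an assumption since the reply only says narrowing=no is wrong:

```ini
# Added illustration: the quoted conn with the recommended fixes applied.
# vpn.example.com and the certificate nickname are placeholders.
conn ikev2
    left=1.2.3.4                    # server IP address
    leftca=ca-certificate
    leftcert=donkey-shaft-century
    leftid=@vpn.example.com         # DNS name; must also be a SubjectAltName on the gateway cert
    leftsendcert=always
    leftsubnet=0.0.0.0/0            # full tunnel; or restrict to the subnet clients may reach
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.42.10-192.168.42.250
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,8.8.4.4
    narrowing=yes                   # assumed: the reply says narrowing=no is wrong
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    mobike=yes
    auto=add                        # was auto=start, which cannot initiate to %any
    ikev2=insist
    rekey=no
    sha2-truncbug=no
    fragmentation=yes
    # encapsulation= dropped: leave it at the default "auto", forcing it breaks non-NAT clients
    ike=aes_gcm128-sha2;dh19
    phase2alg=aes_gcm_c-128-null;dh19
    phase2=esp
```

After editing, `ipsec auto --add ikev2` should load the conn without complaint; the original "no connection has been authorized" log line is the symptom of it never being loaded.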