[Swan] help configuring ikev2

Paul Wouters paul at nohats.ca
Sat Feb 10 22:30:24 UTC 2018


On Sat, 10 Feb 2018, Ali wrote:

> Lately I've been trying to configure a server running LibreSwan 3.23
> as an IKEv2 daemon to get my iOS (configured with mobileconfig) device
> to establish a secure tunnel, however all connection attempts seem to
> fail, with the following error:

> Feb 10 21:56:37.682642: | I am receiving an IKEv2 Request ISAKMP_v2_SA_INIT

> Feb 10 21:56:37.683323: | initial parent SA message received on
> 5.6.7.8:500 but no connection has been authorized with policy
> AUTHNULL+IKEV2_ALLOW

This suggests your connection did not load properly. Verify this with:

ipsec auto --add ikev2

> conn ikev2
>    left=1.2.3.4 # server ip address
>    leftca=ca-certificate
>    leftcert=donkey-shaft-century
>    leftid=%fromcert
>    leftsendcert=always
>    leftsubnet=1.2.3.4/32
>    leftrsasigkey=%cert
>    right=%any
>    rightaddresspool=192.168.42.10-192.168.42.250
>    rightca=%same
>    rightrsasigkey=%cert
>    modecfgdns=8.8.8.8,8.8.4.4
>    narrowing=no
>    dpddelay=30
>    dpdtimeout=120
>    mobike=yes
>    dpdaction=clear
>    auto=start
>    ikev2=insist
>    rekey=no
>    sha2-truncbug=no
>    fragmentation=yes
>    encapsulation=yes
>    ike=aes_gcm128-sha2;dh19
>    phase2alg=aes_gcm_c-128-null;dh19
>    phase2=esp

You have auto=start which is preventing this connection from loading,
because auto=start means to initiate the connection after loading it,
but it cannot initiate to "%any".

Try changing auto=start to auto=add

I also recommend leaving encapsulation= at its default auto setting, or
else you will see problems for clients not behind NAT.

For iOS, you also really want leftid=@yourdnsname or else it will likely
reject the connection. This DNS name also has to be a SubjectAltName on
the gateway certificate.

You likely also need to add leftsubnet=0.0.0.0/0 or limit it to the
subnet you want to give access to. Right now, you are only providing a
vpn to 1.2.3.4 itself.

And you have the wrong narrowing= option.

For a complete working example config, see:

https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Paul
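The points Paul raises above, as an added example that is not part of the thread and not Libreswan's own code: a small Python check that parses a Libreswan-style conn section and flags each of the five problems (auto=start with right=%any, encapsulation=yes, leftid not a @dnsname, a leftsubnet that only covers the gateway, narrowing=no). It runs over a subset of the quoted conn and over a corrected copy. vpn.example.com is a placeholder hostname, and narrowing=yes is the assumed corrected value, since the reply does not state one.

```python
"""Lint a Libreswan ipsec.conf conn section for the road-warrior mistakes
discussed in the thread.  Added example; parser and rules are illustrative."""

# Constructed subset of the conn quoted in the thread (values as posted).
ORIGINAL_CONN = """
conn ikev2
    left=1.2.3.4 # server ip address
    leftcert=donkey-shaft-century
    leftid=%fromcert
    leftsubnet=1.2.3.4/32
    right=%any
    rightaddresspool=192.168.42.10-192.168.42.250
    narrowing=no
    auto=start
    ikev2=insist
    encapsulation=yes
    ike=aes_gcm128-sha2;dh19
    phase2alg=aes_gcm_c-128-null;dh19
"""

# Same subset with the fixes applied.  vpn.example.com is a placeholder
# hostname; narrowing=yes is an assumed corrected value; encapsulation=
# is simply omitted so it falls back to its default of auto.
FIXED_CONN = """
conn ikev2
    left=1.2.3.4
    leftcert=donkey-shaft-century
    leftid=@vpn.example.com
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=192.168.42.10-192.168.42.250
    narrowing=yes
    auto=add
    ikev2=insist
    ike=aes_gcm128-sha2;dh19
    phase2alg=aes_gcm_c-128-null;dh19
"""


def parse_conn(text):
    """Return (conn name, {option: value}) for a single conn section.
    Strips '#' comments and ignores indentation, as ipsec.conf allows."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return name, opts


def lint_conn(opts):
    """Return a list of findings, one per problem from the thread."""
    findings = []
    # auto=start tries to initiate, which is impossible towards right=%any,
    # so the conn never loads at all.
    if opts.get("auto") == "start" and opts.get("right") == "%any":
        findings.append("auto=start cannot initiate to right=%any; use auto=add")
    # Forcing encapsulation breaks clients that are not behind NAT.
    if opts.get("encapsulation", "auto") != "auto":
        findings.append("encapsulation=%s; leave it at the default auto"
                        % opts["encapsulation"])
    # iOS expects the gateway ID to be a DNS name present in the cert SAN.
    if not opts.get("leftid", "").startswith("@"):
        findings.append("leftid should be @<dns name> matching a SubjectAltName")
    # A /32 equal to the gateway address gives the client access to nothing else.
    leftsubnet = opts.get("leftsubnet", "")
    if leftsubnet.endswith("/32") or leftsubnet.split("/")[0] == opts.get("left"):
        findings.append("leftsubnet only covers the gateway; use 0.0.0.0/0 or a LAN")
    # Remote clients negotiating from an address pool need narrowing.
    if opts.get("narrowing", "no") != "yes":
        findings.append("narrowing=no; remote-client conns need narrowing=yes")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONN), ("fixed", FIXED_CONN)):
        name, opts = parse_conn(conf)
        print("conn %s (%s): %d finding(s)" % (name, label, len(lint_conn(opts))))
        for f in lint_conn(opts):
            print("  -", f)
```

The check is deliberately conservative: it only flags the settings named in the reply, so a conn that passes it can still fail to load for other reasons, and `ipsec auto --add <conn>` remains the authoritative test.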

