[Swan] Trouble connecting to libreswan from iOS 12 ikev2
Paul Wouters
paul at nohats.ca
Mon May 27 14:35:24 UTC 2019
On Mon, 27 May 2019, Ian Dobson wrote:
> I am running libreswan as a VPN (network-to-multiple clients) on a CentOS
> 7 platform. It has been working successfully to connect with iOS clients
> using IKEv1 + XAUTH.
ok.
> conn ikev2-rsa
> type=tunnel
> ikev2=insist
> narrowing=yes
> pfs=no
> rekey=no
> encapsulation=yes
> fragmentation=yes
> dpddelay=30
> dpdtimeout=90
> dpdaction=clear
> left=144.132.45.114
> leftrsasigkey=%cert
> leftcert=vpn
> leftsendcert=always
> leftid=%fromcert
> leftsubnet=0.0.0.0/0
> right=%any
> rightid=%fromcert
> rightrsasigkey=%cert
> rightca=%same
> rightaddresspool=172.21.1.200-172.21.1.254
seems ok.
>
> tcpdump -i eth3 -nn host 144.132.45.114:
>
> listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
>
> 14:30:55.417934 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
> 14:30:58.495733 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
> 14:31:01.505931 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
> 14:31:04.495418 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
We cannot see much, other than it is showing an IKEv2 packet. We really
need the logfiles.
> It seems that libreswan isn't responding at all to the first init packet.
Yeah.
> I don't think it's a firewall or routing related issue, as libreswan is
> quite happily negotiating an ikev1 connection over the same interface.
Makes sense.
> There is nothing at all being output through syslog.
>
> Any ideas where I should start looking for the problem?
Do you have a logfile= set in "config setup" in /etc/ipsec.conf? Then
all logs will go to the file instead of syslog. If not, perhaps set
logfile=/var/log/pluto.log to gather the logs.
Paul
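The tcpdump excerpt above shows the symptom Paul points at: the same client socket retransmitting IKE_SA_INIT about every three seconds with no packet ever coming back from the responder on UDP/500. The following script is an added example, not code from the thread or from libreswan; it parses tcpdump's `isakmp:` summary lines and reports initiators whose IKE_SA_INIT requests never got an IKE_SA_INIT reply, plus the retransmit intervals for one peer. The sample capture is constructed from the four lines quoted in the post (re-joined onto single lines) and a constructed, answered exchange from 192.0.2.7 for contrast; the assumption that tcpdump prints the responder's reply as `ikev2_init[R]` is also an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the four retransmitted IKE_SA_INIT requests quoted in the
# post, plus one constructed initiator (192.0.2.7) that does receive a reply.
SAMPLE_CAPTURE = """\
14:30:55.417934 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
14:30:58.495733 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
14:31:01.505931 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
14:31:04.495418 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
14:31:10.000001 IP 192.0.2.7.4500 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
14:31:10.004212 IP 144.132.45.114.500 > 192.0.2.7.4500: isakmp: parent_sa ikev2_init[R]
"""

# tcpdump -nn prints "src.port > dst.port: isakmp: <summary>"; the dotted quad
# is matched as exactly four octets so the trailing ".port" is not swallowed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): isakmp: "
    r"(?P<msg>.*)$"
)


def _to_seconds(ts):
    """Convert a tcpdump HH:MM:SS.frac timestamp to seconds since midnight."""
    hh, mm, ss = ts.split(":")
    return int(hh) * 3600 + int(mm) * 60 + float(ss)


def parse_capture(text):
    """Return one dict per isakmp summary line; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "t": _to_seconds(m.group("ts")),
            "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "dport": int(m.group("dport")),
            "msg": m.group("msg"),
        })
    return records


def unanswered_init_peers(text, server_ip):
    """Map (client_ip, client_port) -> number of IKE_SA_INIT requests sent to
    server_ip for which the server never sent an IKE_SA_INIT response back.
    Assumption: tcpdump labels the responder's reply 'ikev2_init[R]'."""
    requests = defaultdict(int)
    answered = set()
    for r in parse_capture(text):
        if r["dst"] == server_ip and r["msg"].endswith("ikev2_init[I]"):
            requests[(r["src"], r["sport"])] += 1
        elif r["src"] == server_ip and r["msg"].endswith("ikev2_init[R]"):
            answered.add((r["dst"], r["dport"]))
    return {peer: n for peer, n in requests.items() if peer not in answered}


def retransmit_gaps(text, peer):
    """Seconds between successive IKE_SA_INIT requests from one (ip, port) peer;
    a steady cadence with no reply is the client's retransmit timer, not a
    second attempt by the user."""
    times = [r["t"] for r in parse_capture(text)
             if (r["src"], r["sport"]) == peer and r["msg"].endswith("ikev2_init[I]")]
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    server = "144.132.45.114"
    for peer, n in unanswered_init_peers(SAMPLE_CAPTURE, server).items():
        gaps = retransmit_gaps(SAMPLE_CAPTURE, peer)
        print(f"{peer[0]}:{peer[1]} sent {n} IKE_SA_INIT requests, no reply; "
              f"retransmit gaps: {gaps}")
```

Run it against `tcpdump -i eth3 -nn host <server> | tee capture.txt` output (or feed the file to `parse_capture`). A peer listed with several requests and no reply, while the same daemon answers IKEv1 on the same interface, is the situation Paul describes, and the next step is exactly his: make sure a logfile= is set and read the pluto log rather than guessing from the wire.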