[Swan] iOS IKEv2 "ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy"

Heting Wang meow at imlibra.me
Sat Jul 22 23:14:00 EEST 2023



Hello,

I’m now migrating from StrongSwan to LibreSwan, and it seems like it will never work with iOS.

cat /etc/ipsec.conf
config setup
    logfile=/var/log/pluto.log

conn cert
    ikev2=insist
    left=%defaultroute
    leftid=@ipsec.imlibra.me
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=10.10.0.1-10.10.0.254
    rightca="C=US, O= IdenTrust, CN= TrustID CA A13"
    rightrsasigkey=%cert
    modecfgdns=172.31.0.2
    rekey=no
    narrowing=yes
    fragmentation=yes
    encapsulation=yes
    auto=add

include /etc/crypto-policies/back-ends/libreswan.config

include /etc/ipsec.d/*.conf

certutil -L -d sql:/var/lib/ipsec/nss

Certificate Nickname                 Trust Attributes
                                     SSL,S/MIME,JAR/XPI

imlibra.me                           u,u,u
identrust-commercial-root-ca-1       CT,C,C
trustid-ca-a13                       CT,C,C

ipsec auto --add cert
002 "cert": added IKEv2 connection

tail -f /var/log/pluto.log
Jul 22 19:49:36.532020: adding UDP interface eth0 [2406:da14:5db:f400::e60]:500
Jul 22 19:49:36.532049: adding UDP interface eth0 [2406:da14:5db:f400::e60]:4500
Jul 22 19:49:36.532072: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:500
Jul 22 19:49:36.532096: adding UDP interface eth0 [2406:da14:5db:f400:abcd::]:4500
Jul 22 19:49:36.532119: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:500
Jul 22 19:49:36.532142: adding UDP interface eth0 [2406:da14:5db:f400:e9d7:64ca:b008:4182]:4500
Jul 22 19:49:36.532165: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:500
Jul 22 19:49:36.532188: adding UDP interface eth1 [2406:da14:5db:f400:810a:b1ea:b7d5:47bd]:4500
Jul 22 19:49:36.534599: loading secrets from "/etc/ipsec.secrets"
Jul 22 19:49:36.534653: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 22 19:50:03.652462: packet from 114.246.198.250:500: ISAKMP_v2_IKE_SA_INIT message received on 172.31.2.1:500 but no suitable connection found with IKEv2 policy
Jul 22 19:50:03.652512: packet from 114.246.198.250:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN